What are 8 Data Subject rights according to the GDPR

When the General Data Protection Regulation (GDPR) became enforceable in 2018, it granted individuals eight data subject rights with one common goal: to give individuals control over their personal data.

While some rights had already been introduced by earlier legislation (like the right of access) and were further enhanced, others are novelties unique to the GDPR – like data portability.

The eight data subject rights are:

1. Right to be informed

The right to information allows individuals (data subjects) to know what personal data is collected about them, why, who is collecting it, how long it will be kept, with whom it will be shared, and how they can file a complaint.

To be more precise, the organization (data controller) is obligated to provide information about:

• the controller’s information and contact details
• the purpose of data processing
• the legal basis for personal data processing
• third party details
• the data retention period
• the rights granted to the data subject under the data protection law
• the right to file a complaint
• whether the provision of personal data is a statutory or contractual requirement
• whether the individual is obligated to provide the personal data, and so on

All this information needs to be communicated in plain and clear language.

2. Right of access

Individuals have a right to submit subject access requests and obtain information from the organization about whether their personal information is being processed.

The organization is then obligated to provide a copy of the personal data it holds about the individual and additional information, including:

  • what is the purpose of the processing
  • what categories of personal data are they processing
  • with whom the data is shared (third countries or international organizations)
  • how long will the organization keep the data (data retention period)
  • information about their GDPR rights (right to rectification, right to erasure, restriction of processing…)
  • the existence of automated decision-making, including profiling
  • what is the source of collected data (if the data is not collected from the individual)

3. Right to rectification

The right to rectification allows individuals to ask the organization to update any inaccurate or incomplete data it holds about them.

If the organization confirms that the data is inaccurate, the legal deadline to respond to a request is one month. Upon receiving the request, the organization should take steps to verify that the data is indeed inaccurate and rectify it.

This right sets new operational challenges for organizations since rectifying one data set can have broader consequences on the entire database.

4. Right to be forgotten

The right to be forgotten is also known as the right to erasure. This right allows individuals to ask for their personal data to be deleted if:

  • the personal data is no longer necessary
  • the individual withdraws consent
  • the personal data has been unlawfully processed
  • the individual objects to the processing, and the data controller has no reason to continue processing
  • data erasure is necessary for compliance with a legal obligation (EU law or national law)

However, there are situations where organizations can decline the request, for instance for reasons of public interest or compliance with legal obligations.

If a data subject exercises their right to erasure, the organization has to notify any third parties with whom the data was shared and request the erasure of data.

The organization has to comply unless it can prove that the request would require a disproportionate effort or if it is impossible to comply.

This means organizations are now facing a new challenge: notification of third parties.

For organizations that are sharing their data with a large number of third parties, this requires new procedures and notification systems, which can complicate compliance progress.

5. Right to restrict processing

Individuals can request that an organization limit the way it uses their personal data. The organization is not automatically obligated to delete the data. However, it has to refrain from processing it in certain situations:

  • If the data is inaccurate (during the verification process)
  • If the processing is unlawful, but the individual does not want the data to be erased and requests restriction (which is different from the right to be erased)
  • The data controller no longer needs data, but the individual wants the data to be preserved so the legal claim can be exercised
  • The organization is taking measures to verify the data erasure request

Once the data is restricted, the organization is not allowed to process it unless it has the individual’s consent, needs it for legal claims, or needs it to protect the rights of other individuals.

6. Right to data portability

Data portability is one of the novelties among data subject rights. It allows individuals to obtain personal data they have previously provided to the organization in a structured, commonly used, and machine-readable format.

Individuals can also request for their data to be transferred directly to another organization.

However, it applies only to data that an individual has provided to the organization (data controller) on the basis of consent or contract, and only if the processing is carried out by automated means (no paper records).

This is also applicable to data related to the behavior of the individual and may include search inquiries, location data, website history, and more.

7. Right to object to processing

The right to object allows individuals to object to the processing of personal data at any time in certain situations, depending on the purpose of processing and the lawful basis for processing.

Individuals can stop the processing of their personal data for direct marketing purposes, as this is their absolute right. However, they can also object to the processing of data on the grounds of legitimate interest or tasks in the public interest.

8. Rights in relation to automated decision-making and profiling

The GDPR introduced strict rules when it comes to the processing of personal data that is done without human involvement.

This includes different types of profiling, which may include evaluating certain personal aspects relating to an individual in order to analyze or predict aspects such as performance at work, economic situation, health, personal preferences, interests, reliability, behavior, or location.

The data subjects now have the right not to be subject to automated decision-making if it is producing a legal effect that significantly affects them.

However, it will not apply if the processing is necessary for the performance of a contract, if it is authorized by the law, or if the processing is based on explicit consent.

Violation of data subject rights

Any violation of data subject rights incurs the highest penalties under the GDPR: up to €20 million, or up to 4% of the organization's total global turnover of the preceding fiscal year, whichever is higher.

This represents a real risk for the organization, both financial and reputational, since the operationalization of the data subject rights remains one of the compliance challenges.

Operationalization of data subject rights

When an organization collects and processes personal data in large quantities, the automation of the process is the key. Privacy solutions such as Data Privacy Manager serve as a platform for the orchestration and management of data subject rights.

It automates the entire process so that the IT systems where the data is stored can execute user requests in a timely and accurate manner. The process becomes an automated workflow with clear insight into every stage, from the registration of the request, through request approval and data processing, to the notification of the data subject about the outcome of the request.

Most importantly, Data Privacy Manager represents one central place for the supervision of requests and provides the DPO with all the information necessary for managing data subject requests within the response deadline.
