
GDPR Data Subject Rights Explained

Introduction

The General Data Protection Regulation (GDPR) has fundamentally reshaped how personal data is managed within the European Union (EU). Central to this regulation are the rights of data subjects, individuals whose personal data is processed by organizations. These rights empower individuals to have greater control over their personal data and ensure that data controllers handle such information responsibly and transparently.

Understanding Data Subject Rights

Under the GDPR, data subjects are granted specific rights concerning their personal data. These rights are designed to provide individuals with control over how their data is collected, processed, and shared. Data controllers, the entities responsible for determining the purposes and means of processing personal data, are obligated to facilitate these rights. A data subject’s request is a formal way for individuals to exercise their rights under GDPR.

The eight data subject rights enshrined in the GDPR are:

  1. Right to be Informed: Data subjects must be informed about the collection and use of their personal data in clear and plain language.

  2. Right of Access: Individuals have the right to access their personal data and obtain information about how it is being processed.

  3. Right to Rectification: Data subjects can request the correction of inaccurate or incomplete personal data.

  4. Right to Erasure: Often referred to as the “right to be forgotten,” this provision enables individuals to request the removal of their personal data under specific circumstances.

  5. Right to Restrict Processing: Individuals may request restrictions on their data processing under certain conditions.

  6. Right to Data Portability: Data subjects can obtain their personal information in a structured, commonly used, and machine-readable format, facilitating a secure transfer to another controller.

  7. Right to Object: Individuals can object to the processing of their personal data in certain situations, such as direct marketing.

  8. Rights Related to Automated Decision-Making and Profiling: Individuals are safeguarded from decisions that significantly impact them if these decisions are made purely through automated processing.

These rights reflect the core principles of data protection law, emphasizing transparency, fairness, and accountability in personal data processing.

Right to be Informed

The right to be informed is a cornerstone of the GDPR, ensuring that data subjects are fully aware of how their personal data will be used. Data controllers are required to inform data subjects about the collection and use of their personal data in a clear and transparent manner. This involves sharing details about the reasons for data processing, the types of personal data involved, and the recipients or groups that will access the data.

For instance, when a company collects personal data for marketing purposes, it must inform data subjects about how their data will be used, who will receive it, and how long it will be retained. This transparency allows individuals to make informed decisions about whether to provide their personal data and to understand their rights regarding that data.

Data controllers must ensure that this information is easily accessible and presented in plain language, avoiding technical jargon. This is particularly important when informing children, who may need simpler explanations to understand how their data will be used. By adhering to these requirements, organizations demonstrate their commitment to data protection and build trust with their data subjects.

Right of Access

The right of access enables data subjects to receive confirmation from the data controller regarding whether their personal data is being processed. If such processing is taking place, individuals are entitled to access the data and receive detailed information about:

  • The purposes of the data processing.

  • The categories of personal data concerned.

  • The recipients or categories of recipients to whom the data has been or will be disclosed.

  • The anticipated duration for which the data will be retained or the criteria for establishing that duration.

  • The existence of the right to request rectification, erasure, or restriction of processing.

  • The right to lodge a complaint with a supervisory authority.

  • The source of the data, if not collected directly from the data subject.

  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved and the potential consequences for the individual.

Data subject requests must be handled promptly and transparently to comply with the GDPR.

This comprehensive access ensures transparency and allows individuals to be aware of and verify the lawfulness of the processing.

Right to Rectification

The right to rectification enables individuals to amend incorrect personal information promptly. Additionally, if the data is incomplete, individuals have the right to have it completed, considering the purposes of the processing. This can involve providing a supplementary statement to ensure the data is accurate and complete.

For instance, if an individual’s personal preferences or contact information changes, they can request the data controller to update their records accordingly. Ensuring data accuracy is a fundamental aspect of data protection principles, as it affects the quality and reliability of the processing activities.

Right to Erasure

Known as the “right to be forgotten,” the right to erasure allows individuals to ask for the removal of their personal information under specific circumstances:

  • The personal data is no longer necessary for the purposes for which it was collected or processed.

  • The data subject withdraws consent on which the processing is based, and there is no other legal basis for processing.

  • The data subject objects to the processing, and there are no overriding legitimate grounds for continuing the processing.

  • The personal data has been processed unlawfully.

  • It is necessary to erase personal data to meet legal requirements set by EU laws or Member State regulations.

  • The data was collected in relation to the offer of information society services to a child.

Upon receiving a valid erasure request, the data controller must take reasonable steps to inform other controllers processing the personal data to erase any links to or copies of that data. This obligation considers available technology and the cost of implementation.

However, the right to erasure is not absolute. It does not apply if processing is necessary for:

  • Exercising the right of freedom of expression and information.

  • Compliance with a legal obligation requiring processing under EU or Member State law.

  • Reasons of public interest in the area of public health.

  • Archiving for public interest, scientific or historical research, or statistical purposes, where erasure would likely make achieving the processing objectives impossible or severely compromised.

  • The establishment, exercise, or defense of legal claims.

Right to Restrict Processing

The right to restrict processing enables data subjects to control how their personal data is utilized. This right can be exercised under certain conditions:

  • The accuracy of the personal data is contested by the data subject, allowing time for the controller to verify its accuracy.

  • The processing is unlawful, and the data subject opposes erasure, requesting restriction instead.

  • While the data controller no longer requires the personal data for processing, the data subject needs it to establish, exercise, or defend legal claims.

  • The data subject has raised an objection to the processing based on legitimate interests while awaiting verification of whether the controller’s legitimate grounds take precedence over those of the data subject.

When processing is restricted, the data controller may only process the personal data (other than storing it) with the data subject’s consent, for the establishment, exercise, or defense of legal claims, for protecting the rights of another natural or legal person, or for reasons of important public interest.

Data controllers are required to inform data subjects before lifting any restriction on processing.

Right to Data Portability

Data portability enables people to obtain their personal data from a data controller in a structured, widely recognized, and machine-readable format. This facilitates the ability to transmit the data to another controller without hindrance. This right applies when:

  • The processing is based on the data subject’s consent or on a contract.

  • The processing is carried out by automated means.

Data portability empowers individuals to manage and reuse their personal data across different services. For example, a user might want to transfer their data from one social media platform to another. The data controller must ensure that the data is provided in a format that supports this transfer and, where technically feasible, transmit the data directly to another controller upon the data subject’s request.

Data subjects can also request to have their personal data directly transferred from one controller to another, where technically feasible.

Nonetheless, this right must not negatively impact the rights and freedoms of others. Additionally, it does not pertain to processing required for fulfilling a task that serves the public interest or for exercising the official authority granted to the controller.

Right to Object

Individuals can object to the processing of their personal data at any time, under certain conditions. This right applies when:

  • The processing is based on the legal basis of public interest or legitimate interests pursued by the data controller.

  • The data subject has grounds relating to their particular situation for objecting.

When a data subject exercises this right, the data controller must cease processing the data unless they can demonstrate the following:

  • Compelling legitimate grounds for processing that override the data subject’s rights and freedoms.

  • The processing is necessary for establishing, exercising, or defending legal claims.

A specific application of the right to object relates to direct marketing:

  • Data subjects can object to their data being used for direct marketing, including profiling related to marketing.

  • Once an objection is made, the data controller must immediately stop processing the data for this purpose.

Rights Related to Automated Decision-Making and Profiling

The GDPR places strict controls on decisions made solely through automated processing (including profiling) that:

  • Produce legal effects concerning the data subject.

  • Similarly significantly affect the data subject.

Automated decision-making is permitted only under specific conditions:

  1. Contractual necessity: The processing is necessary to enter into or perform a contract.

  2. Authorized by law: The processing is permitted by Union or Member State law, which also provides safeguards for the data subject.

  3. Explicit consent: The data subject has given clear and explicit consent to the processing.

In cases of automated decision-making:

  • Data controllers must provide human intervention upon request.

  • Data subjects have the right to challenge decisions made automatically and express their views.

  • This ensures individuals are not adversely impacted by decisions made without human oversight.

Exercising Data Subject Rights

The GDPR emphasizes the importance of transparency and accessibility in the exercise of data subject rights. Data controllers are mandated to facilitate the easy and effective exercise of these rights, ensuring that data subjects can make requests without undue complexity. Upon receiving a request, the data controller is obligated to provide information on the actions taken in response to the request without undue delay and, in any event, within one month of receipt. This period may be extended by two further months if necessary, considering the complexity and number of requests. The data controller is required to notify the data subject about any extension within one month of receiving the request and provide the reasons for the delay.

Data controllers must ensure they have the necessary processes in place to handle data subject requests in a timely manner.

If the data controller fails to act on the request, they must promptly notify the data subject within one month of receiving the request. This notification should include the reasons for inaction and details on how to lodge a complaint with a supervisory authority or pursue legal action. This framework ensures that data subjects are kept informed about the status of their requests and are aware of the avenues available for redress if their rights are not upheld.

Data controllers are also required to provide mechanisms for data subjects to submit requests electronically, especially when personal data is processed by electronic means. Data subjects should receive information that is clear, transparent, understandable, and readily available, utilizing straightforward and simple language. This is particularly crucial when addressing children, ensuring that they can understand and exercise their rights effectively. By adhering to these standards, organizations demonstrate their commitment to data protection principles and foster trust with individuals whose data they process.

Lodging Complaints with Supervisory Authorities

If an individual believes their GDPR rights have been violated, they can file a complaint with a supervisory authority, in particular in the Member State where they usually reside, work, or where the infringement occurred. Supervisory authorities are independent public authorities established by each EU Member State to monitor the application of the GDPR, provide guidance, handle complaints, and enforce compliance. Upon receiving a complaint, the supervisory authority will investigate the matter and inform the data subject of the progress and outcome of the complaint, including the possibility of a judicial remedy. This process ensures that individuals have a clear and accessible pathway to seek enforcement of their data protection rights.

In addition to lodging complaints, data subjects have the right to an effective judicial remedy against a supervisory authority if they consider that their complaint has not been handled appropriately or if the supervisory authority fails to inform them within three months about the progress or outcome of their complaint. This provision ensures accountability and offers data subjects further recourse if they are dissatisfied with the supervisory authority’s handling of their concerns. Moreover, data subjects can seek compensation from data controllers or processors if they have suffered material or non-material damage as a result of an infringement of the GDPR. This right to compensation underscores the regulation’s commitment to protecting individuals’ rights and providing remedies for violations.

Conclusion

The General Data Protection Regulation (GDPR) creates an extensive framework for safeguarding the personal data of individuals in the European Union. Central to this framework are the rights afforded to data subjects, empowering them to control how their personal data is processed and ensuring transparency and accountability from data controllers. By understanding and exercising these rights, individuals can take an active role in managing their personal information while organizations are reminded of their obligations to uphold data protection principles. This dynamic fosters a culture of respect for privacy and enhances trust in the digital ecosystem.
