Rights of the Data Subjects in GDPR

Privacy has been a big concern of customers for long. This growing concern led to the enforcement of the European General Data Protection Regulation (GDPR). GDPR is a regulation in the EU law on data protection and privacy for all individuals within the European Economic Area (data subjects). It provides the data subjects with certain rights (Articles 12–23). Using them, they can ensure whether their data is being used lawfully. The rights in GDPR ensure the privacy and protection of sensitive and personal details of data subjects shared online. With the law in action, customers and users in the EU get full authority over their data no matter to which organization or website (the data controller) they provide it. This article explains these GDPR rights.

Recommended Reading: Ultimate Guide to GDPR

Let us look at the most fundamental rights data subjects get under GDPR.

Right to be informed

The right centers around the transparency right of data subjects. Data controllers must provide information regarding what they do with data subjects’ personal data. This information must be in a concise and easily accessible form in clear and plain language. It can be either provided in writing, orally or in electronic format.

Per Article 13, in case the data controller obtained the personal data from the data subject directly, the information must be provided at the time of receiving the data. It is not mandatory to share in case the data subject is already aware of it.

Per Article 14, in case the data was obtained from other sources, the data controller must provide the information no later than one month of obtaining the data. If the information is used to contact the data subject, then the controller must inform immediately at the time of communicating.

The information that must be provided to data subjects are:

• the contact details of the data controller;
• the contact details of the DPO (if available);
• the processing purposes;
• the legal basis of processing;
• the legitimate interest of processing (if any);
• the recipients when transmitting personal data;
• the details of the transfer of personal data to third countries (if any);
• the duration of storage;
• the rights of the data subject;
• the right to withdraw consent;
• the right to lodge a complaint with the authorities;
• whether the provision of personal data is a statutory or contractual requirement (only if obtained from the data subject);
• the automated decision-making activities, including profiling (if applicable);
• the source of personal data (if not collected from the data subject); and
• whether the data is publicly available (if not collected from the data subject).

The data controller does not have to provide the information to the data subject if:

• it is impossible or unreasonably expensive,
• the data was obtained or processed with a legal obligation, or
• it is subject to professional secrecy or other statutory secrecy obligations.

Right of access

Under this right, data subjects get access to their data under processing. They can request the controller for a copy of the data they submitted and other related information, such as:

• the processing purposes;
• the categories of personal data;
• the recipients or categories of recipients;
• the duration of storage of personal data or criteria for their definition;
• the rights of the data subject such as the right to rectification, erasure or restriction of processing, and object;
• the right to lodge a complaint with the authorities;
• the source of personal data (if not obtained from the data subject);
• the existence of an automated decision-making process, including profiling, with information about the consequences and purpose of such processing; and
• the appropriate safeguards are taken if personal data is transmitted to a third country.

Important to note that the right to a copy of their data should not interfere with the rights and freedoms of others.

Data subjects can make the request verbally or in writing, and the information must be provided not later than one month. Data controllers can seek an extension of this period if there is a legitimate reason. They can ask the subjects to specify the request if a large volume of data is under processing. It is mandatory to provide the information free of charge. However, for further copies, if requested, the controllers can charge a reasonable fee.

Data subjects can submit the request to anyone in the organization, including on social media. Therefore, a well-trained person must be responsible for communicating with data subjects to identify valid requests.

Right to rectification

Under this right, data subjects can request data controllers to rectify their inaccurate or outdated personal data. Depending on the purpose of processing, they can also get incomplete data completed. Special care and effort are necessary while rectifying inaccurate personal data that may adversely affect the data subjects.

If the request is related to information that is an opinion, then the data controller can argue that the information may not necessarily be inaccurate and need rectification as it is subjective.

It is a good practice for the data controller to restrict the processing of personal data as soon they discover it is inaccurate. They do not need to wait for the data subject to request it.

If the data controller is confident that the data in question is accurate, they can refuse to process the request. They can ask the data subject to file a complaint with the respective supervisory authority or seek legal help.

In any case, the data controller must make sure that the data they collect is accurate, complete (as required for the processing), and up to date.

Right to erasure (Right to be forgotten)

Under this right, data subjects can opt to have their personal data erased. This right is applicable where:

• the data is no longer necessary for the intended processing purpose;
• data subjects withdraw their consent, and there is no other lawful basis for processing;
• the data subject has objected to the processing, and there is no legitimate interest that outweighs it;
• the erasure is required by the EU law or any member state law; or
• if the data was processed unlawfully.

Data controllers must inform other controllers to erase the copies of the data in case the data has been disclosed to them or made public.

The request must be dealt with and informed data subjects of the measures taken within a month of receiving the request.

Data controllers can refuse to erase the data if the processing is necessary for:

• exercising the right to freedom of expression and information;
• complying with a legal obligation;
• for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes; or
• the defense of legal claims.

Right to restriction of processing

This right provides data subjects the choice to restrict the processing of their data. Upon receiving such a request and verifying it, the data controller must limit the data for a period until the reason for the restriction is resolved.

Data subjects can request to restrict processing of data:

• to verify and handle the request to rectify inaccurate data;
• if the processing is not legal, and if the data subject requests to restrict it instead of erasure;
• the data controller no longer needs the data; however, the data subject does for the defense of legal claims; and
• the data subject objects to the processing, and the controller is verifying whether the legitimate ground for processing could outweigh the objection.

Methods to restrict the processing of personal data could include (but not limited to):

• temporarily moving the data to another processing system;
• making the data unavailable to users;
• temporarily removing published data from a website; or
• in the case of automated filing systems, technical measures such that the personal data are not subject to further processing.

Restricted personal data, other than for storage, can only be processed:

• if the data subject consents to it;
• for the defense of a legal claim;
• to protect the rights of another data subject or legal person; or
• in public interest.

Right to notification obligation

The data controllers must notify any rectification or erasure of personal data or restriction of processing to each controller, in case the data have been disclosed to them or made public. This is important and the controller must follow it even in case of loss or breach of data. If the data subjects request, then the controller must inform them of the other controllers.

Right to data portability

This right gives data subjects the freedom to obtain and reuse their data for their personal use across different services. They can use the data submitted, copy, or move from one IT environment to another without affecting its usability. They can request to receive the personal data submitted in a commonly used and machine-readable format. This right is applicable when the processing is based on consent or a contract, or automated system.

Data controllers must make sure that exercising the right should not interfere with the rights and freedom of others.

The processing conditions under which the right should not apply are:

• to comply with a legal obligation;
• for reasons of public interest; or
• to exercise an official authority vested in the controller.

The data subjects have the right to request the controller to transmit their personal data directly to another controller, if technically feasible.

Right to object

If data subjects wish to object to the processing of their personal data or any related information, at any time, then they can do so using this right. They can exercise the right in most conditions unless:

• the controller has legitimate ground for processing that overweighs the rights and freedom of the data subjects, or
• the processing is essential for the defense of a legal claim.

The data subjects can object to the processing of their data in case of direct marketing, including profiling. The controller must comply with the request in such a case.

Also, the right is applicable when the processing is necessary for scientific or historical research purposes or statistical purposes unless it is necessary for reasons of public interest.

Right to not be subject to automated individual decision-making, including profiling

Automatic processing of data subjects’ data can be carried out in different scenarios if:

• the decision based on the processing is important for the performance or entry in a contract between the data subject and the data controller;
• it is authorized by the union or law; or
• if the data subjects give their explicit consent.

If the processing takes place without the above scenarios happening, then the data subjects can object to such automated processing, including profiling.

According to the GDPR, profiling means:

“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;”

If the processing is based on a contract, then the controller must take appropriate safety measures to protect the data subjects’ rights and freedom and interests. The data subjects at least have the right to ask human interference for the decision-making process and to contest the decision of the controllers.

Automated processing of special categories of personal data (with proper safety measures in place) is only possible if:

• the data subjects have given their explicit consent or
• if it necessary for reasons of public interest.

---

These are the nine GDPR rights of data subjects.

The data controllers must respond to the data subject requests to all these GDPR rights as quickly as possible. That is, no later than one calendar month from the day they receive the request. In case the controllers need additional information, the calendar month starts from the day they receive it. In case of complex or multiple requests, the controllers can take a maximum of three calendar months to respond

In most cases, the data controllers may refuse to comply with a request if it is:

1. manifestly unfounded; or
2. excessive.

Manifestly unfounded requests are those where the data subject offers to withdraw the request in exchange of a favor from the controller; or when it intends to harass the controller or its employee(s) or to cause disruption.

Excessive requests mean repeated requests (without legitimate reasons) or overlapped requests relating to the same set of data.

However, both of the scenarios depend on the context of the request.

In case the data controllers want to comply with such requests, then they can charge a reasonable fee.

The data controllers must have a legitimate and valid reason for refusing any request. They must inform this to data subjects in clear and plain language, and also how they can still exercise the right by registering a complaint with the supervisory authority or by seeking legal support.

All users, employees, customers, or anyone working for the company can make these rights requests.

Data subject rights are an essential part of the GDPR. It won’t be wrong to say that together with GDPR principles, they form the basis of the Regulation. Data controllers must implement measures to let the data subjects easily request their rights and help them to exercise it if needed. Failing to honor the rights will leave the data controllers open to GDPR fines and penalties.