Share this article on:
What are the rights of data subjects under GDPR? Find out more about what GDPR means to data subjects, data controllers, and data processors.
The EU’s General Data Protection Regulation (GDPR) came into force on May 25, 2018. The main purposes of the directive are to ensure data protection laws are standardized across all member states and to expand the rights of data subjects. Under GDPR, data subjects have greater control over who collects their data, how the information is used, and for how long.
GDPR: Rights of Data Subjects
The rights of data subjects under GDPR are detailed in Chapter 3 – Articles 12 to 23. There are eight fundamental rights under GDPR.
1. Right to Access Personal Data
Under GDPR, data subjects have the right to access the data collected on them by a data controller. The data controller must respond to that request within 30 days (Article 15).
2. Right to Rectification
Data subjects have the right to request modification of their data, including the correction or errors and the updating of incomplete information (Article 16).
3. Right to Erasure
The right to erasure – also referred to as the right to deletion or the right to be forgotten – allows a data subject to stop all processing of their data and request their personal data be erased (Article 17).
4. Right to Restrict Data Processing
Data subjects, under certain circumstances, can request that all processing of their personal data be stopped (Article 18).
5. Right to be Notified
Data subjects must be informed about the uses of their personal data in a clear manner and be told the actions that can be taken if they feel their rights are being impeded. Data subjects must also be informed of any rectification or erasure of their personal data under articles 16, 17, and 18 (Article 19).
6. Right to Data Portability
A data subject can request that their personal data file be sent electronically to a third party. Data must be provided in a commonly used, machine readable format, if doing so is technically feasible (Article 20).
7. Right to Object
If a request to stop data processing is rejected by a data controller, the data subject has the right to object to their Article 18 right being denied (Article 21).
8. Right to Reject Automated Individual Decision-Making
Data subjects have the right to refuse the automated processing of their personal data to make decisions about them if that significantly affects the data subject or produces legal effects – profiling for example (Article 22).
Rights of Data Subjects under GDPR are Not Absolute
There is a common misconception that the rights of data subjects under GDPR are absolute, and under no circumstances can those rights be lost. While it is true that data subjects have the above rights under GDPR, in certain situations those rights cannot be granted.
For example, the right to restrict data processing does not apply is when data are processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences. The same applies to the processing of personal data in the prevention of threats to public security.
Data subjects have the right to access their personal data file, although not if that access adversely affects the rights and freedoms of others.
While data controllers must be aware of the rights of data subjects, they should also be aware of the circumstances under which those rights can be denied, and when charges can be applied for granting data subjects’ rights.