The 8 Data Subject Rights: What are they and how can you be GDPR compliant?

Charlotte Bourguignon

Eight Data Subject Rights: What are they?

The General Data Protection Regulation (GDPR), which was put into effect in 2018, aims to give individuals more control over their personal information. As the most encompassing privacy law within the EU, it intends to prevent inappropriate usage of personal information and serves as a safeguard to protect individuals from companies that use their data.

Personal Data?

What exactly do we mean by personal data? Simply put, it includes all data that can be used to identify a person directly or indirectly. Personal data can range from simple email headers to more sensitive information, such as medical details or religious background. The person about whom we process personal data is called the data subject.

To give data subjects control over their processed personal data, the GDPR outlines eight essential Data Subject Rights (and one extra: the right to withdraw consent). Individuals can submit a DSAR (Data Subject Access Request) to exercise these rights.

It’s important to be prepared to handle these incoming requests. But first things first, what are these rights? We’ve listed these eight Data Subject Rights (+ the right to withdraw consent) for you below:

1. Right to be informed

As a Controller, you must inform data subjects about the processing activities you perform with their data (collection, disclosure to recipients, processing for another purpose, etc.). This information needs to be easily accessible and written in clear, plain language that your target audience can understand (not in legal terms that may be hard to grasp).

Data subjects can be informed through, for example, a Privacy Policy on the company’s website and/or a Privacy Statement sent directly to the data subjects when collecting their personal data.

2. Right to access

Data subjects have a right to view and request a copy of their personal data. It is good to set up a step-by-step procedure to ensure requests are handled within the deadline. DSARs need to be handled within 30 days, though a few exceptions apply. The company should also appoint someone responsible for this process: someone who can process the incoming requests efficiently and on time.

3. Right to rectification

Data subjects have the right to request that inaccurate, incomplete, or outdated personal data be updated, completed, or corrected. This must be done free of charge unless the request is unfounded or excessive.

4. Right to be forgotten (right to erasure)

Data subjects have a right to ask for the erasure of their personal data in some specific situations. It is, however, not an absolute right. The right can be exercised depending on the following circumstances:

  • The personal data is no longer necessary for the purpose it was collected
  • The individual withdraws their consent
  • The individual objects to the processing of their personal data, and there is no overriding legitimate ground
  • The personal data has been unlawfully processed
  • The data needs to be erased to be compliant with another legal obligation within the European Union, or with national law to which the Controller is subject
  • The personal data was collected concerning the information of social services and relates to a child or a child who has now reached maturity

5. Right to object

Individuals have a right to object; they can request a company to stop processing their personal data in two cases:

  • They can object to the use of data for direct marketing purposes
  • When personal data is used for a company’s legitimate interest (e.g., during a fraud investigation)

This can be done free of charge (unless the request is unfounded or excessive). The organization can decline the right to object when its interests override the individual’s interests.

6. Right to restriction of processing

Data subjects can request that their data be processed in a certain way, or that its processing be restricted, in the following circumstances provided by the GDPR:

  • The data subject is contesting the accuracy of the personal data.
  • The processing is unlawful, and the data subject opposes the erasure of the personal data but requests the restriction of their use instead.
  • The company no longer needs the personal data for the processing, but the data is required by the data subject for the establishment or defense of legal claims.
  • The data subject has objected to the processing pending the verification of whether the legitimate grounds of your company override those of the data subject.

Once restricted, the processing of the involved personal data may only take place, among other things, with the data subject’s consent or for reasons of important EU or national public interest.

7. Right to data portability

Data subjects can request to receive data that was provided to a Controller when the processing is based on consent or a contract and is carried out by automated means. The data has to be provided in a structured, commonly used, and machine-readable format.

It also includes the right to have this personal data transmitted to another Controller without hindrance from the initial Controller, and without any charges.


8. Right to not be subject to automated processing

Data subjects have a right not to be subject to a decision based on automated processing. Whenever personal data is used in automated decision-making with significant effect, the individual has the right to request human intervention. For example, if the subject applies for a financial loan for a car, and the decision was based on an automated process, the subject has a right to request human intervention.

Note that exemptions for these rights exist, meaning that the data subject won’t be able to object to automated processing in some circumstances.


And the 9th, extra right: the right to withdraw consent

Data subjects can withdraw previously given consent to the processing of their personal data.


How to be compliant?

The best way to make sure you are compliant with all Data Subject Rights and can manage all DSARs in a timely manner is to work out a step-by-step procedure. No clue where to start with setting up this framework? Reach out to our experts for personal advice.