Data subject rights under the GDPR
The GDPR (General Data Protection Regulation) grants people, in their capacities as consumers, citizens and so forth, a range of specific data subject rights they can exercise under particular conditions.
GDPR compliance means, among other things, enabling the exercise of these rights. The 8 fundamental data subject rights and beyond.
Below is an overview of those data subject rights, which should of course be part of every GDPR awareness program, at the very start of a strategic GDPR business approach and of your journey towards GDPR compliance.
Below is an infographic which summarises some essential data subject rights, in this case called consumer rights in the infographic.
As you can see, the GDPR ‘consumer rights’ in this infographic include:
- The mentioned right to data portability.
- The data subject’s right to access to information.
- The right of correction, technically known as the right to rectification.
- The also mentioned right to be forgotten (erasure).
- The rights in the scope of consent (if that’s the legal ground for processing).
At the most essential level, and technically speaking, there are 8 essential data subject rights.
They are listed in GDPR Articles 15 through 22. How do we know? Easy enough: GDPR Article 12, on transparent information, communication and modalities for the exercise of the rights of the data subject, says so.
So, here are those fundamental data subject rights:
- The data subject’s right of access, which means 1) the right to know whether data concerning him or her are being processed and 2) if so, the right to access them, with loads of additional stipulations (GDPR Article 15).
- The data subject’s right to rectification. When personal data are inaccurate, then controllers need to correct them (GDPR Article 16).
- The previously mentioned right to erasure or right to be forgotten with additional stipulations, among others if personal data has been made public (GDPR Article 17).
- The data subject’s right to restriction of processing. Simply said, this is the right of the consumer, or whatever you call the natural person under the scope of the GDPR, to limit the processing of his/her personal data, once more with several rules and exceptions of course (GDPR Article 18).
- The right to be informed. Here we stretch it a bit. In general, the GDPR asks controllers and so on to inform data subjects on several matters. Providing clear and correct information is a key duty in many regards. Simply said, the GDPR wants consumers to know, because if they don’t know they can’t decide. The data subject also has a right, even if not strictly called a right, to ask “who are all these recipients who have got to see my data?”
- The right to data portability. This is again one of those data subject rights that are in the infographic. With the right to data portability we’re in GDPR Article 20, so, keeping in mind that data subject rights are covered in Articles 15 through 22, that means two more to go.
- GDPR Article 21 is all about the data subject’s right to object. That does indeed mean what it says: data subjects can say they don’t want the processing of their personal data to take place or to continue. This might seem to overlap a bit with other data subject rights, but it doesn’t. Of course, in practice the data subject can, again within specific conditions, exercise the right to object and the right to be forgotten. Direct marketers and people who do profiling in particular should pay a lot of attention to the right to object, as it’s a lot about them, and certainly about profiling with automated means.
- The data subject right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This is pretty much a copy and paste of GDPR Article 22, Paragraph 1, which ends the ‘official’ list of data subject rights.