Data Subject

GDPR Fundamentals: Data Subject Rights

GPDR is such a revolutionary law because its focus is so heavily on the data subjects and protects personal data not only in the shape of security, but also in privacy. The law actually gives data subjects seven rights, outlines in Chapter 3. These seven rights of data subjects ensure transparency between data subjects and those organizations that are processing their personal data and include:

1. Right to access
2. Right to rectification
3. Right to erasure
4. Right to restriction
5. Right to data portability
6. Right to object
7. Right in relation to automated decision-making

There are conditions and exceptions to every right, so there’s a lot to learn. Let’s discuss these seven data subject rights and how organizations should respond when a data subject exercises any of those rights.

Right to Access

In Article 15, you’ll find the first data subject right: the right to access. This right gives data subjects the ability to confirm whether or not a controller is processing their personal data. This data subject right also entitles data subjects to obtain the controller’s purposes for processing, categories of the personal data being processed, third parties who receive their personal data, data retention policy, and other information.

Right to Rectification

A key component of GDPR is accuracy. The law requires that controllers and processors maintain the accuracy of personal data, but the data subject right in Article 16 also brings data subjects into this process. The right to rectification gives data subjects the right to dispute the accuracy of their personal data being processed by controllers. Data subjects can request that inaccurate data be corrected, which could require supplementary information to ensure accuracy.

Right to Erasure

The right to erasure, or the right to be forgotten, gives data subjects the right to have a controller delete their personal data. This isn’t an absolute right; just because a data subjects asks that their data be deleted doesn’t mean that a controller has to delete that data. There are five circumstances in which a controller might delete personal data, including:

1. If the data was processed unlawfully
2. If the organization no longer needs the data for the purposes that it originally collected the data
3. If there is a legal requirement to delete the data
4. If a data subject gave access to their data based on consent and they have withdrawn that consent
5. If a data subject has objected to the processing of their data and requested that their data be deleted

The right to erasure is tricky, though. If even one of those five conditions exist for deleting personal data, a controller may still have a reason to maintain that data. For example, if there is a requirement from the EU to maintain that data, if there is litigation regarding that data, or if a controller needs to maintain that data for historic or scientific purposes, then a controller may not have to delete that data. So, a controller must first determine if a valid ground exists to delete the data, and determine whether there is an exception.

Right to Restriction

Article 18 outlines a fourth data subject right, the right to restrict processing. Why would a data subject exercise their right to restriction? They may be challenging the controller’s accuracy of their personal data, challenging the lawfulness of the processing activities, or challenging if the controller needs the data for the original purpose.

Restriction may be achieved one of several ways: it can be deleted, restricted, sequestered, or suppressed. If a controller grants a request for restriction, not only does the controller have to restrict the processing, but it should also notify processors and other third parties that a restriction request has been granted.

Right to Data Portability

Data subjects have the right to data portability, meaning that they can obtain their personal data from a controller in a structured, commonly used format, and have the right to transmit that data to another controller without hindrance. There are three conditions that have to be met for a valid portability request, including:

1. The data subject directly gave their personal data to a controller
2. The legal basis for processing is consent or performance of a contract
3. The controller is using automated means to process the personal data

If all three of these conditions are met, then a controller must provide either the data subject or the data subject’s request for another controller with a copy of their personal data in a commonly used format.

Right to Object

Data subjects have the right to object to processing activities. Data subjects may object to any processing of their personal data by a controller if that processing is based on legitimate interest and there are not any overriding reasons to reject the data subject’s request for objection.

Right in Relation to Automated Decision-Making

The final data subject right given by GDPR is the right to object to automated decision-making, including profiling. Data subjects may request human intervention in cases when a controller uses automated processes to make a significant or legal decision, but controllers can reject these requests based on certain conditions. If the objection to automated decision-making is granted, the controller must suppress or restrict the personal data that was used in the automated process.

Responding to Data Subject Rights

When a data subject exercises any of their rights under GDPR, controllers have one month to respond to the request. They can either grant that request or respond by giving the reason for denial. Controllers cannot charge data subjects for exercising their rights unless they find that the request is unfounded or excessive. Controllers should always ensure that they are documenting names, dates, the nature of requests, investigations, and responses to data subjects’ requests so that, at any time, they can demonstrate proof that it was properly received and responded to.