What you need to know about the GDPR’s data subject rights

Oct 02, 2024

The GDPR grants individuals rights to access, manage, and control their personal data. This includes the ability to request correction, deletion, and limit processing. Organizations that process personal data in the EU must be familiar with and comply with these rights or face significant penalties.

Personal data is an integral part of nearly every online service and transaction. Websites, apps, and other connected platforms collect this data for companies to learn about user behaviors and provide better user experiences and services. However, with this comes the need to protect individuals’ privacy and personal data. This is where the General Data Protection Regulation (GDPR) comes in, offering individuals a set of eight data protection rights aimed at ensuring their data is handled securely and transparently.

These data subject rights under the GDPR give people control over their personal data. Whether you’re a website owner or other small business, it’s important to understand what data subject rights are and how they function.

In this blog, we’ll break down the key rights under the GDPR, explain who is protected, and discuss how companies can comply with GDPR individual rights requests.

What are data subject rights under the GDPR?

The General Data Protection Regulation (GDPR) is a legal framework designed to protect individuals and their personal data. Central to this regulation is the empowerment of individuals — referred to as “data subjects” — by giving them specific rights over their personal data.

These common data subject rights are intended to provide transparency about data access and use, enable individuals to access and control their information, and hold companies accountable for how they handle personal data. The rights outlined in the GDPR have been influential on the drafting of other data privacy laws since the regulation came into force.

These rights give individuals the ability to:

  • access their personal data
  • have inaccurate data corrected
  • request the deletion of their data in certain situations
  • restrict or object to data processing
  • transfer their data to another service provider

Who do data subject rights apply to?

GDPR data subject rights apply to any individual residing in the EU/EEA whose personal data is being processed by a data controller or processor. However, the regulation’s scope is extraterritorial, meaning that it extends beyond the borders of the EU and applies to non-EU-based organizations that process the personal data of individuals within the EU.

Individuals who are protected by GDPR data subject rights include:

  • EU residents: Any individual living in an EU member state whose data is being processed by an organization.
  • Non-EU citizens within the EU: Even if someone is not an EU citizen, if they are residing in the EU and their data is processed, they are protected by the GDPR.
  • Individuals outside the EU whose data is processed by EU-based organizations: If an EU organization processes the personal data of non-EU individuals, GDPR still applies.
  • Non-EU organizations processing EU citizens’ data: For example, if a US-based company offers services to EU citizens, it must comply with the GDPR when processing their data.

Ultimately, GDPR data subject rights apply to a wide range of individuals and compliance responsibilities lie with many different types of organizations.

What does “subject data” refer to?

Under the GDPR, “subject data” refers to any information that can directly or indirectly identify an individual. This data could be anything that can be used to distinguish a person, either on its own or in combination with other data.

Types of data that fall under the category of “subject data” include:

  • Personally identifiable information (PII): Data like names, identification numbers, email addresses, phone numbers, and other personal identifiers.
  • Location data: Information that can track a person’s geographical location, such as GPS data, IP addresses, and mobile phone data.
  • Online identifiers: Tracking cookies, device IDs, and similar tracking mechanisms used to monitor online behavior.
  • Biometric data: Fingerprints, facial recognition data, or other biological measurements that can identify a person.
  • Health data: Information about an individual’s physical or mental health, healthcare, or diagnoses.
  • Financial data: Bank account numbers, credit card information, or any other financial identifiers.

The key factor is that subject data relates to a living individual who can be identified, either directly or indirectly, using these details. Any organization that processes this type of data must adhere to the GDPR.

What are the data subject rights under the GDPR?

The GDPR grants individuals eight core data subject rights. These rights are designed to provide transparency, control, and security over personal data processing.

1. The right to be informed

Per Art. 13 GDPR, individuals have the right to be informed about how their personal data is collected, used, and shared. This means companies must provide clear, concise, and transparent information about their data processing activities.

This information is typically provided through privacy notices or privacy policies, which must include details such as:

  • What personal data is being collected
  • The purposes for which the data is processed
  • The legal basis for processing
  • Who the data will be shared with
  • How long the data will be retained
  • Individuals’ rights and how to exercise them

Organizations must ensure that this information is easy to understand and accessible at the time of data collection.

2. The right of access

Under Art. 15 GDPR, individuals have the right to access their personal data held by an organization. This right, also known as a Subject Access Request (SAR) or Data Subject Access Request (DSAR), enables individuals to request a copy of their data and information on how it is being processed.

When a person submits a request, a company must provide:

  • Confirmation that their data is being processed
  • A copy of the personal data
  • Additional information, such as the purpose of processing, categories of personal data collected and processed, and details of any data sharing

Companies must respond to access requests within one month. Extensions may apply depending on the scenario, but they come with an obligation to inform the data subject.

3. The right to rectification

If an individual discovers that their personal data is inaccurate or incomplete, they have the right under Art. 16 GDPR to request its correction. A company is then required to rectify the information promptly, ensuring that any inaccurate or incomplete data is corrected or completed.

This right is crucial for maintaining data accuracy and ensuring that organizations only process up-to-date information.

4. The right to erasure (or the right to be forgotten)

The right to erasure, also known as the “right to be forgotten” under Art. 17 GDPR, enables individuals to request the deletion of their personal data in certain circumstances. These circumstances include:

  • The data is no longer necessary for the purpose for which it was collected
  • The individual withdraws their consent, and there is no other valid legal basis for processing
  • The individual objects to the processing, and there are no overriding legitimate legal bases
  • The data has been unlawfully processed
  • The data must be erased to comply with a legal obligation

It’s important to note that the right to erasure is not absolute. In some cases, companies may have legal grounds or regulatory requirements to retain the data, such as for compliance with legal obligations or the defense of legal claims.

5. The right to restrict processing

The right to restrict processing under Art. 18 GDPR enables individuals to limit the way their personal data is processed. This means that an organization may store the data but cannot use it for any further processing unless certain conditions are met.

Individuals can request a restriction of processing if:

  • They contest the accuracy of the data (until the organization verifies its accuracy)
  • The processing is unlawful, but the individual does not want the data to be erased
  • The organization no longer needs the data, but the individual requires it to establish, exercise, or defend a legal claim
  • The individual has objected to processing (pending the organization’s verification of whether legitimate grounds override the individual’s rights)

6. The right to data portability

Data portability enables individuals to request the transfer of their personal data from one organization to another under Art. 20 GDPR. This right is designed to enhance user control over personal data and facilitate the free movement of information between service providers.

The right to data portability applies when:

  • The data is processed based on consent or a contract
  • The processing is carried out by automated means

Upon receiving a request to port data, organizations must provide the data in a structured, commonly used, and machine-readable format.

7. The right to object

People have the right to object to the processing of their personal data in certain circumstances under Art. 21 GDPR. This right applies when processing is based on legitimate interest, direct marketing, or research purposes.

If an individual objects to direct marketing, the organization must stop processing the data for that purpose immediately. For other objections, the organization may continue processing if it can demonstrate compelling and legitimate grounds that override the individual’s rights.

8. Rights related to automated decision-making and profiling

Under Art. 22 GDPR, individuals have the right not to be subject to decisions based solely on automated processing, including profiling, if these decisions have legal or similarly significant effects on them.

Organizations must ensure that individuals have the opportunity to request human intervention, express their point of view, and challenge automated decisions.

This right is particularly relevant in industries like finance, where automated systems may make decisions about creditworthiness, and in the recruitment process, where algorithms may be used to evaluate candidates.

How to respond to data subject rights requests?

Knowing how to handle a data subject rights request properly is a critical aspect of GDPR compliance. When a company receives a GDPR individual rights request, there are several best practices to follow:

  • Verification of the individual: Before responding to any request, verify the identity of the individual to ensure that the request is legitimate.
  • Timely response: GDPR requires that organizations respond to data subject rights requests within one month. In certain cases, this period may be extended by an additional two months, but the individual involved must be informed of the delay.
  • Providing clear information: When fulfilling requests, it’s essential to provide the requested information in a concise, transparent, and easy-to-understand format.

Companies should implement procedures for handling EU data subject rights requests to avoid delays or incomplete responses, and mitigate data breach risks, as these could result in noncompliance penalties.

Who enforces GDPR data subject rights?

Enforcement of GDPR data subject rights is carried out by Data Protection Authorities (DPAs) in each EU member state. These authorities are responsible for monitoring compliance, handling complaints, and taking action against organizations that violate GDPR rules.

In addition to overseeing data protection, DPAs also have the authority to impose sanctions and fines on organizations that fail to comply with GDPR requirements, including those related to data subject rights. They can also conduct audits, issue warnings, and order organizations to cease data processing activities if necessary.

Individuals who believe their data subject rights have been violated can lodge a complaint with their national DPA, which will investigate the matter and take appropriate action.

What happens if you violate GDPR subject rights?

Failure to comply with GDPR data subject rights can result in significant consequences for organizations. The GDPR imposes two tiers of administrative fines, depending on the severity of the violation:

  • Tier 1 fines: Up to EUR 10 million, or 2 percent of the organization’s global annual revenue (whichever is higher) for less severe breaches, such as failing to maintain accurate records or notify the DPA of a breach.
  • Tier 2 fines: Up to EUR 20 million, or 4 percent of the organization’s global annual revenue (whichever is higher) for more serious breaches, such as violating data subject rights or failing to obtain valid consent.

In addition to financial penalties, companies may suffer reputational damage and a loss of consumer trust and opportunities with partners or investors if they fail to uphold data protection rights.

How Usercentrics Cookiebot can help you comply with GDPR data subject rights

GDPR data subject rights are fundamental to ensure that companies are transparent, accountable, and give users control over their personal data. Organizations that process personal data must understand and respect these rights.

However, that can be easier said than done. Usercentrics Cookiebot CMP simplifies this by helping you manage user consent and provide transparency in your data processing. Usercentrics Cookiebot CMP helps companies:

  • Collect valid consent: Usercentrics Cookiebot enables websites to obtain valid user consent for data processing per GDPR requirements.
  • Provide clear information: By generating customizable cookie banners and privacy policies, Usercentrics Cookiebot helps ensure that users are informed about how their data is being processed.
  • Facilitate data subject rights: With Usercentrics Cookiebot, organizations can easily implement mechanisms for users to exercise their data subject rights, such as withdrawing consent or requesting access to their personal data.

By using Usercentrics Cookiebot CMP, companies can streamline their GDPR compliance efforts and reduce the risk of noncompliance, ultimately protecting both their users and their business.

FAQ

What are data subject rights?

Data subject rights are a set of entitlements granted to individuals under data protection laws like the GDPR, giving them control over their personal information. These rights include the right to be informed, access personal data, request rectification or erasure, restrict processing, obtain data portability, object to processing, and not be subject to automated decision-making.

Who is the data subject in GDPR?

Under the GDPR, a data subject is defined as an identifiable natural person residing in the EU whose personal data is being processed. This includes any individual who can be directly or indirectly identified through information.

What is a European data subject rights request?

A European data subject rights request is a formal inquiry made by an individual to exercise their rights under the GDPR regarding their personal data held by an organization. These requests can include asking for access to personal information, requesting data erasure, demanding rectification of inaccurate data, or exercising other rights such as data portability or objection to processing.

What is the GDPR definition of data subjects?

According to the GDPR, data subjects are identified or identifiable natural persons to whom personal data relates. This includes any living individual in the EU/EEA whose personal data is being collected, held, or processed.
