When it comes to data subject rights, most companies focus on the right to access, modify, and delete data. But did you know there are actually eight rights under the EU’s General Data Protection Regulation? In this article, we’ll look at all of the GDPR data subject rights, what they require, and how to comply with them.
1. The right to be informed
Articles 12 to 14 of the GDPR set out a data subject’s right to know that you’ve collected and intend to process their personal data. If you collect the data yourself, you must notify the data subject immediately.
For third-party vendors who obtain data from another processor, the timeframe to notify the data subject is wider. The law specifies you need to act within a “reasonable period of time” but no later than 30 days.
Whether you collect data directly or indirectly, the notification sent to the data subject must be easily accessible.
2. The right to access
The data subject’s right to access their personal data is described in Article 15. In short, data subjects have a right to know:
- If you have any of their personal data.
- The purpose of the processing.
- The categories of personal data.
- How you process the data.
- If you share data with any third parties.
Data subjects can send a data subject access request (DSAR), through which they may request a copy of all their personal data. A good DSAR mechanism is essential to ensure you’ll comply with their request in a timely manner.
Note that although individuals commonly make DSARs to access their data, it has become the industry standard to refer to any request to exercise a data privacy right as a DSAR.
Although access requests are the most common type, the GDPR requires you to respond to any DSAR within 30 days; if a request is particularly complex, you may extend that deadline by another 30 days.
You can also reject DSARs, but only if the requests are “excessive or unfounded.” Examples include repeated requests in a short period of time, or requests that are clearly meant as harassment. In either case, the burden of proving that a request is excessive or unfounded falls on you, so you should be careful when rejecting a DSAR.
3. The right to rectification
Detailed in Article 16, the right to rectification means data subjects can request the modification of any incorrect, outdated, or incomplete information.
4. The right to erasure (the right to be forgotten)
According to Article 17 of the GDPR, data subjects have the right to request their personal data be deleted. For the request to be valid, at least one of the following conditions must be met:
- The data is outdated.
- The data subject withdraws their consent.
- The original purpose for data collection and processing has been satisfied.
- The processing of the data was unlawful.
- The data subject objects to the processing of their data and there are no legal grounds for processing.
If any of these situations apply, you must delete the person’s data within 30 days of receiving their request.
5. The right to restrict processing
Article 18 gives data subjects the right to restrict the processing of their personal data. This is not the same as the right to erasure—here, you can still store the data. The right to restriction applies in certain situations, including:
- The data subject contests the accuracy of the data.
- The processing is unlawful, but the data subject doesn’t want their data to be erased.
- The controller no longer needs the data, but the data subject doesn’t want their data to be deleted.
- The data subject has objected to the processing of their data in accordance with Article 21 (see the section on “The right to object”).
As with other data subject requests, you have 30 days to respond when a restriction of processing is requested.
6. The right to data portability
According to Article 20 of the GDPR, data subjects have the right to move their data from one platform/controller to another with ease. As a controller, you need to provide their data in a machine-readable format.
If a data subject makes an access request, you can’t just give them their data in multiple complex formats—it needs to be a common format that can be accessed reasonably easily.
7. The right to object
Under Article 21, data subjects have the right to object to how their personal data is used for sales, marketing, or other non-service-related purposes. There are exemptions, but you need to prove you have legitimate grounds to continue processing the data.
For instance, if the processing is needed to carry out a task for public benefit, objecting is not permitted. Similarly, if the controller needs to process the data to provide the data subject with a service they signed up for, an objection isn’t possible.
8. The right to object to automated data processing and profiling
The eighth right, found in Article 23, refers to automated data processing and profiling. Data subjects can refuse any automated decision-making, including profiling.
In fact, automated data processing, including profiling, is only allowed in three cases:
- If it is needed as part of a contract.
- If it is authorized by a Union or Member State law.
- If the data subject gives their explicit consent.
The bottom line
GDPR data subject rights aim to achieve the regulation's main goal: to give people power over their personal data.
Data subjects need to know exactly why, when, how, and for how long you’ll be processing their data. They can withdraw consent at any time, request modification or even erasure, and move their data to a different controller.
DSARs are how data subjects can exercise most of these rights, and you need to respond quickly each time you receive one. Sometimes, however, it can be easy to lose track of the requests you receive or to find all the necessary data.
Osano’s DSAR solution can take some of that load off of your shoulders. It will support you in keeping track of data subject requests, responses, and even data management. Sign up for a free trial to try it for yourself, or request a demo to walk through Osano’s DSAR capabilities with an expert.