January 27, 2023
When it comes to data subject rights, most companies focus on the right to access, modify, and delete data. But did you know there are actually eight rights under the EU’s General Data Protection Regulation? In this article, we’ll look at all of the GDPR data subject rights, what they require, and how to comply with them.
Articles 12 to 14 of the GDPR set out a data subject’s right to know that you have collected and intend to process their personal data. If you collect the data yourself, you must notify the data subject immediately.
For third-party vendors who obtain data from another processor, the timeframe to notify the data subject is wider. The law specifies you need to act within a “reasonable period of time” but no later than 30 days.
Whether you collect data directly or indirectly, the notification sent to the data subject must be easily accessible.
The data subject’s right to access their personal data is described in Article 15. In short, data subjects have a right to know:
Data subjects can send a data subject access request (DSAR), through which they may request a copy of all their personal data. A good DSAR mechanism is essential to ensure you’ll comply with their request in a timely manner.
Note that although individuals commonly make DSARs to access their data, it has become the industry standard to refer to any request to exercise a data privacy right as a DSAR.
Although access requests are the most common, the GDPR requires you to respond to any DSAR within 30 days. If the request is particularly complex, you may extend that timeline by another 30 days.
You can also reject DSARs, but only if the requests are “excessive or unfounded.” Examples include repeated requests within a short period of time, or requests that are clearly meant as harassment. In either case, the burden of proving that a request is excessive or unfounded falls on you, so be careful when rejecting a DSAR.
Detailed in Article 16, the right to rectification means data subjects can request the modification of any incorrect, outdated, or incomplete information.
According to Article 17 of the GDPR, data subjects have the right to request their personal data be deleted. For the request to be valid, at least one of the following conditions must be met:
If any of these situations apply, you must delete the person’s data within 30 days of receiving their request.
Article 18 gives data subjects the right to restrict the processing of their personal data. This is not the same as the right to erasure—here, you can still store the data. The right to restriction applies in certain situations, including:
As with other data subject requests, you have 30 days to respond when a restriction of processing is requested.
According to Article 20 of the GDPR, data subjects have the right to move their data from one platform/controller to another with ease. As a controller, you need to provide their data in a machine-readable format.
If a data subject makes an access request, you can’t just give them their data in multiple complex formats—it needs to be a common format that can be accessed reasonably easily.
Data subjects have the right to object to how their personal data is used for sales, marketing, or other non-service-related purposes according to Article 21. There are exemptions, but you need to prove you have legitimate grounds to continue processing the data.
For instance, if the processing is needed to carry out a task for public benefit, objecting is not permitted. Similarly, if the controller needs to process the data to provide the data subject with a service they signed up for, an objection isn’t possible.
The eighth right, found in Article 23, refers to automated data processing and profiling. Data subjects can say no to any automated decision-making, including profiling.
In fact, automated data processing, including profiling, is only allowed in three cases:
GDPR data subject rights aim to achieve the regulation's main goal: to give people power over their personal data.
Data subjects need to know exactly why, when, how, and for how long you’ll be processing their data. They can withdraw consent at any time, request modification or even erasure, and move their data to a different controller.
DSARs are how data subjects exercise most of these rights, and you need to respond quickly each time you receive one. Sometimes, however, it is easy to lose track of the requests you receive, or hard to locate all the data a request covers.
Osano’s DSAR solution can take some of that load off of your shoulders. It will support you in keeping track of data subject requests, responses, and even data management. Sign up for a free trial to try it for yourself, or request a demo to walk through Osano’s DSAR capabilities with an expert.
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”