Updated: September 24, 2024
Published: January 27, 2023
When it comes to data subject rights and freedoms, most companies focus on the rights to access, modify, and delete data. But did you know that the EU's General Data Protection Regulation (GDPR) actually grants eight rights that give individuals control over their personal data and how it is used? Guidance from the European Data Protection Board (EDPB) provides further clarity on how these rights are interpreted and applied under the law.
In this article, we’ll examine the GDPR rights of data subjects, what they require, and how to comply with them.
Articles 12 to 14 of the GDPR cover the data subject's right to be informed that you have collected, and intend to process, their personal data. If you collect the data directly from the data subject, you must notify them immediately.
Controllers that obtain data indirectly, from another data controller or a third-party vendor, have a longer timeframe to notify the data subject. The law specifies that you must act within a "reasonable period of time," but no later than 30 days.
Whether you collect data directly or indirectly, the notice you send to the data subject must be easily accessible and written in plain language.
The data subject’s right to access their personal data is described in Article 15. In short, data subjects have a right to know:
Data subjects can send a data subject access request (DSAR), through which they may request a copy of all their personal data. A good DSAR mechanism is essential to ensure you’ll comply with their request promptly.
Note that although individuals commonly make DSARs to access their data, it has become the industry standard to refer to any request to exercise a data privacy right as a DSAR.
Although access requests are the most common, the GDPR requires you to respond to any DSAR within 30 days. If a request is particularly complex, you may extend that deadline by another 30 days.
You can also reject DSARs, but only if the requests are "excessive or unfounded." The EDPB provides guidance on what counts as "excessive or unfounded," which is crucial for managing data subjects' requests. Examples include repeated requests within a short period, or requests that are clearly meant as harassment. In either case, the burden of proving that a request is excessive or unfounded falls on you, so reject a DSAR with care and document your reasoning.
Detailed in Article 16, the right to rectification means data subjects can request the modification of any incorrect, outdated, or incomplete information. When such a request is made, the data controller must promptly correct the inaccuracies in the personal data to ensure that it accurately reflects the subject's situation.
This right is particularly important in contexts where inaccurate data could adversely affect the rights and freedoms of the data subject, such as decisions based solely on automated processing or where the data is necessary for the performance of a contract.
Ensuring that personal data is accurate and up-to-date complies with GDPR and upholds the broader principles of data privacy law by protecting the individual's fundamental rights.
According to Article 17 of the GDPR, data subjects have the right to request their personal data be deleted. For the request to be valid, at least one of the following conditions must be met:
If any of these situations apply, you must delete the person’s data within 30 days of receiving their request. Additionally, this right helps protect the rights and freedoms of others, ensuring that personal data is not processed unnecessarily or without proper legal basis.
Furthermore, this right complements the right not to be subject to a decision based solely on automated processing, safeguarding individuals from actions that could affect them significantly without human intervention.
Article 18 gives data subjects the right to restrict the processing of their personal data. This is not the same as the right to erasure—here, you can still store the data. The right to restriction applies in certain situations, including:
As with other data subject requests, you have 30 days to respond when a restriction of processing is requested.
According to Article 20 of the GDPR, data subjects have the right to move their data from one platform/controller to another with ease. As a controller, you need to provide their data in a machine-readable format.
If a data subject makes an access request, you can’t just give them their data in multiple complex formats—it needs to be a common format that can be accessed reasonably easily.
Under Article 21, data subjects have the right to object to the use of their personal data for sales, marketing, or other purposes unrelated to the service they receive. There are exemptions, but you must be able to demonstrate legitimate grounds to continue processing the data.
For instance, if the processing is needed to carry out a task for public benefit, objecting is not permitted. Similarly, if the controller needs to process the data to provide the data subject with a service they signed up for, an objection isn’t possible.
The eighth right, found in Article 23, refers to automated data processing and profiling. Data subjects can say no to any automated decision-making, including profiling.
In fact, automated data processing, including profiling, is only allowed in three cases:
The GDPR's data subject rights serve the regulation's main goal: to give people power over their personal data.
Data subjects need to know exactly why, when, how, and for how long you’ll be processing their data. They can withdraw consent at any time, request modification or even erasure, and move their data to a different controller.
DSARs are how data subjects can exercise most of these rights, and you need to respond quickly each time you receive one. Sometimes, however, it can be easy to lose track of the requests you receive or to find all the necessary data.
Osano’s DSAR solution can take some of that load off of your shoulders. It will support you in keeping track of data subject requests, responses, and even data management. Request a demo to walk through Osano’s DSAR capabilities with an expert.
Osano Staff is a pseudonym used by team members when authorship may not be relevant. Osanians are a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of making a more transparent internet.