The European Union’s General Data Protection Regulation (GDPR) has grown to become a preeminent data privacy law aimed at protecting individual’s right to privacy and data security in an era where digital data is thriving left and right.
Among its core principles are the GDPR Data Subject Rights (GDPR DSRs), a set of fundamental entitlements designed to empower individuals with control over their personal data. These data subject rights have inspired several data privacy laws enacted worldwide.
This guide dives into the intricacies of GDPR Data Subject Rights, unraveling the fundamental rights of this vital regulation. It is crucial to understand GDPR Data Subject Rights whether you're a concerned individual, referred to as a data subject, or an organization struggling to navigate the complex GDPR landscape.
GDPR Data Subject Rights
In a world that is becoming increasingly data-driven, GDPR Data Subject Rights aims to protect the privacy and data security of data subjects while also ensuring accountability, fairness, and transparency in the processing of their personal data. Chapter 3 of the GDPR outlines several key data subject rights, which include:
Right To Be Informed – Article 12
Data subjects have the right to be informed about the collection and use of their personal data both where they are provided directly to a controller and where the controller has acquired it from another source. This information to the data subject must be provided in “a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
Right to Access – Article 15
Data subjects have the right to access their personal data collected, stored, or used by an organization. The data subjects should be provided with clear and easily understandable information that covers, at least, confirmation on whether a controller is processing their data, the purpose behind such processing, its legal basis, the source of the personal data, the entities with whom the data has been or might be shared, the anticipated duration of storage, insights into how their data is used for profiling and automated decision-making. When personal data is transferred to a third country or to an international organization, details of appropriate safeguards related to the transfer of personal data must be provided to the data subjects.
Right to Rectification – Article 16
Data subjects are entitled to have inaccurate personal data about them rectified as soon as possible, along with the right to complete any incomplete personal data, including by means of providing a supplementary statement.
Right to Erasure (Right to Be Forgotten) – Article 17
Data subjects have the right to request the deletion of their personal data under certain conditions, such as when the data is no longer necessary for the purpose it was collected or the consent is withdrawn by the data subject or when the data subject objects to the processing under Article 21(1), and there are no prevailing legitimate reasons that override the processing or the personal data have been processed unlawfully, or the personal data have been gathered for the offer of information society services as outlined in Article 8(1) of the GDPR or the personal data has to be erased to fulfill a legal obligation within EU or Member State law to which the controller is obligated.
Right to Restrict Processing – Article 18
Data subjects have the right to restrict the processing of their personal data when one of the following applies:
- when disputing the accuracy of personal data till the controller verifies the accuracy of personal data;
- when personal data processing is deemed unlawful, and the data subject opposes erasure, opting for restriction;
- when the controller no longer needs the data but the data subject requires it for legal claims; and
- when the data subject objects to processing, pending verification of the controller's legitimate grounds.
If the processing of personal data is limited due to any of the reasons listed above, the personal data can only be processed further—aside from storage—under specific circumstances. These include obtaining the data subject’s consent, processing for legal claims, protecting the rights of another legal or natural person, or for any important public interest at the Union or Member State level.
Right to Notification – Article 19
When a controller rectifies, erasures, or restricts the processing of personal data under Article 16, Article 17(1), and Article 18, the controller must communicate these actions to each recipient who received the personal data. However, this communication is not required if it is impossible or involves a disproportionate effort. Additionally, if the data subject requests information about these recipients, the controller must provide that information to the data subject.
Right to Data Portability – Article 20
The data subject is entitled to receive their personal data, which they have provided to a controller, in a structured, commonly used, and machine-readable format. Additionally, they have the right to transmit this data to another controller without restriction from the initial controller under the conditions outlined in Article 20(1) of the GDPR. This right is applicable when the processing is based on consent (Article 6(1)(a) or Article 9(2)(a)), is necessary for the performance of a contract (Article 6(1)(b)), or is conducted through automated means.
Specifically, when exercising the right to data portability as per Article 20(1) of the GDPR, the data subject has the right to have their personal data directly transferred from one controller to another, provided that it is technically feasible.
Right to Object – Article 21
Data subjects have the right to object to processing their personal data, particularly in cases where the processing is based on legitimate interests or public tasks. Unless the data controller can provide a clear and convincing justification that supersedes the interests, rights, and freedoms of the data subject or that the processing is necessary for the establishment, exercise, or defense of legal claims, the data controller will no longer be able to process the personal data of the data subject. Certain rights to object should be absolute, particularly in the context of direct marketing.
Rights Related to Automated Decision-Making and Profiling – Article 22
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which may have legal or similarly significant effects on individuals except if the decision is required for entering into or fulfilling a contract between the data subject and a data controller; is permitted by EU or Member State law that includes appropriate measures to protect the data subject’s rights, freedoms, and legitimate interests; or is based on the explicit consent of the data subject.
Right to Withdraw Consent – Article 7(3)
Data subjects have the right to withdraw their consent at any time. The lawfulness of processing carried out using consent before its withdrawal is unaffected by the withdrawal of consent. Additionally, the withdrawal should be as easy as consenting.
Right to Lodge Complaints – Article 77
Data subjects have the right to lodge complaints. In addition to any other administrative or legal remedies, each data subject who believes that the processing of personal information about them violates this Regulation may file a complaint with a supervisory authority, particularly in the Member State where they regularly reside, work, or where the alleged infringement occurred.
Organizations that process personal data are obligated to comply with these rights and should be prepared to facilitate data subject requests in a timely and transparent manner to ensure GDPR compliance. Failure to do so can result in significant fines and legal consequences.
To be GDPR-compliant, organizations that process the personal data of EU residents are required to comply with these data subject rights and should be ready to expeditiously and transparently accommodate the growing number of data subject requests. Failing to comply with GDPR Data Subject Rights can potentially have serious consequences. Non-compliance may result in sizeable fines, legal actions, and reputational damage.
For less serious violations, an organization may be fined €10 million or 2% of its annual revenue from the previous fiscal year, whichever is higher. More serious infractions carry a fine of up to €20 million, or 4% of the organization’s previous year's revenue, whichever is higher.
How Securiti Can Help
Securiti’s Data Command Center enables organizations to comply with the European Union's General Data Protection Regulation (GDPR) by leveraging contextual data intelligence and automation to unify data controls across security, privacy, compliance, and governance through a single, fully integrated platform.
Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.
Request a demo to learn more.
