
Data Protection: Navigating GDPR Data Subject Rights

You must have already heard of the GDPR, the most robust data protection law to date in the EU. At its most basic level, the regulation lays out what constitutes lawful processing of personal data (how it is collected, used, protected, or interacted with in general) and grants individuals whose personal data is processed some rights, called “data subject rights”.

👀 In this article, we take a look at what these rights are and how you can lawfully respect them as a business.

Before diving in, let’s define what a data subject is. Who does it even refer to?

“Data Subject”: Who Does it Refer to?

The GDPR uses the term “data subject” to describe an “identified or identifiable natural person”. It is essentially the individual whose personal data (e.g. an email address) is being collected, processed or stored by a business.

Personal data under the GDPR includes pieces of information that, when collected together, can lead to the identification of a person.

🔍 Read our article to learn more about what is considered personal information across major privacy laws.


What are Data Subject Rights under the GDPR?

The GDPR recognizes the necessity to protect personal data and to ensure individuals have control over it.

It allows data subjects to act on the personal data businesses hold about them, and grants them 8 data subject rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision-making and profiling. Keep reading for more detail.

📎 The Right to be Informed (GDPR Article 13, 14)

You need to inform users that their data is being collected, what data in particular, and why. This also means that your privacy notices should be concise, easy-to-understand and easily accessible throughout your website/app.

📎 The Right of Access (GDPR Article 15)

Users have the right to access their personal data and information about how their personal data is being processed.

📎 The Right to Rectification (GDPR Article 16)

Users have the right to have their personal data rectified if it is inaccurate or incomplete.

📎 The Right to Erasure (GDPR Article 17)

When data is no longer relevant to its original purpose or where users have withdrawn consent, users have the right to request that their data be erased.

📎 The Right to Restrict Processing (GDPR Article 18)

Users have the right to restrict the processing of their personal data in specific cases.

📎 The Right to Data Portability (GDPR Article 20)

Under certain conditions, users have the right to obtain (in a machine-readable format) and use their personal data for their own purposes.

📎 The Right to Object (GDPR Article 21)

Users have the right to object to certain activities in relation to their personal data.

📎 Rights Related to Automated Decision-Making and Profiling (GDPR Article 22)

Users have the right to not be subjected to a decision that’s based on automated processing or profiling, and which produces a legal or a similarly significant effect on the user.

🔍 You can find full details on the rights above in simplified terms in our GDPR guide here, or you can read the official GDPR text here.


Your Role as a Business Regarding Data Subject Rights

What do these rights mean for your business, in practice?

Appointment of a Data Protection Officer

A Data Protection Officer (DPO) is usually appointed by a company to ensure that personal data is processed following the applicable data protection rules. This includes personal data:

  • of the organization’s employees;
  • of the organization’s customers;
  • of the organization’s providers;
  • of data subjects; and
  • processed by data processors.

Note that if the GDPR applies to your company and you process a significant amount of personal data, you are legally required to designate a DPO.

When it comes to data subjects and data subject rights, a DPO often acts as the main point of contact and needs to handle requests from individuals who would like to exercise their rights.

🔍 We have compiled a quick guide for what to look for when choosing your DPO. Check it out here!

Fulfill Data Subject Access Request (DSAR)

Filing a Data Subject Access Request is a step individuals can take to exercise their key right of access under the GDPR. Data subjects can send a written request and ask for the following information:

  • why is the information collected/processed?
  • what are the categories of personal data collected/processed?
  • is the data shared with third parties?

As a company, you must provide a reply with a copy of the individual’s personal data, free of charge. The request should be fulfilled without undue delay and, at the latest, within one month of receiving it.

🔍 Learn more about how to handle DSAR here.

Honor Data Subject Rights

The bottom line is that you are required to honor the data subject’s rights under the GDPR. You should:

✅ Take these rights seriously and have appropriate technical and organizational measures in place to respect them;
✅ Oversee the training of your staff (if any) on data protection matters and handling data subject requests;
✅ Make sure your privacy documents are complete and up-to-date!

Failure to honor these rights can result in fines and reputational damage.

Are you GDPR-compliant?

Honoring data subject rights is just one part of GDPR compliance.

🚀 Here are 5 things you need to do now to comply with the GDPR
