Data subject rights according to GDPR

8 fundamental rights of data subjects under GDPR

One of the key objectives of the new European General Data Protection Regulation (GDPR) is to ensure the privacy and protection of the personal data of data subjects. To assure data subjects of that protection and privacy, GDPR grants them certain rights. Through these rights, data subjects can make a specific request and be assured that their personal data is not being used for anything other than the legitimate purpose for which it was originally provided. Let us look at the different GDPR data subject rights and the requests that a data subject can make as a customer, as an employee, or as personnel of a supplier.

  1. Right to information
  2. Right to access
  3. Right to rectification
  4. Right to withdraw consent
  5. Right to object
  6. Right to object to automated processing
  7. Right to be forgotten
  8. Right for data portability

1) Right to information

This right provides the data subject with the ability to ask a company for information about what personal data (about him or her) is being processed and the rationale for such processing. For example, a customer may ask for the list of processors with whom his or her personal data is shared.

2) Right to access

This right provides the data subject with the ability to get access to his or her personal data that is being processed. This request provides the right for data subjects to see or view their own personal data, as well as to request copies of the personal data.

3) Right to rectification

This right provides the data subject with the ability to ask for modifications to his or her personal data in case the data subject believes that this personal data is not up to date or accurate.

4) Right to withdraw consent

This right provides the data subject with the ability to withdraw a previously given consent for processing of their personal data for a purpose. The request would then require the company to stop the processing of the personal data that was based on the consent provided earlier.

5) Right to object

This right provides the data subject with the ability to object to the processing of their personal data. Normally, this would be the same as the right to withdraw consent, if consent was appropriately requested and no processing other than legitimate purposes is being conducted. However, a specific scenario would be when a customer asks that his or her personal data should not be processed for certain purposes while a legal dispute is ongoing in court.

6) Right to object to automated processing

This right provides the data subject with the ability to object to a decision based on automated processing. Using this right, a customer may ask for his or her request (for instance, a loan request) to be reviewed manually, because he or she believes that automated processing of his or her loan may not consider the unique situation of the customer.

7) Right to be forgotten

Also known as right to erasure, this right provides the data subject with the ability to ask for the deletion of their data. This will generally apply to situations where a customer relationship has ended. It is important to note that this is not an absolute right, and depends on your retention schedule and retention period in line with other applicable laws.

8) Right for data portability

This right provides the data subject with the ability to ask for the transfer of his or her personal data. As part of such a request, the data subject may ask for his or her personal data to be provided back (to him or her) or transferred to another controller. When doing so, the personal data must be provided or transferred in a machine-readable electronic format.

Who can make a rights request, and how?

A rights request can be made by an individual or an individual’s legal representative. Such an individual could be a customer, an employee, or personnel of a supplier working for the company. Also, such a request should usually be made in writing.

Conclusion

Data subject rights form the core of GDPR, and your company must implement these rights in the context of its individual clients, employees, and personnel from other suppliers.

Click here to read the full text of the GDPR to learn more about the data subject rights.

Punit Bhatia

Punit Bhatia is a senior professional with more than 18 years of experience in executing change and leading transformation initiatives. Across three continents, Punit has led projects and programs of varying complexity in business and technology. He has experience on both sides of the table in a variety of industries, serving as a consultant who worked for IT consulting companies, and as a key influencer and driver who has defined and delivered change for large enterprises.