The Ultimate Guide to Data Subject Rights Under the GDPR

By Petar Todorovski, 10 June 2022

Data Privacy Specialist

Fact-checked by Miklos Zoltan

This article will teach you:

  • Who has data subject rights under the GDPR
  • What data subject rights the GDPR grants to users
  • How they can exercise these rights
  • What businesses have to do if approached by a user who wants to exercise a right
  • What the consequences of non-compliance with a data subject request are

In terms of comprehensive data protection, you can divide the history into times before the GDPR and after the GDPR.

The landmark EU regulation was one of the first to grant internet users extensive data privacy rights and tools to protect themselves. It has had a major influence on governments worldwide, so most of the data protection laws passed since the GDPR tend to be similar to the EU law.

Among other things, it means that the recent privacy laws grant users extensive data protection rights.
But before diving into that, you need to understand the difference between the data controller, data processor, and data subject because we will be using these terms.

A data controller is a business that collects personal data.

A data processor is a business that processes the data on behalf of the controller.

The difference is that the controller decides what, why, and how the data will be processed, and the processor does the job. For example, you decide that you are going to collect email addresses (the “what”) via the signup form (the “how”) for delivering your newsletter (the “why”). Mailchimp does the job for you. You are the data controller, and Mailchimp is your data processor.

On the other hand, the data subject is any internet user whose data you have collected and/or processed. They have rights. When they decide to exercise the rights, you have to comply. If you don’t, you may be fined.

You need to learn about the data subject rights under the GDPR.

Data Subjects' Rights Under GDPR

Who Has GDPR Data Subject Rights?

GDPR applies to the interactions between businesses and users in which at least one comes from the European Union.

This means that it applies where:

  • Both the business and the user are from the EU
  • The business is from the EU, and the user is from anywhere in the world
  • The user is from the EU, and the business is from anywhere in the world

What Rights Does the GDPR Grant to Users?

The GDPR grants data subjects the following data subject rights:

Right to know

What it means: This right allows data subjects to request information on whether you collect personal data, what categories of data you collect, why you do that, and anything related to your privacy practices. This arises from the transparency principle. It requires you to be transparent with users about what you do with personal data and the motives behind that.

What data controllers need to provide: When a business, i.e., the data controller, receives a request to know, they have to provide the data subject with the information requested, such as the categories of data collected and processed, purposes for processing, methods of collection and processing, third parties to whom the data has been disclosed, where the data has been transferred, and so on.

Right to access

What it means: The right to access grants the data subject the opportunity to access their data under your control.

What data controllers need to provide: If you hold their name and email address, they have the right to access it. Sometimes the request will pertain to all their data, and sometimes only to parts. You must stick to the actual demand and provide access to the requested data.

Right to rectification

What it means: The right to rectification is the right to have one's own personal data corrected. For example, a data controller who sends discount codes to customers may have a mistake in a customer’s email address, so the customer does not receive any codes. That user, i.e., the data subject, has the right to request rectification of their data, to have their email address corrected, and to receive the codes.

What data controllers need to provide: The data controller must correct the subject’s data according to their request.

Right to erasure (right to be forgotten)

What it means: The right to erasure of personal data, also widely known as the right to be forgotten, means deleting a data subject’s data from the data controller’s records. The data subject may request deletion of all their data or only parts. They can, for example, request you to erase their phone number because they want to communicate with you only by email.

What data controllers need to provide: They must delete personal data according to the request. Remember that a request to delete some categories of data does not mean deletion of all the data.

Right to restriction of processing

What it means: The data subject can request the data controller to cease processing their personal data if any of the following is true:

  • The personal data is inaccurate
  • The processing is unlawful, but the data subject chooses restriction of processing over erasure
  • The data controller no longer needs the data for processing
  • The data subject has objected to the processing, but is still awaiting the verification

What data controllers need to provide: The data controller should comply with the request to restrict the data processing of the categories of personal data to which the request pertains.

Right to data portability

What it means: Sometimes, users want to transfer their data to another data controller. This usually happens when the user changes service providers. For example, they can move from Hulu to Netflix and want to take the data that Hulu has collected about them.

What data controllers need to provide: The controller has to create a file with all the requester’s personal data and give it to them. The data has to be in a format that could be usable by other data controllers. If the data subject requests transfer of all the personal data, the controller must not hold any more data of the subject, except about compliance and legal claims.

Right to object

What it means: The data subject can object to the data processing and request the controller cease processing it.

What data controllers need to provide: The controller should cease processing data as requested unless they show legitimate grounds for continuing the processing. These grounds have to override the objection grounds of the data subject.

For example, the data subject may object to processing their payment data. The controller will have to comply, but if they show that processing such data is necessary for fraud prevention, they can keep processing the payment data.

The exception is the objection to data processing for direct marketing purposes. If the data subject objects to that, the controller must comply.

Right not to be part of automated individual decision-making, including profiling

What it means: Some businesses make automated decisions about customers based on algorithms. For example, an insurance company may calculate insurance rates for potential customers based on their personal data (including health data, salary, etc.). GDPR allows users to request not to be subject to such decision-making.

What data controllers need to provide: They must cease making decisions about the data subject based on automated means, including profiling.

Exercising the Rights

A data subject right on paper becomes a deliverable in practice only when the data subjects themselves exercise it.

Data subject rights are exercised by submitting data subject requests. Users can submit any data subject request, and you will be required to respond in a timely manner.

The GDPR requires data controllers to respond to the requests in 30 days, or 60 days for more complex requests. They have to inform the user about the extension of an additional 30 days.

If the data controller does not respond or responds insufficiently, the data protection authority may fine them.

In general, exercising data subject rights goes through five steps. Here’s what each one of them looks like from the perspective of the data subject and the data controller:

Submitting the request

The data subject submits the request to the data controller. They can submit the request in any way they like – whether by email, a web form dedicated to requests, over the phone, or any other way.

The data controller receives the request. For them, it doesn’t matter how the request has been submitted. They have to accept it. Businesses often include data subject request forms on websites or dedicated email addresses, but if the data subject has ignored them, it makes no difference. Every data subject request that has been received in any way has to be treated equally and responded to.

Identity verification

The data controller has to verify the identity of the requester. This is an important step because personal data may be disclosed in the process; if that happens, it must be disclosed to the right person. The controller has to ensure that they do not provide any data to a person who should not access it.

The data controller should not demand additional personal data for identity verification unless necessary. It would be ideal to make the verification based on personal data that is already available. For example, you may verify the data related to an email address based on the email address from which the request has been sent.

If the data controller cannot reasonably verify the data subject’s identity, they can refuse the request.

The data subject should provide any information required by the controller.

Identify the request

The data controller should identify the request. Data subjects sometimes submit unclear requests. In such a case, the controller should clarify the request. They may also ask the data subject for clarifications.

The data subject should respond to any questions the controller may have. If there are none, they should wait at this phase.

Collect and package data

Next, the data controller should inspect, collect, and package the data needed to fulfill the request.

The data subject doesn’t have to do anything.

Fulfill the request

Finally, the data controller should fulfill the request. Fulfilling the request may mean providing some data, correcting it, deleting it, or something else.

The data subject should review the delivery. If they are unsatisfied, they may submit additional requests or complain to the data protection authority.

Final Words

Data subject requests are not a burden to businesses nor a tool for users to bother them.

Transparency builds trust, and users’ trust is a great asset for any business. It is a means for a better connection between companies and users. It provides an opportunity for transparency that could eventually strengthen their bond.

Awareness around online data privacy grows steadily. Businesses need to comply not only to avoid the hefty fines but also to grow resources.

The input is not as high as it seems. Compliance with the requests is rather simple and easy to achieve. The upside, on the other hand, is higher and well worth the effort to comply. It is a no-brainer.
