Skip to main content

What are data subject rights?

Data subject rights are based on the premise that each individual (i.e., data subject) is the owner of their own personal information.

As such, they have the right to decide what is done with their personal data. They are also entitled to information about their data and how it is used.

In this guide, we will consider 8 data subject rights outlined in the EU’s General Data Protection Regulation (GDPR). Most global regulations follow the GDPR’s lead when it comes to people’s data rights. For this reason, no matter where your company is located, or where your customers are in the world, it is important to know and understand data subject rights.

Rights of the data subject

Rights of the data subject, according to the GDPR Chapter 3, include:

  • The right to insight about how you will collect and use their data
  • The right to access a copy of personal data you store about them and information about it
  • The right to have inaccurate personal data corrected or completed
  • The right to be forgotten, i.e., to have you delete their data (with some exceptions)
  • The right to restrict data processing in certain circumstances
  • The right to data portability, i.e., to have their data forwarded to them or a third party
  • The right to object to data processing in certain circumstances
  • The right to object to automated decision-making and profiling

Let’s look at each of these data subject rights and how you can honor them.

Right to insight/right to be informed

The right to insight/information means you should let people know what personal data is collected about them, and for what purpose.

Make it clear who is collecting the data and how long it will be kept. If you will share the person’s data with anyone else, say so. Finally, let people know how they can file a complaint if they choose to.

The information you provide should be clear and easy to understand. We suggest listing the following in your privacy policy:

  • Your company’s information and contact details
  • Your purpose for collecting and processing data
  • Your legal basis for collecting and processing data
  • Information and contact details for any third party with whom you share data
  • Whether the data will be used for automated decision-making
  • Your data retention period
  • A list of their data subject rights
  • How to file a complaint

Want more free data privacy tips?

Get the latest data privacy management news, trends and expert tips delivered straight to your inbox.

    Right of access

    People have the right to submit subject access requests to get information from you about whether their personal information is being processed.

    If you get this type of request you should respond within 30 days. You should provide a copy of the personal data they have about the person, plus additional information including:

    • The purpose of the processing
    • The categories of personal data you are processing
    • Who you share their data with (including third countries or international organizations)
    • How long you will keep their data
    • Information about their GDPR data subject rights
    • Whether you use the data for automated decision-making and profiling
    • The source of the data (if the data was not collected from the individual)

    Hopefully, all of this information about how you process their data in practice should be in agreement with what you’ve already stated in your privacy policy.

    Right to rectification

    The right to rectification lets people ask you to update or correct any inaccurate or incomplete data you have on them.

    If you get this type of request, you should respond within 30 days. First, check to see if the data is really inaccurate. Once you have confirmed that changes are in fact needed, make them. Then, respond to the person’s request with confirmation of the changes made.

    Right to be forgotten

    The right to be forgotten is the right to have personal data deleted. It applies under certain circumstances, for example:

    • The personal data is no longer needed for the purpose for which it was collected
    • The person withdraws their consent
    • The personal data was processed unlawfully
    • The person objects to the processing and you have no legal reason to continue processing
    • The personal data has to be erased for compliance with a legal obligation in the EU or a Member State law to which you are subject

    There are also some exceptions where you might refuse someone’s request to be forgotten. For example, if the data is being used for the public interest or for legal purposes.

    You should respond to requests to be forgotten within 30 days with confirmation that the person’s data has been deleted.

    You should also notify any third parties or additional processors you shared the data with and request they delete it too.

    Can you prove that deleting the person’s data is impossible or would require a disproportionate effort? If so, data regulators may release you from this obligation.

    Right to restrict processing

    People can ask you to limit the way you use their personal data. In this case, you can keep the data, but you should not use it.

    You must comply with requests to restrict processing in the following situations:

    • The data is inaccurate
    • Processing is unlawful
    • You no longer need to use the data, but the person wants the data kept for  a legal claim
    • You are taking measures to verify a data erasure request

    You should respond to requests to restrict data processing within 30 days. Once you restrict processing, you are not allowed to use the data, with some exceptions. For example, unless you need it for legal claims or to protect the rights of other individuals.

    To use the person’s data again, you must inform them and get their consent beforehand.

    Right to data portability

    Data portability is meant to make it easy for people to get/forward a copy of their own personal data. The person may ask you to transfer their data directly to someone else.

    When you get a data portability request, you should deliver the data in a structured, commonly used, and machine-readable format. Make sure you do so within 30 days.

    This applies to all digital data the person has given you by consent or contract. It includes data related to the behavior of the individual: their searches, location data, browsing history, and more.

    Right to object to processing

    The right to object lets people object to the processing of personal data at any time, in certain situations, depending on the purpose and lawful basis for processing.

    For example, people can always object to their data being used for direct marketing purposes.

    They can also object to their data being used for purposes that are normally considered acceptable legal bases for processing. For example, someone may object to you using their data for scientific, historical research, or statistical purposes.

    The GDPR right to object is similar to CCPA’s right to opt-out. The right to opt-out specifically lets people object to the sale of their data, while the right to object can be used under a wider variety of circumstances.

    You should respond to these objections within 30 days.

    Rights related to automatic processing

    Data subject rights include the right not to be subject to a decision based solely on automated processing, including profiling, if it produces legal effects or significantly affects them in other ways.

    Some examples of profiling based on personal data might be: Analysing or predicting someone’s work performance and reliability, their economic situation, their health, or their personal preferences, interests, behavior, and location.

    People have the right to ask for human intervention when automated processing is used to make decisions that could affect them. They also have the right to express their point of view or contest such decisions.

    You should always honor a person’s objection to automated decision-making, with some exceptions. For example, if you need to use it for the performance of a contract, if it is authorized by the law, or if the processing is based on explicit consent.

    Whenever you use automated decision-making, be aware of how it might affect someone. Put suitable measures in place to safeguard people’s rights, freedoms and legitimate interests.

    Data subject rights and customer service

    Does your whole team understand data subject rights and respect them? Why not take a few minutes to review data subject rights as a group with the help of this guide?

    Here are a few steps you can take right now:

    • Review information about data subject rights with your team
    • Update your privacy policy to keep data subjects informed
    • Set up a system to respond to data subject access requests

    Responding promptly to data subject rights requests shows transparency and good faith. It is also just good customer service.

    Make sure you never miss a data subject access request!

    Read about how our RequestManager can help.

    Sebastian Allerelli

    Governance, risk, and compliance specialist