Data Subject Rights
Data Subject Rights
A Data Subject is any person whose personal data is being collected, held or processed.
Individuals have a number of specific rights under data protection law to keep them informed and in control of the processing of their personal data. The most commonly exercised of those rights are found in Articles 12-22 and 34 of the GDPR.
Which data subject rights apply or not is also influenced by the legal (lawful) basis on which a processing operation is based. Some rights apply to all legal bases, like the right to be informed; right to access; right to rectification; and right to restriction. The remaining rights are linked to specific legal bases. It is important to inform individuals about the rights that apply via a privacy notice.
It should also be kept in mind that there can be other requirements or limitations regarding some of the data subject rights. Controllers should consider which rights might be applicable in the first place when assessing their data protection obligations.
The data subject rights under the GDPR include:
- Right to be informed if, how, and why their personal data are being processed
- Right to access and get a copy of their personal data (See Data Subject Access Requests for details)
- Right to have their personal data corrected (rectification) or supplemented if it is inaccurate or incomplete
- Right to have their personal data deleted or erased, if incorrect or no longer needed
- Right to limit or restricthow their personal data are used; but this is not an absolute right and only applies in certain circumstances
- Right to data portabilityallows individuals to obtain and reuse their personal data for their own purposes across different services; it allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability
- Right to objectto processing gives individuals the right to object to the processing of their personal data in certain circumstances; individuals have an absolute right to stop their data being used for direct marketing
- Right not to be subject to automated decisions without human involvement, where it would significantly affect them
- Information on the interplay between data subject rights and legal basis can be found atDPC - (opens in a new window)Legal Bases Infographic and (opens in a new window)Full Guidance on Legal Bases for Processing Personal Data