GDPR Primer

Lesson 5 | Data subject rights under GDPR

Download Lesson PDF

Data subject rights are a huge part of GDPR. These rights grant end-users, individuals, the right to perform certain actions on their data that is stored and processed by controllers and processors. Technically, controllers field data subject rights requests but processors are obligated to assist controllers with these requests.

  • Right of access. Individuals can ask if organizations process personal data for the individual and, if the organization does process the individual’s data, the individual can request their data, the purpose of the processing, and sources of data.
  • Right to rectification. Individuals have the right to correct their personal data and make data complete incomplete personal data.
  • Right to erasure. Also known as the right to be forgotten, individuals can request the deletion of their personal data and organizations must comply without "undue delay".
  • Right to restrict processing. An individual can stop an organization from processing their personal data. In order to start processing said personal data again, the controller must notify the individual.
  • Right to data portability. An individual can request their personal data in a structured, commonly used, and machine-readable format. Where technically feasible, the individual can have data sent from one controller to another controller.
  • Right to object. Individuals have a right to object to the processing of their personal data mostly based on the allowed conditions for processing outlined in Article 6.

Data subject rights are new under GDPR and organizations need to document and implement processes to ensure they are able to meet data subject requests.