Contents

Run sensitive surveys.
Get insights.
Unlock value.

Free plan, no time limit
Set up in minutes
No credit card required

GDPR Rights: What every data controller and the data subject must know

Jun 25, 2024 · 3 mins read

GDPR rights

Most people might feel the need to protect their data in this fast-evolving digital world. This led to the evolution of the GDPR (General Data Protection Regulation), which aimed to protect the privacy of European Union citizens.

The Data Controller (Organization that collects data) and Data Subject (Customer who provides data) must know about GDPR rights. In this article, I have discussed the below GDPR rights that every data controller and subject must know.

Right to be Informed
Right to Access
Right to Rectification
Right to be Forgotten
Right to Restrict Processing
Right to Data Portability
Right to Object Processing
Right to Object Automated Processing

Right to be Informed

The data subject’s right to be informed is discussed in articles 12, 13 & 14 of GDPR.

The right to information allows the data subject to understand what personal data is collected about them.

A few of the additional information that can be received include,

Purpose of data processing
Legal basis of data processing
Third-party involved in data processing

It is also important to inform the data subject about all of their GDPR rights.

Right to Access

The data subject’s right to access data is widely discussed in article 15 of GDPR.

When a data access request is made, the data controller is required to provide a copy of the requested data to the data subject.

Along with data, they should also produce additional information, such as,

Source of data
With whom data is shared
Period for which data will be stored

Right to Rectification

The right to rectification is clearly outlined in article 16 of GDPR.

An organization may hold inaccurate or incomplete data about the data subject. In this case, the data subject holds the following rights to be exercised upon request.

Rectify the inaccurate data
Fill in the incomplete data

The data controller has a wider obligation to keep the data accurate and up-to-date even when the data subject has not exercised the right to rectify it.

Right to be Forgotten

The right to be forgotten is also known as the right to erasure.

This right is covered in article 17 of GDPR.

This right involves the data subject asking the controller to delete their data.

Usually, the data is deleted under the following situations.

If the personal data is no longer necessary
If the individual withdraws the consent

However, the data controller is not obliged to delete the data if it is collected to comply with GDPR requirements.

Right to Restrict Processing

User can evoke their right to restrict data processing upon request.

Article 18 clearly explains the Right to Restrict Processing.

This right empowers the data subject to restrict how their personal data is processed.

Users can evoke their right to restrict processing if their personal data is no longer accurate.

They can also evoke this right if an individual wants the Controller to hold their data even though the controller no longer needs this.

Once the data is restricted, the organization cannot process it without user consent.

Right to Data Portability

Right to Data Portability applies to electronically processed data.

Article 20 of GDPR clearly outlines the details of Right to Data Portability.

Individuals can ask the controllers to send them a copy of their personal data. The data will be sent to individuals in a structured and machine-readable format.

The individual is also entitled to ask the controller to send this data to another controller directly.

This right can be exercised only if the individual has already provided the data to the controller by consenting to it.

As already discussed, data should be processed electronically to exercise this right.

Right to Object Processing

The Right to Object Processing is discussed under article 21 of GDPR.

The data subject has the right to object processing of their data. The objection takes effect based on the purpose of data processing and the lawful basis for processing.

The data subject is required to provide the reason behind the objection to data processing.

The data controller has the right to dispel the objection based on compelling reasons for processing the data that override the data subject’s interest.

Right to Object Automated Processing

This right is outlined under article 22 of GDPR.

GDPR is very sensitive to data that is processed automatically without human involvement and has the right to object to such processing.

This is especially important if the data is used to assess work performance, personal health, and residing location, which significantly affect the individual.

This right cannot be exercised if the data that is processed is under the government’s legal mandate.

How do you raise Data Rights requests?

There is no predefined way that is set to make a GDPR rights request. Here are a few ways.

You can reach the data controller by writing through a letter or email.
Some big companies offer options to exercise data rights requests from the company website directly by filling out a data rights requests form.
Most companies have a designated Data Protection Officer. You have the contact details of DPO in the privacy policy. DPO is the best person in the organization who can help you with rights requests. You can reach the DPO for your data rights requests.

Be as specific as possible in relation to your data rights request.

Thanks to GDPR Rights

In this article, I discussed the GDPR Data rights that every data controller and data subject should know. I also discussed a few well-known ways of raising data rights requests.

With GDPR data awareness, the controller and subject will better know data access, deletion, restriction of processing, and object processing.

Thanks to GDPR rights.