GDPR Rights: What every data controller and the data subject must know

Jun 25, 2024 · 3 mins read

Most people might feel the need to protect their data in this fast-evolving digital world. This led to the evolution of the GDPR (General Data Protection Regulation), which aimed to protect the privacy of European Union citizens.

The Data Controller (the organization that collects data) and the Data Subject (the customer who provides data) must know about GDPR rights. In this article, I discuss the following GDPR rights that every data controller and data subject must know.

  • Right to be Informed
  • Right to Access
  • Right to Rectification
  • Right to be Forgotten
  • Right to Restrict Processing
  • Right to Data Portability
  • Right to Object Processing
  • Right to Object Automated Processing

Right to be Informed

The data subject’s right to be informed is discussed in Articles 12, 13 and 14 of GDPR.

The right to information allows the data subject to understand what personal data is collected about them.

Additional information that the data subject can receive includes:

  • Purpose of data processing
  • Legal basis of data processing
  • Third parties involved in data processing

It is also important to inform the data subject about all of their GDPR rights.

Right to Access

The data subject’s right to access data is widely discussed in Article 15 of GDPR.

When a data access request is made, the data controller is required to provide a copy of the requested data to the data subject.

Along with the data, the controller should also provide additional information, such as:

  • Source of data
  • With whom data is shared
  • Period for which data will be stored

Right to Rectification

The right to rectification is clearly outlined in Article 16 of GDPR.

An organization may hold inaccurate or incomplete data about the data subject. In this case, the data subject has the following rights, which can be exercised upon request:

  • Rectify the inaccurate data
  • Fill in the incomplete data

The data controller has a wider obligation to keep the data accurate and up-to-date even when the data subject has not exercised the right to rectify it.

Right to be Forgotten

The right to be forgotten is also known as the right to erasure.

This right is covered in Article 17 of GDPR.

This right involves the data subject asking the controller to delete their data.

Usually, the data is deleted in the following situations:

  • If the personal data is no longer necessary
  • If the individual withdraws consent

However, the data controller is not obliged to delete the data if it is collected to comply with GDPR requirements.

Right to Restrict Processing

Users can invoke their right to restrict data processing upon request.

Article 18 clearly explains the Right to Restrict Processing.

This right empowers the data subject to restrict how their personal data is processed.

Users can invoke their right to restrict processing if their personal data is no longer accurate.

They can also invoke this right if they want the controller to hold their data even though the controller no longer needs it.

Once the data is restricted, the organization cannot process it without user consent.

Right to Data Portability

The Right to Data Portability applies to electronically processed data.

Article 20 of GDPR clearly outlines the details of the Right to Data Portability.

Individuals can ask the controllers to send them a copy of their personal data. The data will be sent to individuals in a structured and machine-readable format.

The individual is also entitled to ask the controller to send this data to another controller directly.

This right can be exercised only if the individual has already provided the data to the controller by consenting to it.

As already discussed, data should be processed electronically to exercise this right.

Right to Object Processing

The Right to Object Processing is discussed under Article 21 of GDPR.

The data subject has the right to object to the processing of their data. Whether the objection takes effect depends on the purpose of the data processing and the lawful basis for processing.

The data subject is required to provide the reason behind the objection to data processing.

The data controller has the right to dismiss the objection based on compelling reasons for processing the data that override the data subject’s interest.

Right to Object Automated Processing

This right is outlined under Article 22 of GDPR.

GDPR is very sensitive to data that is processed automatically without human involvement, and the data subject has the right to object to such processing.

This is especially important if the data is used to assess work performance, personal health, or residing location, which significantly affect the individual.

This right cannot be exercised if the data is processed under the government’s legal mandate.

How do you raise Data Rights requests?

There is no predefined way to make a GDPR rights request. Here are a few ways.

  • You can reach the data controller by writing a letter or email.
  • Some big companies let you submit data rights requests directly from the company website by filling out a data rights request form.
  • Most companies have a designated Data Protection Officer (DPO). You can find the DPO’s contact details in the privacy policy. The DPO is the best person in the organization to help you with rights requests. You can reach the DPO for your data rights requests.

Be as specific as possible in relation to your data rights request.

Thanks to GDPR Rights

In this article, I discussed the GDPR data rights that every data controller and data subject should know. I also discussed a few well-known ways of raising data rights requests.

With awareness of GDPR data rights, the controller and subject will better understand data access, deletion, restriction of processing, and objection to processing.

Thanks to GDPR rights.

GDPR Rights: What every data controller and the data subject must know FAQ

Who does GDPR apply to?

GDPR applies to any organization, regardless of location, that processes the personal data of EU citizens.

What rights do Data Subjects have under GDPR?

Data Subjects have the right to access their data, to correct inaccuracies, to erase data, to restrict processing, to data portability, to object to processing, and rights related to automated decision making and profiling.

What is a Data Controller under GDPR?

A Data Controller is an entity that determines the purposes, conditions, and means of the processing of personal data.

What should a Data Controller do in the event of a data breach?

In the event of a data breach, a Data Controller must notify the appropriate supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to the rights and freedoms of individuals.

What is the penalty for non-compliance with GDPR?

Non-compliance with GDPR can result in hefty fines of up to €20 million or 4% of the company’s global annual turnover, whichever is higher.

Sarath Shyamson

Sarath Shyamson is the customer success person at BlockSurvey and also heads the outreach. He enjoys volunteering for the church choir.

