What are GDPR Data Subject Rights?

Under the General Data Protection (GDPR) legislation, which becomes effective tomorrow, Friday, May 25, individuals who are European Union (EU) citizens have eight fundamental rights.

Many EU citizens, and the companies that have collected their personal data, seem to be working under the assumption that these eight rights are carved in stone. However, the rights are not absolute. They are contextual. That means that in certain circumstances, these rights cannot or may not be granted.

The eight fundamental rights are listed in GDPR Articles 15 and 2.

  1. Right to Access: The person whose data is being collected has the right to examine their personal data file. A Right to Access request must be responded to within a month. There are special circumstances where right to access may be denied under GDPR Article 15.
  2. Right to Rectification: The person whose data has been collected has the right to request modification, deletion, addition, or correction of data that is incomplete, incorrect or unimportant to the reason for its collection. Stipulations are laid out in Article 16.
  3. Right to be Forgotten: Also known as the right to erasure, the individual whose data was collected has the right to ask that his data be erased. Under Article 17 he may ask for erasure if the personal data has been made public.
  4. Right to Restriction of Processing: Under Article 18, an individual has the right to limit the processing of his data. There are several reasons why this right may not be granted. If this right is not granted, the company controller must state the reason under GDPR guidelines and offer the individual data subject a means to appeal.
  5. The Right to be Informed: GDPR states that the data controller of a business or organization must inform data subjects in clear, correct language of their rights. They must also be told how they can proceed if they feel their rights are being impeded. Article 19 states that the company controller must inform data subjects what was collected, why, how it is processed and what will be done with it. Moreover, their rights must clearly be outlined.
  6. The Right to Data Portability: The rights of the data subject around this issue are contained in Articles 5 and 22. Basically, the individual has the right to request that his data file, or information contained in this file, be sent electronically to another individual or business. The sending business has the right to ensure that the receiving institution has a secure means of receiving and storing this data.
  7. The Right to Object: Under GDPR Article 21, the data subject has the right to state that they do not want their personal data to be processed. The data subject can object. Under specific conditions, the data collector can deny this right.
  8. The Right not to be Subject to a Decision Based solely on Automated Processing: Often referred to as profiling, this is covered under GDPR Article 22, paragraph 1. It states that data subjects can object to collection, processing and use of any data that is collected and/or processed by machine only.

While these rights are clearly stated in GDPR, exceptions do occur in which a company’s data controller might well be within their rights in denying or limiting these rights.

For example, the individual rights of a data subject might be superseded by other, more important rights that affect the population as a whole rather than the individual. To assume that data subject rights are absolute is naive. Rights such as freedom of expression and information, for instance, might well have an impact on the individual rights of the data subject.