The General Data Protection Regulation (GDPR) protects privacy and secures personal data throughout the European Union. The regulation also requires organizations to respect a series of data subject rights. Failure to protect these rights will lead to severe fines. This article explains the different GDPR rights. We will look at how they work, when they apply, and how to comply with requests from data subjects.

Rights of data subject definition

Under GDPR data subjects have fundamental rights that data controllers and processors must protect. Data subjects have the right to access, rectify, and erase personal data. They have the right to limit data processing and object to data usage. Subjects have a right to data portability, and they also have the right to reject decisions based only on automated systems.

What are the rights of data subjects under GDPR?

When complying with GDPR, the rights of the data subject are a critical concern. Knowing what these rights are is essential.

What are the rights of data subjects under GDPR

Fundamental privacy and data protection rights under Chapter 3 of GDPR include:

  • The right to information
  • The right to access personal data
  • The right to rectify inaccurate personal data
  • The right to erase personal data
  • The right to withdraw consent
  • The right to object to data processing
  • The right to refuse decisions based on automation
  • The right to be forgotten (permanent erasure of identifiable data)
  • The right to data portability

That may seem like a long list of rights to consider. However, if we look at each right in detail, it should become easier to understand how to achieve compliance.

The right to information

Data controllers must provide certain information to data subjects at the point of data collection. This information includes:

  • The controller's identity or the identity of their representative
  • How to contact the data controller
  • How to complain about personal data processing
  • How to request changes or deletion of data
  • How to withdraw consent to share data
  • The purpose of data collection and processing
  • How long the controller will retain data
  • Legitimate interests of controllers and third parties
  • Who will receive personal data
  • Whether the controller will transfer personal data across international boundaries
  • Whether automation systems will process personal data

The right to access

Under the right to access, data subjects can request details about whether controllers hold their personal data. Individuals can request copies of data stored by the controller, as well as information about how the controller uses their data.

For example, data subjects can obtain information about whether security and privacy controls apply to international transfers and have the right to details about automated decision-making.

Organizations must provide data free of charge when individuals make an initial request. However, small charges can apply for repeated information requests.

The right to rectify personal data

GDPR allows data subjects to review and change their personal data if necessary. This could include out-of-date information, such as financial details or postal addresses. Rectification also includes the right to add personal data where records are incomplete.

There are some exceptions to this legal obligation. In some cases, individuals may not have the right to erase data. Subsequently, they may seek to change data to render their records unrecognizable. If this happens, controllers can request evidence that the rectification request is legitimate.

The right to erase data

Individuals resident in the EU have the right to erase personal data held by controllers. This right is conditional. Controllers must delete data where:

  • There is no longer a legal justification for processing, or the controller collected the data unlawfully
  • The subject withdraws consent to process data
  • The subject objects to data collection successfully
  • National laws inside the EU change, requiring data erasure
  • The controller collected data relating to a child

Controllers can refuse to delete data where there is a public interest. For instance, data processing may be valid for public health reasons. The controller may also use data to assist with legal cases.

However, controllers must comply if the data subject has a legitimate reason to demand erasure. They must also inform third parties or joint controllers with access to the data. These associated organizations must also delete data promptly.

The right to withdraw consent

The right to withdraw consent is one of the core GDPR data subject rights. Under Article 7 of the regulations, individuals can withdraw consent whenever required. Withdrawal must also be easy to achieve. As the regulations state, "It shall be as easy to withdraw as to give consent."

The right to object to data processing

GDPR allows data subjects to prevent data collection and processing in certain scenarios. Individuals can object to the use of their data for direct marketing purposes. They can also object to using personal data in research studies, providing there is no overriding public interest.

When exercising this right, subjects must supply a reason for their objection. Data controllers can contest objections, and some considerations may override individual freedoms. For example, law enforcement agencies may need personal data to protect national security.

However, there is no exemption for direct marketing. Companies must immediately comply if individuals want to opt out of marketing campaigns.

Along with objecting to all data sharing, subjects can also restrict processing in various ways:

  • If the data used by controllers is inaccurate. In this case, restriction may be temporary while the controller checks data accuracy and makes necessary changes.
  • If regulators are evaluating whether data collection is lawful. Data subjects can object to processing pending a legal judgment.
  • If processing is declared unlawful but the data subject elects to continue processing instead of erasing their personal data.
  • If the controller no longer has a lawful reason to process data, but the subject requires personal data for use in legal cases.

The right to reject automated processing

GDPR includes specific rights related to automated processing. Article 22 of the regulations states that individuals can opt out of decisions made by automated systems.

The rules mention "profiling". This includes many forms of web- or smartphone-based data collection that groups users for marketing purposes. However, this rule is not absolute. Objections from data subjects may not apply if the controller "lays down suitable measures to safeguard the data subject’s rights and freedoms."

Controllers can also continue to use automated data collection if they obtain "explicit consent" from the data subject. This makes it important to provide accurate consent forms when commencing data collection.

The right to be forgotten

The right to be forgotten is one of the most high-profile GDPR rights. Generally, controllers must delete all data when an individual exercises their right to be forgotten. However, this is also an area where user rights are hedged by many qualifications.

Fundamentally, the rules listed above about personal data erasure also apply to the right to be forgotten. The main difference is that when an individual exercises their data subject rights to be forgotten, the data controller must permanently delete all data held about the individual.

Compliance requires a comprehensive search across internal databases. Controllers also have a legal obligation to inform related third parties who may process the subject's personal data.

The right to portability

The right to data portability is also known as the right to transfer data. This right ensures that subjects can move their data between organizations without obstruction.

To comply with data subject rights around portability, controllers must structure data in a consistent format. Controllers must store data in a way that enables easy transfer. When users make legal claims to transfer data, the data controller must not obstruct transferral to an alternative organization.

As with all GDPR data subject rights, there are exceptions. The right to portability does not apply when processing is in the public interest. And moving data cannot harm the interests of others.

Key takeaways

  • GDPR grants individuals several rights regarding their personal data.
  • Data subject rights include the right to access their data. This includes information about how data is processed, stored, and shared.
  • Individuals can request the transfer of their data to another controller. They can make legal claims to rectify their data if it is inaccurate or incomplete.
  • Data subject rights include the right to object to processing. This right allows data subjects to stop controllers from processing their personal data under specific circumstances.
  • The "right to be forgotten" enables individuals to request the complete erasure of their personal data, with certain exceptions.


Protecting the rights of data subjects is a critical GDPR compliance challenge. All organizations need clear policies and procedures to ensure they meet their obligations.

When organizations receive a subject rights request, they have one calendar month to comply. The regulations specify that companies should respond "without undue delay", so acting quickly is recommended. One-month extensions are possible, but only in exceptional circumstances.

Clear communication is vital when responding to subject requests. If the request is denied, provide a clear reason with the legal justification. If there are delays, explain why. If additional fees apply, state why this is the case.

Remember that not all claims are valid. Organizations can refuse unfounded and frivolous requests. However, documenting the reasons for rejections is essential.

Disclaimer: This article is for informational purposes only and not legal advice. Use it at your own risk and consider consulting a licensed professional for legal matters. Content may not be up-to-date or applicable to your jurisdiction and is subject to change without notice.