The GDPR (General Data Protection Regulation) grants people, in their capacities as consumers, citizens and so forth, a range of specific data subject rights which they can exercise under particular conditions and, as usual, with a few exceptions. GDPR compliance, among other things, means enabling the exercise of these rights. The 8 fundamental data subject rights and beyond.
You can read more about some of these main data subject rights in our GDPR guide where we, among other things, tackle the data subject’s right of access, the right to be forgotten, a.k.a. the right to erasure, the data subject’s right to data portability and so forth.
Data subject rights are never absolute: there are, as mentioned, conditions and exceptions, but there are also other rights to keep in mind. The right to freedom of expression and information, for instance, can have an impact on the right to erasure. Moreover, organizations have legal obligations, and there might be contractual stipulations which limit or override data subject rights, within the boundaries the Regulation sets.
Data subject rights are contextual – rights, obligations and circumstances
Controllers (and in several instances processors, who process personal data on behalf of the controller) have duties and specific rights of their own, and in some cases they might not be able to meet a data subject request, again under specific rules. It isn’t always that easy indeed. The guidelines of the European Data Protection Board can be of help, as can those of the supervisory authorities in specific cases.
There is another reason why data subject rights are contextual. A good example is the right to withdraw consent. That right only exists when consent is the legal basis for the processing in question. Consent is only one of several lawful grounds for personal data processing and, so, if another lawful ground has been chosen, in full compliance with the GDPR, there is no consent to withdraw either, of course. Still, things can be tricky. Do note that consent also isn’t the same as explicit consent, as some people seem to believe.
If you fill in the search form of our online GDPR Text (all Articles) you can find the essential data subject rights. For your convenience, however, below is an overview of those data subject rights which of course should be part of every GDPR awareness program, at the very start of a strategic GDPR business approach and your journey towards GDPR compliance.
Speaking of awareness, there is an Irish, yet internationally active, fixed-term, not-for-profit organization with (professional) volunteers which set out to increase GDPR awareness overall. It is, aptly, called the GDPR Awareness Coalition.
They made an infographic which summarizes some essential data subject rights, called consumer rights in the infographic.
8 fundamental data subject rights (and more beyond the fundaments)
As you can see, these GDPR ‘consumer rights’ in the infographic include:
- The mentioned right to data portability.
- The data subject’s right of access.
- The right of correction, technically known as the right to rectification.
- The also mentioned right to be forgotten (erasure).
- The rights in the scope of consent (if that’s the legal ground for processing).
The infographic makes it a bit more tangible. However, there are more data subject rights, for instance when it comes to special categories of personal data, or with regard to direct marketing and profiling. So, you might find different infographics and lists of all those data subject rights. Yet, again, this infographic makes some consumer rights tangible.
At the most essential level and technically speaking there are 8 (or 7.5 perhaps, as we’ll see) essential data subject rights.
They are listed in GDPR Articles 15 to 22. How do we know? Easy enough: GDPR Article 12 on transparent information, communication and modalities for the exercise of the rights of the data subject says so.
Do note that the principles regarding the processing of personal data, the lawfulness of processing (which is about those mentioned legal grounds, including consent), the duties regarding the processing of special categories of personal data, and so on stretch much further than the data subject rights (not every obligation or principle comes with a corresponding right for consumers, of course).
However, when data subjects want to exercise one of those data subject rights, and have the right to do so, then the controller (and processors) need to be able to deliver upon it within the rules of the law (in this case the Regulation).
So, here are those fundamental data subject rights:
- The data subject’s right of access, which means 1) the right to know whether personal data concerning him or her are being processed and 2) if so, to obtain access to those data, along with a set of additional information such as the purposes of the processing, the categories of data, the recipients and the storage period (GDPR Article 15).
- The data subject’s right to rectification. When personal data are inaccurate, controllers need to correct them, and incomplete data must be completed (GDPR Article 16).
- The previously mentioned right to erasure or right to be forgotten, with additional stipulations, among others when the personal data have been made public (GDPR Article 17).
- The data subject’s right to restriction of processing. Simply said, the right of the consumer, or whatever you call the natural person under the scope of the GDPR, to limit the processing of his/her personal data, with, once more, several rules and exceptions (GDPR Article 18).
- The right to be informed. Here we stretch it a bit. In general, the GDPR asks controllers and so on to inform data subjects on several matters. Providing clear and correct information is a key duty in many regards. Simply said, the GDPR wants consumers to know, because if you don’t know you can’t decide, right? However, here we rather mean GDPR Article 19 which, again simply put, says that when personal data have been rectified, erased or restricted as a consequence of one of the just mentioned data subject rights, the controller must communicate this to each recipient to whom the data were disclosed, unless this proves impossible or involves disproportionate effort. And then the data subject also has a right, even if not strictly called a right, to ask “who are all these recipients who got my data?”, which the controller must answer on request. So, right or not? It explains why we said 7.5, but it really is a right. More about information duties further below.
- The right to data portability. This is again one of those data subject rights that are in the infographic and which we covered more in depth previously. With the right to data portability we’re in GDPR Article 20, so, keeping in mind that data subject rights are covered in Articles 15 to 22, that means two more to go.
- GDPR Article 21 is all about the data subject’s right to object. That does indeed mean what it says: data subjects can say they don’t want the personal data processing to be done or to go on. This might seem to overlap with other data subject rights, but it doesn’t. Of course, in practice the data subject can, again within specific conditions, exercise both the right to object and the right to be forgotten. Especially direct marketers and people who do profiling should pay a lot of attention to the right to object, as it is largely about them, and certainly about profiling with automated means (though not solely).
- The data subject’s right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This is pretty much a copy and paste of GDPR Article 22, Paragraph 1, which ends the ‘official’ list of data subject rights.
Additional data subject rights in the scope of particular circumstances and of consent
So, let’s say 8 fundamental data subject rights anyway, with that right to information being far broader than what is said in GDPR Article 19 and even in GDPR Article 15: the right to clear information overall comes back again and again in the GDPR.
GDPR Article 13 and GDPR Article 14 in particular cover the information which needs to be provided to the data subject, when personal data are collected from the data subject (Article 13), or when they are processed but not obtained from the data subject (Article 14).
And then we aren’t counting the rights regarding consent (if it is the chosen legal basis for a specific type of personal data processing), the additional ‘rights’ with regard to those special categories of personal data which are called ‘sensitive data’ in GDPR Recital 10, the rights in the scope of proceedings, lodging complaints, representation and compensation, the rights in the scope of personal data breaches (e.g. notification of the data subject when the breach is likely to result in a high risk, GDPR Article 34) and far more.
Below is another infographic, this one from Law Infographics, who added a few of those rights. Oh, the abbreviations in this infographic: DS is the Data Subject, DC is the Data Controller (simply ‘controller’ in the GDPR text) and DP is the Data Processor (‘processor’ in the GDPR text).
Top image: Shutterstock – Copyright: sdecoret – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked, we are not liable for potential mistakes and advise you to seek assistance in preparing for EU GDPR compliance.