Data Protection: Navigating GDPR Data Subject Rights

You must have already heard of the GDPR, the most robust data protection law to date in the EU. At its most basic level, the regulation lays out what constitutes lawful processing of personal data (how it is collected, used, protected, or interacted with in general) and grants individuals whose personal data is processed some rights, called “data subject rights”.

👀 In this article, we take a look at what these rights are and how you can lawfully respect them as a business.

Before diving in, let’s define what a data subject is. Who does it even refer to?

“Data Subject”: Who Does it Refer to?

The term “data subject” is used in the GDPR text to describe an “identified or identifiable natural person”. It is essentially the individual whose personal data (e.g. an email address) is being collected, processed or stored by a business.

Personal data under the GDPR includes pieces of information that, when collected together, can lead to the identification of a person.

🔍 Read our article to learn more about what is considered personal information across major privacy laws.


What are Data Subject Rights under the GDPR?

The GDPR recognizes the necessity to protect personal data and to ensure individuals have control over it.

It gives data subjects a say in how businesses handle the personal data they hold on them by granting a list of 8 data subject rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights related to automated decision-making and profiling. Keep reading for more detail.

📎 The Right to be Informed (GDPR Article 13, 14)

You need to inform users that their data is being collected, which data in particular, and why. This also means that your privacy notices should be concise, easy to understand and easily accessible throughout your website/app.

📎 The Right of Access (GDPR Article 15)

Users have the right to access their personal data and information about how their personal data is being processed.

📎 The Right to Rectification (GDPR Article 16)

Users have the right to have their personal data rectified if it is inaccurate or incomplete.

📎 The Right to Erasure (GDPR Article 17)

When data is no longer relevant to its original purpose or where users have withdrawn consent, users have the right to request that their data be erased.

📎 The Right to Restrict Processing (GDPR Article 18)

Users have the right to restrict the processing of their personal data in specific cases.

📎 The Right to Data Portability (GDPR Article 20)

Under certain conditions, users have the right to obtain (in a machine-readable format) and use their personal data for their own purposes.

📎 The Right to Object (GDPR Article 21)

Users have the right to object to certain activities in relation to their personal data.

📎 Rights Related to Automated Decision-Making and Profiling (GDPR Article 22)

Users have the right to not be subjected to a decision that’s based on automated processing or profiling, and which produces a legal or a similarly significant effect on the user.

🔍 You can find full details on the rights above in simplified terms in our GDPR guide here, or you can read the official GDPR text here.


Your Role as a Business Regarding Data Subject Rights

What do these rights mean for your business, in practice?

Appointment of a Data Protection Officer

A Data Protection Officer (DPO) is usually appointed by a company to ensure that personal data is processed following the applicable data protection rules. This includes personal data:

  • of the organization’s employees;
  • of the organization’s customers;
  • of the organization’s providers;
  • of data subjects; and
  • processed by data processors.

Keep in mind that if the GDPR applies to your company and you process a significant amount of personal data, you are legally required to designate a DPO.

When it comes to data subjects and data subject rights, a DPO often acts as the main point of contact and needs to handle requests from individuals who would like to exercise their rights.

🔍 We have compiled a quick guide for what to look for when choosing your DPO. Check it out here!

Fulfill Data Subject Access Request (DSAR)

To comply with GDPR requirements, it’s essential to fulfill Data Subject Requests (DSRs), which cover the full range of rights individuals can exercise under the regulation: the right to access, rectify and erase their data, to restrict processing, to data portability, to object to processing, and not to be subject to automated decision-making.

When fulfilling DSRs, organizations must respond promptly and effectively, adhering to the legal timelines (typically within one month). Among these, Data Subject Access Requests (DSARs), where individuals request access to their personal data, are particularly common and must be handled with care to ensure compliance. However, honoring DSRs goes beyond DSARs, as it involves respecting all rights granted under the GDPR.

Filing a Data Subject Access Request is a step individuals can take to exercise their key right of access under the GDPR. Data subjects can send a written request and ask for the following info

🔍 Learn more about how to handle DSAR here.

Honor Data Subject Rights

Honoring all Data Subject Requests (DSRs), including DSARs, requires a robust and organized approach. Start by ensuring clear internal procedures for identifying, tracking, and responding to requests. Here’s a practical roadmap:

  1. Establish a DSR Process: Implement processes to handle DSRs, from initial receipt to fulfillment. Consider creating a dedicated team or assigning specific roles for managing these requests.
  2. Verify the Requester: Ensure the identity of the individual making the request is verified to prevent unauthorized data access or misuse.
  3. Respond Within Legal Timelines: Respond to all DSRs promptly, providing the required information or taking action within one month, with extensions only when necessary and justified.
  4. Maintain Transparency: Clearly communicate the actions taken in response to a DSR, especially in cases of denial or partial fulfillment, providing the rationale and informing the individual of their right to appeal.

Needless to say, you should:

✅ Take these rights seriously and have appropriate technical and organizational measures in place to respect them;
✅ Oversee the training of your staff (if any) on data protection matters and handling data subject requests;
✅ Make sure your privacy documents are complete and up-to-date!

Failure to honor these rights can result in fines and reputational damage.

Honoring data subject rights is just one part of GDPR compliance.

🚀 Here are 5 things you need to do now to comply with the GDPR
