In addition to outlining requirements that organizations must meet, GDPR also outlines eight fundamental rights of individuals whose personal data is being processed that organizations must honor.
These rights are designed to give individuals more autonomy over their personal data and how it’s used.
If an organization violates these rights, then they are subject to the higher tier of GDPR fines and penalties, which could be up to €20 million, or 4% of the previous financial year’s worldwide annual revenue.
Below we’ll cover each of the most fundamental data subject rights of GDPR so you can better comply.
GDPR Data Subject Rights
Data subjects have certain rights under GDPR that organizations must honor to comply with the regulation. These include the following:
1. The right to be informed
Anyone whose personal data is collected has the right to know what that data includes, why it’s being processed, how long it will be retained, and if and with whom it is shared.
Organizations must clearly explain how they process personal data and for what purpose. They must also make it easy for people to opt-out and/or request their data be erased and respond to those requests in a timely manner.
When collecting data from a data subject, they must also explain how and why it is being collected, even if data is being transferred to a third party.
2. The right of access
Anyone whose personal data is collected has the right to contact the organization to request a copy of the data they hold on them.
3. The right of rectification
Data subjects have the right to check the accuracy of personal data that’s being processed and correct it if it is inaccurate or incomplete.
4. The right to erasure
Data subjects can request that an organization delete any of their personal information being processed or stored (with a few exceptions), and organizations have to make it easy for them to make these erasure requests.
5. The right to restrict processing
In addition to requesting their information be erased, data subjects can request that an organization change how it processes that information if they have reason to believe the data is inaccurate, being used illegally, or no longer needed for the stated purpose.
6. The right to data portability
Organizations must store personal data in a way that can be easily shared with others in the event a data subject requests it. For example, a data subject may want to download their profile information from Facebook to use it on Pinterest.
7. The right to object
Data subjects can object to an organization processing their personal data and demand they stop. They may do this if the organization is processing their data in order to mail them marketing materials, for example, or for another reason they object to.
Organizations must honor that objection unless they can prove that they have a legitimate basis for processing their personal data.
8. The right to object to automated processing
Anyone whose personal data is collected has the right to object to automated decisions being made with their data, like the use of targeted advertisements.
FAQs
What are the 8 privacy rights of data subjects?
The 8 privacy rights of data subjects under GDPR are:
- The right to be informed
- The right of access
- The right of rectification.
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right to object to automated processing
What is a GDPR data subject?
A GDPR data subject refers to any individual who resides in the EU and can be identified, directly or indirectly, via identifiers such as a name, date of birth, phone number, customer number, IP address, telephone number, credit card number, or location or biometric data.
What is data subject consent under GDPR?
Under GDPR, organizations are required to obtain explicit consent from data subjects. Article 4(11) defines consent as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
