In addition to outlining requirements that organizations must meet, GDPR also sets out eight fundamental rights of individuals whose personal data is being processed, and organizations must honor these rights.
These rights are designed to give individuals more autonomy over their personal data and how it’s used.
If an organization violates these rights, it is subject to the higher tier of GDPR fines and penalties, which could be up to €20 million or 4% of the previous financial year’s worldwide annual revenue.
Below we’ll cover each of the most fundamental data subject rights of GDPR so you can better comply.
GDPR Data Subject Rights
Data subjects have certain rights under GDPR that organizations must honor to comply with the regulation. These include the following:
1. The right to be informed
Anyone whose personal data is collected has the right to know what that data includes, why it’s being processed, how long it will be retained, and if and with whom it is shared.
Organizations must clearly explain how they process personal data and for what purpose. They must also make it easy for people to opt out and/or request that their data be erased, and respond to those requests in a timely manner.
When collecting data from a data subject, organizations must also explain how and why it is being collected, even if the data is being transferred to a third party.
2. The right of access
Anyone whose personal data is collected has the right to contact the organization and request a copy of the data it holds on them.
3. The right of rectification
Data subjects have the right to check the accuracy of personal data that’s being processed and correct it if it is inaccurate or incomplete.
4. The right to erasure
Data subjects can request that an organization delete any of their personal information being processed or stored (with a few exceptions), and organizations have to make it easy for them to make these erasure requests.
5. The right to restrict processing
In addition to requesting their information be erased, data subjects can request that an organization change how it processes that information if they have reason to believe the data is inaccurate, being used illegally, or no longer needed for the stated purpose.
6. The right to data portability
Organizations must store personal data in a way that can be easily shared with others in the event a data subject requests it. For example, a data subject may want to download their profile information from Facebook to use it on Pinterest.
7. The right to object
Data subjects can object to an organization processing their personal data and demand they stop. They may do this if the organization is processing their data in order to mail them marketing materials, for example, or for another reason they object to.
Organizations must honor that objection unless they can prove that they have a legitimate basis for processing the data subject’s personal data.
8. The right to object to automated processing
Anyone whose personal data is collected has the right to object to automated decisions being made with their data, like the use of targeted advertisements.