What is GDPR?
GDPR, or the General Data Protection Regulation of the EU, came into effect on the 25th of May 2018. The GDPR is a regulation that allows individuals to exercise control over their personal data. GDPR requirements enshrine the rights of the data subject, which allow data subjects or individuals to control who collects their data, how it is used, and for how long.
The GDPR gives data subjects eight fundamental rights. These GDPR rights of the data subject are listed in Chapter 3 from Article 12 to Article 23. At this point, it is important to understand who is a data subject. Any natural person whose personal data is processed by a processor or controller as per Article 3 of GDPR is referred to as a data subject.
What are the 8 GDPR Data Subject Rights?
The eight rights of individuals under GDPR are listed below. Along with these eight rights, the data subject can also withdraw consent. This right allows the data subject to withdraw the consent they have given earlier to process their data.
The GDPR data subject rights list is given below with a brief note on each of the rights.
1) Right to be informed
This particular right ensures data subjects know the following:
- Who is collecting data about them?
- What personal data the organization is collecting and why?
- With whom would the data be shared?
- How long the data would be kept?
- Who to contact in case of complaints?
GDPR compliance for this right relates to personal data. Personal data is any information that identifies an individual, such as name, address, location data, etc.
2) Right to access
Data subjects are empowered to know whether an organization is processing their personal data. They can submit a data subject rights request, and the organization then has to respond. The organization would then need to provide the following:
- A copy of the data subject’s personal data.
- Details of the data being processed (e.g., which categories).
- Reason for which the organization is processing data.
- Details of who the organization is sharing the data with.
- The retention period of the data.
- Sources from where the organization got the data.
- Whether the organization is carrying out automated decision-making.
- Information on the data subject’s GDPR rights.
3) Right to rectify
This right makes it obligatory for organizations to rectify data related to individuals if they ask for it. A data subject can ask the organization to rectify their data, which may be incomplete or inaccurate.
In such a situation, the organization must respond within a month. This is a key right for the individual. For the organization, there are challenges involved since updating data can have many ramifications.
4) Right to erasure or be forgotten
This right gives the data subject the right to ask the organization to delete their data. An individual can make such a GDPR data subject rights request under any of the following circumstances:
- When the individual withdraws their consent for use of the data.
- Personal data is not necessary.
- The processing of personal data is not as per law.
- There is an objection by the data subject and there is no reason for the data controller to continue with the processing.
- EU or national laws call for such deletion.
A key aspect here is that the organization must notify third parties and ask them to erase the data.
5) Right to restrict data processing
Data subjects can ask organizations to restrict the way they process personal data. It is applicable when:
- The data is not accurate.
- Processing is not lawful and the data subject does not ask for erasure but for restricting processing.
- The organization does not need the data; however, the data subject requires the data to be retained.
Once it is decided to restrict the data, the organization cannot further process the data without the data subject’s consent.
6) Right to portability of data
This right allows the data subject to port their data from one organization to another. It also allows them to get their own data in a format that is commonly used. The individual can make such a request even for data about the data subject’s behavior (e.g., search history, website history, etc.).
7) Right to object to data processing
A data subject is empowered to oppose processing of personal data. They can object to the personal data’s processing for direct marketing purposes. The organization’s response depends on the purpose of processing and whether they are doing it lawfully.
8) Rights related to automated decision-making
When the data subject’s personal data is processed through automation, they can ask for it to be stopped. Such automated processing can be done for profiling, where the subject’s behavior is analyzed or predicted. If the processing has to be done contractually or the law permits it, the organization can continue with it. Otherwise, it needs to comply with the data subject’s request.