Data Subject Rights Under the GDPR
Access, rectification, erasure, data portability, and other data subject rights under the GDPR — what they mean and how controllers must respond.
The GDPR reinforces the position of data subjects by establishing a comprehensive catalogue of individual rights. Controllers are required to facilitate the exercise of these rights and to respond to requests within one month (Article 12(3) GDPR).
Access and Information Rights
The right of access under Article 15 GDPR entitles data subjects to know whether a controller is processing personal data concerning them. If so, they have the right to a copy of that data and to extensive information, including the purposes of processing, recipients, the envisaged period of retention, the right to rectification or erasure, and information about the source of the data.
Under Article 16 GDPR, data subjects have the right to obtain without undue delay the rectification of inaccurate personal data. They may also request the completion of incomplete personal data. This right is of considerable practical importance since accuracy is one of the data protection principles under Article 5 GDPR.
Right to Erasure and Rectification
The right to erasure — also known as the 'right to be forgotten' — is set out in Article 17 GDPR. Data subjects may request erasure where the data is no longer necessary for the original purpose, consent has been withdrawn, the data has been processed unlawfully, or a legal obligation to erase exists. The right is not absolute, however: it does not apply where processing is necessary for exercising the right of freedom of expression, for compliance with a legal obligation, or for archiving purposes.
Article 18 GDPR grants the right to restriction of processing where the accuracy of the data is contested, where processing is unlawful but the data subject opposes erasure, or where the data is needed for the establishment of legal claims.
Data Portability and Right to Object
The right to data portability under Article 20 GDPR allows data subjects to receive their data in a structured, commonly used, machine-readable format and to transmit it to another controller. It applies only to data processed by automated means on the basis of consent or a contract.
Finally, Article 21 GDPR confers a general right to object to processing based on Article 6(1)(e) or (f), and an unconditional right to object to direct marketing. Where a data subject exercises the right to object to direct marketing, the controller must cease processing for that purpose without delay.