The GDPR introduced eleven rights for data subjects with the goal of protecting individuals’ fundamental freedoms while ensuring the free movement of data. In this article, we will cover each of them in detail, including what these rights mean for data subjects and the obligations they place on data controllers.

Right to be Informed

Individuals have the right to be informed about the collection and use of their personal data.

When collecting personal data – whether it’s directly from the data subject, or indirectly through third parties – controllers must clearly inform the data subject of:

  1. Who is responsible for the data.
  2. How to contact them.
  3. Why and on what legal basis the data are processed.
  4. Who receives the data, including any international transfers.
  5. How long the data are kept.
  6. The individual’s data privacy rights.
  7. How to make a complaint.
  8. Whether providing data is an obligation and the impact of not providing their personal data.
  9. Whether they use personal data for automated decision-making and, if so, the logic involved and how they protect the rights of data subjects where automated decision-making occurs.

If any data is re-used for new purposes, the data subject must be notified before or at the time of processing, unless they already have this information.

Right of Access

Data subjects have the right to confirm whether their personal data are being processed and to access those data, and other supplementary data.

Controllers must provide information on processing purposes, data categories, recipients, retention periods, rights to correction or deletion, complaint options, data sources, and any automated decision-making. Controllers must supply a free copy of the data, with reasonable fees for additional copies, provided electronically where requested, without infringing others’ rights.

Right to Rectification

Data subjects have the right to correct inaccurate personal data concerning them, or complete any incomplete data concerning them without undue delay.

Right to Erasure

Data subjects have the right to request deletion of their personal data without delay when the data are no longer needed, consent is withdrawn, processing is unlawful, legal obligations require erasure, or valid objections are made. Controllers must also take reasonable steps to remove publicly shared data. This right does not apply where processing is necessary for freedom of expression, legal duties, public interest tasks, public health, research, archiving, or legal claims.

Right to Restrict Processing

Data subjects have the right to request restricted processing when data accuracy is disputed, processing is unlawful but erasure is opposed, the data are needed for legal claims, or an objection is under review. While restricted, data may only be stored or used with consent, for legal purposes, rights protection, or public interest. Controllers must notify individuals before lifting restrictions.

Right to Data Portability

Data subjects have the right to receive their personal data in a structured, commonly used, machine-readable format and to transfer it to another controller when processing is based on consent or contract and carried out automatically. Where feasible, data may be transferred directly between controllers. This right does not apply to public interest tasks and must not infringe on the rights of others.

Right to Object

Data subjects have the right to object at any time to processing of their data that is based on public interest or legitimate interests, including profiling, unless controllers show overriding legitimate grounds or legal necessity. They may always object to direct marketing, after which processing must stop. This right must be clearly communicated. Objections can be exercised electronically. Individuals may also object to research or statistical processing unless it serves the public interest.

Right Not to Be Subject to a Decision Based Solely on Automated Processing

Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that significantly affect them. Exceptions apply where decisions are necessary for a contract, authorized by law, or based on explicit consent. In these cases, controllers must implement processes to protect the rights of their data subjects, including human review and the right to challenge decisions. Automated decisions cannot rely on sensitive personal data unless specific legal conditions and protections apply.

Right to Lodge a Complaint

Data subjects have the right to file a complaint with a supervisory authority if they believe their data rights have been infringed. If a complaint is lodged, the supervisory authority must inform the complainant of the progress and outcome of the complaint, including how to seek court intervention if they are dissatisfied with the authority’s formal actions or if the authority fails to fulfill its procedural duties.

Right to an Effective Judicial Remedy

Data subjects have the right to seek a court remedy if they are dissatisfied with the authority’s formal actions with regard to a complaint, or if the authority fails to fulfill its procedural duties.

Right to Compensation

Data subjects have the right to compensation from responsible controllers or processors if they suffer material or non-material damage from GDPR infringements. Controllers are liable unless they can prove the infringement was due to a processor breaching their data processing agreement or acting unlawfully. Liability may be avoided if responsibility is disproved. Where multiple parties are involved, each may be held fully liable to ensure compensation, with the right to recover costs from others according to fault. Claims must be brought before the competent national courts.