Which rights do individuals have under the GDPR?
The GDPR provides the following rights to data subjects, i.e. individuals whose data is processed:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure (right to be forgotten)
- Right to restriction of processing
- Right to data portability
- Right to object
- Right not to be subject to a decision based solely on automated processing
Please note that some of these rights do not apply in all situations; see the table of data subject rights for each legal basis for more information.
The data controller is under an obligation to respond to requests of data subjects who exercise their rights and must facilitate the exercise of these rights. The data processor must assist the data controller in this task.
Checklist of what to do concerning data subject rights:
- Be prepared: Develop systems and procedures to respond to data subject rights requests and train your staff to integrate data subject rights requests into your internal workflows.
- Facilitate the exercise of rights: Make it easy for data subjects to know what their rights are and how to contact you to exercise them.
- Know your data flows: Keep your register up to date to rapidly identify the data you process and to locate and retrieve information efficiently.
- Be transparent: Always inform data subjects in a clear and understandable way about the personal data you process, prior to the processing (for instance in your privacy policy) and during the processing (for instance when complying with a data subject access request).
- Answer within 1 month: Always answer a data subject request within one month. If you need additional time to answer, or if you cannot comply with the request, inform the data subject of this within the one-month period.
- Pass it on: When you receive a request concerning personal data you have transferred to other recipients, do not forget, if need be, to inform the recipients of the result of the request.
- Document: Keep track of requests from data subjects and record your answers; also keep track of your reasoning when you do not reply to a request.
How to handle data subject rights requests
Transparency is key in data protection in general and, of course, in the context of data subject’s rights.
The data controller must:
- communicate with data subjects in a clear and understandable language (this is particularly important in cases when an organisation is addressing children); and
- facilitate the exercise of these rights, in particular via electronic means. For example, you can provide an online form on your website which data subjects can use to easily exercise their data protection rights.
Respond in writing
The general rule is that an organisation should respond to an individual’s access request in the same way the request was made, or in the way in which the data subject specifically asked for a response. Preferably, you should answer in writing, including where appropriate by electronic means. A reply to a data subject rights request could be given orally, but that is not advised, as you have to be able to prove that you have answered the request.
Respond within one month
The GDPR specifies in how much time a data controller must respond to a request, and in what cases it can charge fees.
When data subjects exercise one of their rights, the controller must respond within one month. If the request is too complex and more time is needed to answer, then your organisation may extend the time limit by two further months, provided that the data subject is informed within one month after receiving the request. If your organisation can prove that the request is manifestly unfounded or excessive, in particular because of its repetitive character, you may either charge a reasonable fee or refuse to grant the request.
If your organisation has reasonable doubts about the identity of the person making the request (for instance, the request is made from a different email address than the one usually used by your customer, or it is made outside of an authenticated customer account), you may request additional information to confirm the identity of the data subject before answering.
If you do not intend to comply with the data subject’s specific request, you must inform the data subject within one month of receiving the request of the reasons why you will not grant the request (e.g. why you are not erasing the requested data). In addition, you must inform the data subjects of the possibility of lodging a complaint with their national data protection authority and seeking a judicial remedy.
Do not charge a fee
Your organisation cannot claim any payment from a data subject asking to exercise one of their rights. You may, however, charge a fee if the data subject’s request is manifestly unfounded or excessive, in particular because of its repetitive character. The calculation of the fee must take into account the administrative cost of responding to the request for your organisation. As explained above, it is also possible to refuse to act on a request that is manifestly unfounded or excessive. In such a situation, you must be able to demonstrate that this is the case.
In practice
- A data subject lodges access requests every two months with the carpenter that manufactured their table. The carpenter answered the first request completely. As the carpenter does not process personal data as part of its core activity and did not provide more than one service to the data subject, it is unlikely that changes occurred in the dataset concerning the data subject. The data subject has clarified that the new request concerns the same information as the last request. Consequently, this request may be regarded as excessive due to its repetitive character.
- If the carpenter decides to provide the personal data to the data subject but against a fee, it is advisable to inform them of this in advance, thus giving them a chance to withdraw the request to avoid being charged. Alternatively, the carpenter can inform the data subject of the reasons why they will not reply to this request, as well as of the possibility to lodge a complaint with a data protection authority and seek a judicial remedy.
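As an added illustration (not part of this guidance), the following Python intake logic encodes the rules described above: the one-month response deadline with the optional two-month extension, the identity check when a request arrives from an unfamiliar address or outside an authenticated account, and the repetitive-request test from the carpenter scenario. The customer and request fields, and the sample dates, are assumptions constructed for the example.

```python
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import date

# Illustrative intake model (assumed field names, not from the guidance).
@dataclass(frozen=True)
class Customer:
    email: str              # address normally used by this customer
    last_data_change: date  # last time the data held on them changed

@dataclass(frozen=True)
class Request:
    received: date
    right: str              # e.g. "access", "erasure"
    email: str              # address the request came from
    authenticated: bool     # sent from within the authenticated account?
    scope: str = "all"      # which information the request concerns

def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of a short month."""
    idx = d.month - 1 + n
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)

def response_deadline(received: date, extended: bool = False) -> date:
    """One month to answer; a complex request may be extended by two further months."""
    return add_months(received, 3 if extended else 1)

def extension_notice_deadline(received: date) -> date:
    """An extension, or a refusal with reasons, must be communicated within the first month."""
    return add_months(received, 1)

def needs_identity_verification(req: Request, customer: Customer) -> bool:
    """Reasonable doubt: unauthenticated channel or an address the customer does not usually use."""
    return not req.authenticated or req.email.lower() != customer.email.lower()

def is_repetitive(req: Request, history: list[tuple[Request, bool]], customer: Customer) -> bool:
    """Excessive by repetition: an earlier request with the same right and scope was
    answered completely, and nothing in the dataset has changed since it was received."""
    for prev, answered_completely in history:
        if (answered_completely and prev.right == req.right
                and prev.scope == req.scope
                and customer.last_data_change <= prev.received):
            return True
    return False

def assess(req: Request, customer: Customer, history: list[tuple[Request, bool]]) -> dict:
    """Summarise what the controller must do, and by when, for one request."""
    return {
        "deadline": response_deadline(req.received),
        "extension_notice_by": extension_notice_deadline(req.received),
        "verify_identity_first": needs_identity_verification(req, customer),
        "may_charge_fee_or_refuse": is_repetitive(req, history, customer),
    }

# Constructed sample reproducing the carpenter scenario from the text.
CARPENTER_CUSTOMER = Customer(email="anna@example.org", last_data_change=date(2024, 1, 5))
FIRST_REQUEST = Request(date(2024, 2, 1), "access", "anna@example.org", True)
SECOND_REQUEST = Request(date(2024, 4, 1), "access", "anna@example.org", True)
HISTORY = [(FIRST_REQUEST, True)]  # first request was answered completely

if __name__ == "__main__":
    print(assess(SECOND_REQUEST, CARPENTER_CUSTOMER, HISTORY))
```

A flagged request still needs a human decision and a written reply within the first month; the function only tells the handler which of the options in the text are open.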
Right to be informed
The right to be informed allows people to understand what will be done with their data, and, consequently, to make informed decisions and have more control over their personal data. All data subjects have the right to receive information when you process their data.
As an organisation acting as controller you have an obligation to inform the data subjects.
Which information?
The information to be provided differs depending on whether you have collected the personal data directly from the data subject (direct collection, organised by Art. 13 GDPR) or whether you have obtained it from another source (indirect collection, organised by Art. 14 GDPR). The following tables provide an overview of the information you must provide to the data subject:
In addition, the GDPR requires your organisation to provide the following information to ensure fair and transparent processing:
Your organisation must again provide the information in this second table in case of further processing for a new compatible purpose which differs from the original purpose. This information must be provided prior to that further processing. In this case, you must also provide the data subject with an explanation as to how the new and former purposes are compatible with each other.
When should the information be provided?
If your organisation is collecting the personal data directly from the data subject, it must provide the necessary information at the time of collection.
In case of indirect collection of personal data, your organisation must provide the information at the latest within one month after the personal data has been initially obtained. This maximum period of one month is reduced:
- if the personal data is used for the purpose of communication with the data subject. In that case, you must inform the data subject at the latest at the time of the first communication to the data subject;
- if the data is transmitted to another recipient. In that case, you must inform the data subject at the latest when the personal data is transferred.
In no circumstances can the maximum period of one month be extended.
In case of any subsequent changes to the processing (e.g. new recipients, compatible purpose, transfer outside the EEA, etc.), your organisation must inform the data subject in any case before the change takes effect and you should do so well in advance. The more substantial the change, the earlier your organisation should inform the data subject so that the latter has a reasonable time to appreciate the impact of this, and exercise their rights.
When is your organisation not obliged to communicate information?
Your organisation is not required to inform the data subject if this person has already received the necessary information.
In the case of indirect collection of personal data, additional exceptions apply. In this case, providing information is not necessary if:
- the provision of such information proves impossible or would require disproportionate efforts. The bar for this exception is, however, set very high, which implies that a controller can only invoke this criterion exceptionally;
- the obtaining or disclosure of data is expressly provided for by law;
- the personal data must be kept confidential based on a legal obligation of professional secrecy.
In practice
- In some EU countries, the national legislation may oblige the tax authorities to request certain information about employees from the employers. The tax authorities do not have to inform the employee in such a case. However, as part of its duty to inform, the employer will inform the employee that the tax authorities are one of the recipients of the personal data.
How should the information be provided to the data subject?
A good way of providing information is to work with different layers of information. This avoids providing an excessive amount of information at one time, which may be detrimental to transparency and overwhelm the data subject. The use of a layered approach follows both the requirement for conciseness and the requirement to provide all necessary information. This not only simplifies the task of the controller but also allows the data subject to grasp the essential information quickly and efficiently. The presentation of the information could be as follows:
- A first layer of basic information
  - WHAT? The organisation provides a summary of the basic information that the data subject needs to assess the impact and scope of the processing (i.e. identity of the controller, the purposes of processing, categories of recipients, source of data, data subject rights, ...).
  - HOW? For instance in a table format, in a clearly visible place with the title «Basic data protection information» or via pop-ups that provide explanations when personal data is collected. If the processing is based on consent, it is preferable to mention this information at the place where the data subject has to give consent (near the “consent” button).
- A second layer of additional and more detailed information
  - WHAT? This part presents in an understandable and comprehensive way the remaining information that the organisation is required to provide under Art. 13 and 14 GDPR.
  - HOW? Additional information can be provided in several ways, for instance by means of hyperlinks included in the basic information, or by downloading a document. The provision of this additional information should strike a balance between conciseness on the one hand and completeness and accuracy on the other. The information should be structured in such a way that it is easily readable. Do not forget to adapt the information to the target group (for instance: if your service targets children, write the information in a way that they can understand).
Right of access
By exercising their right of access, data subjects can verify the lawfulness of each processing activity that concerns them.
When they are exercising their right of access, data subjects should get a confirmation from the controller as to whether or not their personal data is being processed. If this is the case, data subjects have access to their personal data and the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients (or categories of recipients) of the personal data;
- the retention period for the personal data, or the criteria used to determine that period;
- the existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the existence of the right to lodge a complaint with a data protection authority;
- the source of the data (when the personal data is not directly collected from the data subject);
- the existence of automated decision-making, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
- when personal data is transferred out of the European Union, all the appropriate safeguards put in place (pursuant to Art. 46 GDPR relating to data transfers).
Moreover, the person has a right to receive (free of charge) a copy of the personal data related to them that your organisation is processing. If the person asks for additional copies, your organisation could decide to charge a reasonable fee which is calculated on the basis of the administrative cost of making copies. Note that in most cases, individuals cannot be required to pay a fee to access their personal information.
Where a request is made electronically, your organisation should provide the required information in a commonly used electronic format, unless the individual requests otherwise.
Important to note
Before you provide a copy of the personal data, you must check that doing so will not affect the rights and freedoms of others (e.g. if information relating to more than one person is processed in the same file, or information relating to trade secrets and intellectual property).
Right to rectification
The data subject has the right to ask and obtain from the data controller the correction of inaccurate data and the completion of incomplete data. If your organisation has passed on the personal data to third parties, you must inform them of the rectification, unless this proves impossible or requires disproportionate efforts.
In practice
- A customer informs your organisation that they have moved to another city. You are required to change their address in your customer database.
Right to erasure (right to be forgotten)
A data subject may request that an organisation erases personal data concerning them in the following situations:
- the personal data is no longer necessary for the purpose for which it was collected
- the organisation processes the personal data unlawfully
- the organisation has to erase the personal data due to a legal obligation
- the data subject withdraws consent and the processing has no other legal basis
- the data subject has successfully exercised the right to object
- minors who have given their consent to use an online service can always request the erasure of such personal data (regardless of their current age)
When the personal data that is to be erased was previously transferred to other organisations, you must inform these recipients that the data subject has requested erasure, unless this proves impossible or would require disproportionate efforts.
When your organisation is required to erase personal data that it made public, it must take all reasonable steps to inform other controllers which are processing this data that the data subject has requested erasure of any links to, or copy or replication of, those personal data.
Your organisation can only refuse to erase personal data in a limited number of cases, such as:
- the exercise of the right to freedom of expression and information;
- the establishment, exercise or defence of legal claims;
- compliance with a legal obligation to which the organisation is subject or the performance of a task in the public interest or in the exercise of official authority entrusted to the organisation;
- reasons of public interest in the area of public health;
- archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (under specific conditions).
In practice
- An employee from your organisation has been laid off. The employee requests that his personal data be deleted from his personnel file. However, labour law requires you to keep several HR documents (register of staff members, copies of salary statements, etc.) for a certain period of time. For these documents, you must refuse the request to delete the data.
- A former customer no longer wishes to receive marketing emails from your organisation and requests that you erase their contact details. As there are no compelling reasons for you to continue processing the contact details, you must erase them.
Right to restriction of the processing
In certain circumstances, the data subjects may request a restriction of the processing of their data. As a result, your organisation may still retain the personal data, but must cease all other processing activities.
The data subject has the right to obtain the restriction of the data processing when:
- the data subject disputes the accuracy of the personal data;
- the processing is unlawful: rather than erasure of the data, the data subject may request the restriction of the use of the personal data instead;
- the organisation no longer needs the personal data but the data is still necessary for the data subject to exercise a legal claim;
- the data subject has exercised the right to object. The restriction applies for the time necessary to verify whether the legitimate reasons pursued by the organisation prevail over those of the data subject.
If the data subject successfully exercises their right to restriction of the processing, your organisation can only use the data in certain specific circumstances, for example with the consent of the data subject or for the defence of legal claims. Have you previously passed on the ‘restricted’ data to other recipients? You must then inform these recipients of the restriction of processing, unless this proves impossible or requires disproportionate efforts.
Before lifting the restriction, make sure to inform the data subject of your intention to do so.
Right to data portability
The right to data portability allows data subjects to obtain their personal data in a structured, commonly used and machine-readable format. This way they can easily reuse the data and, if they wish to do so, transmit their data to a different data controller. The right to data portability can only be exercised if these three conditions are met at the same time:
- the processing is based on consent or a contract;
- the processing is automated (i.e. no paper documents);
- and the data subjects have provided the data themselves. This also includes any data that your organisation has observed based on the data subject’s behaviour (e.g. with connected accessories).
Therefore, this right does not cover data that the organisation itself creates (derives) on the basis of the above-mentioned data.
More concretely, data subjects have the right:
- to obtain their personal data in a structured, commonly used and machine-readable format. The format must allow the data subject to reuse the personal data for another service.
  Example: XML, JSON and CSV are common formats that meet this criterion. Metadata must also be provided so that the data can be used on another platform. A PDF format is not sufficient.
- to have their personal data directly transferred to another data controller. Your organisation should only do so if such a direct transfer is technically possible.
In practice
- Your organisation provides online music streaming services. Your customers can request the transfer of their song lists to another music streaming service.
- You are an SME that offers a webmail service. If your customer who has an email account for purely personal or household needs requests it, you must transfer his address list and his emails to another webmail service provided that this is technically feasible. If this is not possible, you have to provide the address list and emails to the customer in a reusable digital format.
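As an added example (not part of this guidance), the following Python code builds a portability export for the music streaming scenario above: it keeps only data the subject provided or that was observed from their use, processed on the basis of consent or a contract, leaves out data the organisation derived itself, and attaches field-level metadata in JSON so the data can be used on another platform. The schema, provenance labels and sample record are constructed assumptions.

```python
import json
from dataclasses import dataclass
from datetime import date

# Provenance of a field, following the scope rules in the text (assumed labels).
PROVIDED = "provided"   # supplied by the data subject (account form, uploads)
OBSERVED = "observed"   # observed from the data subject's use of the service
DERIVED = "derived"     # created by the organisation from the above: out of scope
PORTABLE_BASES = {"consent", "contract"}

@dataclass(frozen=True)
class Field:
    name: str
    provenance: str
    legal_basis: str
    description: str    # metadata so the data can be reused elsewhere
    unit: str = ""

# Constructed schema for the music streaming scenario.
SCHEMA = [
    Field("email", PROVIDED, "contract", "Account e-mail address"),
    Field("playlists", PROVIDED, "contract", "Playlists created by the user; lists of track ids"),
    Field("listening_history", OBSERVED, "contract", "Tracks played, with timestamps", "ISO 8601"),
    Field("taste_profile_score", DERIVED, "legitimate_interest", "Inferred genre affinity, 0..1"),
    Field("fraud_flags", OBSERVED, "legitimate_interest", "Internal abuse indicators"),
]

def portable_fields(schema):
    """Only data provided by or observed from the subject, processed on consent or contract."""
    return [f for f in schema
            if f.provenance in (PROVIDED, OBSERVED) and f.legal_basis in PORTABLE_BASES]

def build_export(schema, record, subject_id, exported_on=None):
    """Structured export with field-level metadata; derived data is left out."""
    fields = portable_fields(schema)
    exported_on = exported_on or date.today()
    return {
        "metadata": {
            "subject_id": subject_id,
            "exported_on": exported_on.isoformat(),
            "format": "JSON, UTF-8",
            "fields": {f.name: {"provenance": f.provenance, "description": f.description,
                                "unit": f.unit} for f in fields},
        },
        "data": {f.name: record[f.name] for f in fields if f.name in record},
    }

def export_json(schema, record, subject_id, exported_on=None):
    """Serialise the export in a commonly used, machine-readable form."""
    return json.dumps(build_export(schema, record, subject_id, exported_on),
                      indent=2, ensure_ascii=False, sort_keys=True)

# Constructed sample record for one customer.
SAMPLE_RECORD = {
    "email": "anna@example.org",
    "playlists": [{"name": "Morning", "tracks": ["t-1", "t-2"]}],
    "listening_history": [{"track": "t-1", "played_at": "2024-03-01T08:15:00Z"}],
    "taste_profile_score": {"jazz": 0.8},
    "fraud_flags": [],
}

if __name__ == "__main__":
    print(export_json(SCHEMA, SAMPLE_RECORD, "cust-42", date(2024, 4, 1)))
```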
Right to object
Data subjects may object to the processing of personal data concerning them «on grounds relating to their particular situation». The right to object can only be exercised if the processing is based on one of the following legal bases:
- the legitimate interest of the organisation or of a third party; or
- the performance of a task carried out in the public interest or in the exercise of official authority.
In other situations, the data subject cannot use the right to object because, for the other legal bases, there are alternatives to achieve the same purpose: in case of consent, the data subject can simply withdraw consent. The data subject cannot object to a processing imposed by law.
When data subjects exercise their right to object, your organisation needs to balance the interests of both parties. It shall cease all processing of this personal data unless it can show compelling legitimate reasons that override the rights and freedoms of the data subject (e.g. it is pursuing a legal action). Your organisation must document and communicate these reasons to the data subject.
Important to note
When the data is processed for marketing purposes, the data subject has a right to object to this processing without providing any reasons. In this case, the reasons why your organisation is processing this data are not relevant; instead, the objection must lead to the immediate end of the processing for this purpose.
In practice
- You are a small event marketing company. When a person buys a ticket for a band’s concert online, they receive advertisements for other similar concerts. If the person wishes to stop receiving these advertisements and objects, the organisation must stop the direct marketing.
- You are an SME active in the insurance industry. In this industry, personal data is required in certain situations to combat money laundering practices. You may, as an insurance broker, refuse to follow up on a right to object because your national anti-money laundering laws oblige you to process the data.
Right not to be subject to a decision based solely on automated processing
A person has a right not to be subject to a fully automated decision (i.e. without any human intervention in the decision-making process) that has legal effects or significantly affects the person in question.
Automated decision-making often goes hand in hand with profiling, which is defined in the GDPR as «any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements» (Art. 4(4) GDPR).
For this right to apply, the automated processing must entail:
- a decision that is based exclusively on automated processing, without human intervention. This means that no natural person has any significant control over the decision, i.e. nobody can, for example, change or reverse the decision;
- a decision which has legal effects for the data subjects or which significantly affects them.
In practice
- An example of legal effects could be the automatic termination of a telephony contract because the customer has not paid the monthly bill.
- A decision that significantly affects the person could be found in the following examples (though of course context must always be taken into account when evaluating if the impact on the data subject is significant):
  - decisions that affect people’s financial circumstances, such as their eligibility to withdraw credit;
  - automatic refusal of applicants who apply via an online platform;
  - price differentiation based on a consumer’s browsing history and purchasing habits;
  - decisions that affect someone’s access to education, for example university admissions.
There are three situations in which an automated individual decision can still be made:
- if it is allowed by law (e.g. prevention of fraud or tax evasion);
- if the decision is based on the explicit consent of the data subject; or
- if it is necessary for the conclusion or performance of a contract. However, be aware that in this last situation, it always depends on a case-by-case assessment. As soon as less privacy-invasive methods exist to conclude or execute the contract, the automated decision is no longer deemed ‘necessary’.
If sensitive data is involved, the automated decision-making is only possible on the basis of explicit consent or a substantial public interest under Union or national law.
Data subject rights for each legal basis