The General Data Protection Regulation (GDPR) protects individual users’ data privacy across the European Union member states. As an organization in the process of becoming GDPR compliant or maintaining your compliance stature, your GDPR framework must be designed to protect these eight GDPR Data Subject Rights.
What is a Data Subject?
Data Subject refers to an individual user who shares information with Controllers.
What are GDPR Data Subject Rights?
GDPR Data Subject Rights are provisions made by the GDPR law to allow a degree of control to the user to decide how their personal data is processed.
Here are the 8 GDPR data subject rights:
1) Right to be Informed:
Article 12 GDPR, Article 13 GDPR, and Article 14 GDPR focus on the data subject’s right to be informed about the data collection process.
As an organization collecting data, you must ensure that the user, when consenting for data collection, is informed about:
- The types of information you would be collecting
- How you intend to use it
- The duration for which it will be used
- The GDPR rights they are entitled to
2) Right of Access.
The GDPR Right of Access is extensively spoken about in Article 15 GDPR. Accordingly, any individual has the right to submit a Data Access Request. The Right to Access allows them to get a copy of their personal data from the Controller.
Once an individual processes a Data Access Request, you must share all the information you hold about them. This includes:
- The source of data collection
- The categories of data you process
- A list of entities/individuals their data is shared with
- Information on automated decision-making (if applicable)
- Information on the rights (the Eight Data Subjects Rights)
3) Right to Rectification
The Right to Rectification empowers the Data Subject to ask the Controller (your organization) to make rectifications to their personal data if they find the data to be incorrect. In instances where the rectifications are deemed valid, the organization has up to 30 days to make the changes.
Though this could look like a minor activity, changes in data sets can have widespread implications across the organization’s processing activities.
4) Right to be Forgotten
Commonly known as the Right to Erasure, this is a right that allows the Data Subject to ask the Controller to erase their information from the Controller’s database. Any individual can exercise this right if:
- Their personal data is no longer required for the Controller’s data processing activities
- The individual withdraws their consent
- Unlawful data processing
- The individual doesn’t want to cooperate with the Controller about their data being processed.
- There is a legal obligation that calls for data erasure.
An organization can decline these requests if a legal law mandates them not to delete their data.
It is also essential to know that when a Controller receives such requests, they must notify every entity they’ve shared the individual’s data with to erase it from their records.
This process becomes cumbersome when multiple third parties are involved in the Data Processing process.
5) Right to Restrict Processing
The Right to Restrict Processing empowers the Data Subjects to restrict how their personal data is processed. When a user evokes this right, the Controller is not obligated to delete their data from their records. However, they are bound to make all the changes necessary.
Users can evoke their Right to Restrict Processing:
- If their data is no longer accurate
- When their data is not processed lawfully, they wish to restrict it instead of deleting it from the Controller’s records.
- When the individual wants the Controller to hold their data even though the Controller no longer needs this. This empowers the individual to make a legal claim if necessary.
- The individual has already processed an erasure claim, and the Controller is working on it. And the Right to Rectification is used in the delta stage.
6) Right to Data Portability
Right to Data Portability is one of the novelty rights individuals are entitled to under the GDPR law.
By exercising this right, individuals can ask Controllers to send them a copy of all their previously provided personal data and any new information the Controller obtained with their internal processes.
This information is to be sent to the individual by the Controller in a structured and machine-readable format.
An individual can also ask the Controller to send this data to another Controller.
This right can only be exercised if:
- The individual has provided their data to the Controller by consenting to it
- And if this data is processed electronically
7) Right to Object to Processing
This is straightforward. Any individual is entitled to ask the Controller to stop processing their personal data at any time.
8) Rights in Relation to Automated Decision Making and Profiling
Individuals have the right to object to data processing when automated methods solely do it without any form of human intervention.
This includes profiling data that provides for aspects such as mental health, work performance, behavior, location, income etc. This right cannot be exercised if the data that is processed is under the government’s legal requirement.
Violation of Common GDPR Data Subject Rights
If found to be non-compliant with GDPR, you could be levied with a heavy administrative fine of € 20 million or 4% of your annual turnover, whichever is higher.
This could also cause irreparable reputational damage to your brand.
Operationalization of GDPR Rights of the Data Subject
If your organization processes large volumes of requests from Data Subjects, it is best to bring Sprinto onboard.
Sprinto automates the collection process of receiving these requests and automatically assigns them to the relevant teams responsible for this task.
Along with that, Sprinto is designed to become your single-central resource to process all your GDPR compliance requirements. Over 100 SaaS businesses have significantly reduced their time and cost to become compliance ready with Sprinto.
Talk to Sprinto today to see how we can revolutionize your GDPR compliance process.
What are the 8 data subject rights under GDPR?
The eight data subjects’ rights are the right to be informed, right of access, right to rectification, right to be forgotten, right to restrict processing, right to data portability, right to automated decision making, and the right to object processing. a
What is not a data subject right?
The right to data restrict data processing is removed from a data subjects list of rights when a federal agency does the processing of data for the purposes of the prevention, investigation, detection or prosecution of criminal offences.