
The 8 mandatory GDPR data subject rights broken down

The General Data Protection Regulation (GDPR) has applied since 25 May 2018 and is the EU's core legal framework for how organizations, wherever they are established, must handle the personal data of individuals in the EU.
To promote transparency and accountability when processing such data, the GDPR grants data subjects a set of rights, commonly grouped as eight, that underpin many of its compliance requirements. Honoring these rights is a core aspect of GDPR compliance, and failing to do so can result in fines and other enforcement measures.
In this article, we’ll break down the eight GDPR data subject rights and offer practical guidance on how to fulfill them efficiently.
What are the 8 data subject rights under GDPR?
The eight GDPR data subject rights are a set of entitlements granted to individuals in the EU regarding their personal data. They are written into the GDPR to enhance transparency, protect privacy, and ensure that individuals can hold in-scope organizations accountable for what happens to their personal data. The eight rights are as follows:

- Right to be informed
- Right of access
- Right to rectification
- Right to object
- Rights related to automated decision-making, including profiling
- Right to erasure (‘right to be forgotten’)
- Right to data portability
- Right to restriction of processing
1. Right to be informed
Under the GDPR, individuals have the right to know what personal data about them is collected and processed, for what purposes and on what legal basis, how long it will be retained, who receives it, and how to lodge a complaint with a supervisory authority.
Data subjects must be informed through a concise, plain-language privacy notice, provided in writing or by other means, including electronically. An electronic notice should be clearly distinguishable from other content rather than buried in general terms, and easy to reach.
When you must provide the notice depends on where the data comes from. If you collect it directly from the data subject, provide the notice at the time of collection. If you obtain it from another source, provide it within a reasonable period and at the latest within one month, or earlier if you contact the data subject or disclose the data to a recipient before that month is up.
Controllers must also establish procedures that let data subjects exercise their rights, such as accessing, correcting, or deleting their data. Requests should normally be fulfilled within one month of receipt. Where a request is complex, or you are handling many requests from the same person, this period can be extended by up to two further months (three months in total), but you must tell the data subject about the extension and the reasons for it within the initial month.
Requests must be handled free of charge. A controller may charge a reasonable fee or refuse to act only if it can demonstrate that a request is manifestly unfounded or excessive, for example because it is repetitive; the burden of demonstrating this sits with the controller.
Example: When an individual signs up for a service, they must first receive a concise privacy notice. The service must also offer a communication channel and guidance on how to send requests related to the individual’s data privacy rights.
2. Right of access
By submitting a data subject access request (DSAR), a data subject can ask a controller to confirm whether it is processing their personal data. If it is, they are entitled to a copy of that data together with:
- The purposes of the processing
- The categories of personal data concerned
- The recipients or categories of recipients, in particular any in third countries or international organizations, and the safeguards applied to such transfers
- The envisaged storage period, or the criteria used to determine it
- Their rights to rectification, erasure, restriction of processing, and objection
- Their right to lodge a complaint with a supervisory authority
- The existence of any automated decision-making, including profiling, with meaningful information about the logic involved and its significance and envisaged consequences
Where the data was not collected from the data subject, the response must also include any available information about its source. The first copy is free of charge; further copies may incur a reasonable fee based on administrative costs. If the request was made electronically, the response should be provided in a commonly used electronic form unless the data subject asks otherwise.
Example: An individual can submit a DSAR if they suspect that an organization has misused or incorrectly recorded their data. The organization would then have to inform them about the type of information collected, how it’s used, and whether it’s being shared.
3. Right to rectification
Individuals can ask organizations to correct any inaccurate or incomplete information they have about them.
Once a controller receives such a request, it must act on it within one month. For complex requests, this period may be extended by up to two additional months, but the controller must inform the data subject about the delay and explain what caused it.
Example: If someone changes an address or receives a new ID, they can request their bank to update their records for accuracy.
4. Right to object
Data subjects can object, on grounds relating to their particular situation, to processing of their personal data that relies on one of two lawful bases:
- A task carried out in the public interest or in the exercise of official authority
- The controller's legitimate interests
This includes profiling based on either ground. Once an objection is made, the controller must stop processing the data unless it can demonstrate compelling legitimate grounds that override the data subject's interests, rights, and freedoms, or that the processing is needed to establish, exercise, or defend legal claims.
For direct marketing, including profiling related to direct marketing, the right to object is absolute: the data subject can object at any time, no balancing test applies, and the controller must stop using the data for that purpose. This right must be brought to the data subject's attention explicitly, no later than the first communication with them, and presented separately from other information.
Where data is processed for scientific or historical research or statistical purposes, the right to object still applies, but not where the processing is necessary for a task carried out for reasons of public interest. Such processing must still be subject to appropriate technical and organisational safeguards and respect the data minimization principle.
Example: An individual can object to the use of their data for personalized advertising, and the organization must stop using it for that purpose. By contrast, if someone objects within a public-interest research project, the researchers may be exempt from fulfilling their request.
5. Rights related to automated decision-making, including profiling
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them. Such decisions are permitted only where they are:
- Necessary for entering into, or performing, a contract between the data subject and the controller
- Based on the data subject's explicit consent
- Authorised by Union or Member State law that also lays down suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests
In the contract and consent cases, the controller must implement safeguards that, at a minimum, give the data subject the right to obtain human intervention, to express their point of view, and to contest the decision. Decisions based on special categories of data, such as health data, are subject to further restrictions.
Example: If a bank uses an automated system to process loan applications using customers’ credit information, data subjects have the right to request a human review of the decisions, and to contest the outcome if they think it was unjustified.
6. Right to erasure (‘right to be forgotten’)
Individuals have the right to ask the controller to erase their personal data, and the controller must do so without undue delay where one of the following applies:
- The data is no longer necessary for the purposes for which it was collected or otherwise processed
- The data subject withdraws the consent on which the processing is based, and there is no other lawful basis for it
- The data subject objects to the processing and there are no overriding legitimate grounds to continue, or objects to its use for direct marketing
- The data has been unlawfully processed
- Erasure is required to comply with a legal obligation under Union or Member State law
- The data was collected from a child in relation to the offer of information society services
If the controller has made the data public, it must take reasonable steps, including technical measures, to inform other controllers processing the data that the data subject has asked for erasure of any links to, copies of, or replications of it. Separately, the controller must notify each recipient to which it has disclosed the data of the erasure, unless this proves impossible or involves disproportionate effort, and must tell the data subject who those recipients are if asked.
There are several situations where the right to erasure may not apply. These include cases where data processing is necessary for:
- Exercising the right to freedom of expression and information
- Public interest in the area of public health
- The establishment, exercise, or defense of legal claims
Example: Search engines like Google must review requests to remove certain personal information from their results and honor them if they meet the GDPR’s conditions for data erasure.
7. Right to data portability
Individuals have the right to receive the personal data they have provided to a controller in a structured, commonly used, and machine-readable format, and to transmit it to another controller without hindrance. Where technically feasible, they can also ask for the data to be transmitted directly from one controller to the other.
This right applies only where the processing is based on the data subject's consent or on a contract, and is carried out by automated means. It does not apply to processing necessary for a task carried out in the public interest or in the exercise of official authority. It covers only data the subject provided (including data generated by their use of the service), not data the controller inferred or derived about them, and it must not adversely affect the rights and freedoms of others.
Example: A user of a fitness-tracking service can request an export of the profile details and workouts they entered, in a format such as JSON or CSV, and ask that it be sent straight to a competing service where that is technically feasible. A fitness score the service computed about them is not data they provided and falls outside the right.
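The following is an added example, not code from the original article or from Vanta: a minimal portability export that applies the two conditions above (lawful basis of consent or contract, automated processing), includes only the data the subject provided, serializes it as canonical JSON, and attaches a SHA-256 digest so the subject or the receiving controller can detect a file altered in transit. The record layout, the "provided"/"derived" split, the `portability-export/1` schema label, and the sample values are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample of what a controller holds about one data subject (not a
# real record). Fields are grouped by origin: "provided" is data the subject
# supplied or generated through their own use of the service; "derived" is data
# the controller produced about them. Only the former is within the right.
SAMPLE_RECORD = {
    "subject_id": "u-1001",
    "lawful_basis": "contract",       # portability needs consent or contract ...
    "automated_processing": True,     # ... and processing by automated means
    "provided": {
        "profile": {"name": "A. Example", "email": "a.example@example.test"},
        "workouts": [
            {"date": "2024-03-01", "distance_km": 5.2},
            {"date": "2024-03-03", "distance_km": 7.8},
        ],
    },
    "derived": {
        "fitness_score": 73,          # computed by the controller: not portable
        "churn_risk": "low",
    },
}

PORTABLE_BASES = {"consent", "contract"}


def portability_applies(record):
    """True only when the basis is consent or contract and the processing is
    automated; other bases (public task, legitimate interests, ...) are out."""
    return record["lawful_basis"] in PORTABLE_BASES and bool(record["automated_processing"])


def build_export(record, exported_at=None):
    """Assemble the portable dataset: subject-provided data only, plus the
    metadata a receiving controller needs to interpret it."""
    if not portability_applies(record):
        raise ValueError(
            "portability does not apply (basis=%s, automated=%s)"
            % (record["lawful_basis"], record["automated_processing"])
        )
    if exported_at is None:
        exported_at = datetime.now(timezone.utc).isoformat()
    return {
        "schema": "portability-export/1",   # assumed label, not a published standard
        "media_type": "application/json",
        "exported_at": exported_at,
        "subject_id": record["subject_id"],
        "data": record["provided"],          # "derived" is deliberately left out
    }


def serialize(export):
    """Canonical JSON (sorted keys, no whitespace) so the same export always
    gives the same bytes and therefore the same digest."""
    return json.dumps(export, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def export_with_digest(record, exported_at=None):
    """Return (file bytes, sha256 hex). Publish the digest over a second channel
    so the subject or receiving controller can detect a tampered file."""
    body = serialize(build_export(record, exported_at))
    return body, hashlib.sha256(body).hexdigest()


def verify_digest(body, digest):
    """Constant-time comparison of the file's digest with the published one."""
    return hmac.compare_digest(hashlib.sha256(body).hexdigest(), digest)


def parse_export(body):
    """What the receiving controller does with the file: plain JSON parsing."""
    return json.loads(body.decode("utf-8"))


if __name__ == "__main__":
    body, digest = export_with_digest(SAMPLE_RECORD)
    print(body.decode("utf-8"))
    print("sha256:", digest)
```

Running the module prints the export and its digest. The check in `portability_applies` is the part that is easy to get wrong in practice: a record processed under a public-task or legitimate-interests basis is not portable even though the subject may still have a right of access to it, and the `derived` block is excluded on purpose because inferred data is not data the subject provided.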
8. Right to restriction of processing
Data subjects can ask controllers to restrict how their personal data is processed. Restriction does not mean erasure: the controller may keep storing the data, but any other processing is allowed only with the data subject's consent, for establishing, exercising, or defending legal claims, to protect the rights of another person, or for reasons of important public interest.
The right to restrict processing applies in the following situations:
- Challenged accuracy: Processing is limited while the controller verifies the data
- Unlawful processing: Data subjects can request that processing be restricted instead of having their data erased
- Data is no longer needed by the controller: Even if the controller doesn’t need the data, the subject may require it to establish, exercise, or defend legal claims
- Lodged objection: If the data subject objects to processing, it can be restricted while the controller determines whether its legitimate grounds override the individual's interests, rights, and freedoms
Before lifting a restriction, the controller must inform the data subject. As with erasure, recipients of the data must be notified of the restriction unless that proves impossible or involves disproportionate effort.
Example: If someone has just moved and their address on file is inaccurate, they can request restriction of processing until the controller verifies and corrects the contact details.
How to efficiently fulfill GDPR data subject rights
Respecting data subject rights is a core GDPR requirement, but short deadlines, complex requests, and rigorous documentation standards can make compliance challenging. The following practices can help streamline your workflows:
- Automate evidence collection: Log every request, the identity check performed, the deadline, any extension notice, and the response in a single repository so you can demonstrate compliance during audits
- Maintain thorough GDPR policies: Review and update your GDPR policies regularly to reflect any updates to the regulation and changes in your processing activities
- Continuously monitor data subject requests: Maintain continuous oversight to identify requests quickly and detect potential compliance issues before they escalate
- Have a centralized request intake process: Offer a secure, documented channel for requests, and verify the requester's identity with a proportionate check before disclosing, changing, or deleting data. The GDPR lets you ask for additional information where you have reasonable doubts about identity, and a DSAR answered without such a check is a ready-made route for an attacker to obtain someone else's data
- Use templates to address different rights for efficiency: Create repeatable protocols that enable you to automatically categorize requests and map them to relevant teams
Following up on data subject requests and ensuring ongoing alignment with GDPR may put significant pressure on your compliance teams, increasing the risk of human error and oversights. You can streamline the process with a dedicated solution that automates key steps and reduces manual workload.
Streamline GDPR compliance workflows with Vanta
Vanta is a trust management platform that helps organizations achieve and maintain GDPR compliance with step-by-step guidance that operationalizes many of the regulation’s complex requirements. It also provides resources that cut down on research and consultation hours, helping speed up compliance, reducing costs, and strengthening overall security.
Vanta’s dedicated GDPR product comes with various valuable features, such as:
- GDPR stakeholder training materials
- Real-time monitoring with instant reports
- Pre-built policy templates and a customization tool
- Automated evidence collection powered by 375+ integrations
- Inventory management in a unified dashboard
Schedule a custom demo to explore how Vanta can streamline GDPR compliance firsthand.
A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.