Rights of a data subject


Under the General Data Protection Regulation (GDPR), which is a comprehensive data protection law in the European Union, data subjects (individuals whose personal data is processed) are granted several key rights. These rights are designed to give individuals more control over their personal data and ensure transparency and accountability from organizations handling it. Here’s a breakdown of the main rights of a data subject under GDPR:

Right to Be Informed

Individuals have the right to be informed about how their personal data is being collected, used, and processed. This includes knowing who is processing the data, the purpose of processing, and how long it will be stored. This information must be provided in a clear, concise, and transparent way (e.g., through privacy notices).

Right of Access

Data subjects can request access to their personal data held by an organization. This means they can ask for confirmation that their data is being processed and obtain a copy of it, along with details about how and why it’s being used.

Right to Rectification

If personal data is inaccurate or incomplete, individuals have the right to have it corrected or updated.

Right to Erasure (Right to Be Forgotten)

Individuals can request the deletion of their personal data under certain conditions, such as when the data is no longer necessary for the original purpose, they withdraw consent, or it was processed unlawfully.

Right to Restrict Processing

Data subjects can ask for the processing of their data to be limited in specific situations, such as when they contest its accuracy or when the processing is unlawful but they don’t want it erased.

Right to Data Portability

This allows individuals to obtain their personal data in a structured, commonly used, and machine-readable format and transfer it to another organization. This applies particularly to data provided by the individual and processed based on consent or a contract.

Right to Object

Individuals can object to the processing of their personal data in certain cases, such as when it’s used for direct marketing or based on legitimate interests. Once an individual objects, processing must stop unless there are compelling legitimate grounds to continue.

Rights Related to Automated Decision-Making and Profiling

Data subjects have the right not to be subject to decisions based solely on automated processing (including profiling) that significantly affect them, unless it’s necessary for a contract, authorized by law, or based on explicit consent. They can also request human intervention or challenge such decisions.

These rights apply to individuals within the EU or when their data is processed by organizations subject to GDPR (even if the organization is outside the EU but offers goods/services to EU residents or monitors their behavior). Organizations must respond to requests exercising these rights within one month, though this can be extended in complex cases.