Data subject rights under GDPR: everything you need to know

The right to be informed

Organizations must provide users with information about their data processing activities. Such information can be provided in writing, including electronically, through a privacy policy. The information should be concise, transparent, understandable, easily accessible, written in clear and simple language (especially when directed to a child), and free of charge.

If the data is collected from the actual user to whom it relates, then it must be provided with privacy information at the time the data is obtained. However, if the personal data is obtained from a source other than the individual user, the individual user must receive privacy information within a “reasonable period” from the data obtained. This period can be no later than one month in general, or at the latest when the first communication occurs (if you use the data to communicate with the user).

The right of access

Users have the right to access their personal data and information about how it is processed. At the user’s request, data controllers must provide an overview of the categories of data processed, a copy of the actual data collected, and a description of how the data are processed. It is also necessary to clarify the purposes of the processing, how the data were acquired, and with whom the data were shared, if any.

Finally, the organization must provide the requesting individual with a copy of his or her personal data free of charge (should the individual request multiple copies, a reasonable fee may be charged). The requested data must be provided to the individual without undue delay and no later than one month after receipt of the request; the exact number of days in which the organization must honor a request depends on the month in which it was made.

The right of access is closely related to the right to data portability, although these two rights are not identical. It is therefore important that there is a clear distinction between these two rights in the privacy policy.

The right of rectification

Users have the right to request rectification of their personal data if they are inaccurate or incomplete. This right also implies that rectification must be communicated to all third parties involved in the processing of the data in question, unless this is impossible or particularly difficult. If requested by the user, the organization must also inform the user of the identity of such third parties.

Requests may be extended for an additional two months if the request is complex or if numerous requests have been received from the individual. The individual must be notified within one month of receipt of the request with an explanation of why the extension is necessary. Requests must be honored without undue delay and no later than one month after receipt.

In most cases, organizations must comply with a request for rectification without charging a fee. However, if a request is found to be “manifestly unfounded or excessive,” a “reasonable fee” may be charged to satisfy it or refused to address it. In either scenario, the decision must be legitimately justified. If a request is denied, the individual must be informed (along with the justification) without unnecessary delay and within one month of receiving it.

The right to object

Under the GDPR, users have the right to object to certain processing activities of their personal data carried out by the data controller (also known as Controller). In summary, users may object to the processing of their data whenever it is based on a legitimate interest or the performance of a task of public interest/exercise of public authority or for the purpose of scientific/historical research and statistics. Users must give reasons for their objection, unless the processing is for direct marketing purposes. In the latter case, in fact, no justification is required to exercise this right

If an objection to the processing of personal data is received and there are no grounds for refusal, the processing activity must cease. While the processing activity (including storage) must be stopped for the particular processing activities objected to, deletion may not be necessary if the data are processed for other purposes (including fulfilling legal or contractual obligations), as the data will have to be retained for these purposes.

Requests must be honored without undue delay and no later than one month after their receipt. Requests may be extended for an additional two months if the request is complex or if numerous requests have been received from the individual. The individual must be notified within one month of receipt of the request with an explanation of why the extension is necessary.

If there are no grounds for refusal, in most cases organizations must comply with the request without charging a fee. However, if a request is found to be “manifestly unfounded or excessive,” a “reasonable fee” may be charged to fulfill it or refuse to deal with it. In either scenario, the decision must be legitimately justified. If a request is denied, the individual must be informed (along with the justification) without unnecessary delay and within one month of receiving it.

The right to data portability

You have the right to obtain (in a readable electronic format) your personal data for the purpose of transferring it to another data controller, without the current data controller creating any obstacles. Both data “provided” by the user and data “observed” fall under this provision. This right applies only to personal data and as such does not apply to genuinely anonymous data (data that cannot be traced back to the individual).

Requests must be honored without undue delay and no later than one month after their receipt. Requests may be extended for an additional two months if the request is complex or if numerous requests have been received from the individual. The individual must be notified within one month of receipt of the request with an explanation of why the extension is necessary.

In most cases, organizations must comply with the request without charging a fee. However, if a request is found to be “manifestly unfounded or excessive,” a “reasonable fee” may be charged to satisfy it or refused to address it. In either scenario, the decision must be legitimately justified. If a request is denied, the individual must be informed (along with the justification) without unnecessary delay and within one month of receiving it.

The right to cancellation

When the data are no longer useful for the purposes for which they were collected, if the user withdraws consent, or when the personal data have been processed unlawfully, the user has the right to request their deletion as well as the cessation of all other forms of dissemination.

Requests must be honored without undue delay and no later than one month after their receipt. Requests may be extended for an additional two months if the request is complex or if numerous requests have been received from the individual. The individual must be notified within one month of receipt of the request with an explanation of why the extension is necessary.

The right to cancellation can be denied:

• When personal data are processed for a public interest (such as scientific research);
• when the data is necessary for defense in court or to fulfill a legal obligation;
• For the performance of a task in the public interest;
• for the exercise of public authority vested in the data controller;
• when the data are necessary to exercise the right to freedom of expression;
• When processed for health and public interest purposes.

The right to restrict treatment

You have the right to request restriction of the processing of your personal data if:

• challenged their accuracy;
• objected to the treatment, and the organization is considering whether there is a legitimate reason to exclude him;
• processing is unlawful, but the user requests restriction rather than deletion;
• data is no longer needed, but the user needs it to establish, exercise, or defend a legal claim.

The restriction must be communicated to all third parties involved in the processing of the data in question, unless this is impossible or particularly difficult. If requested by the user, the organization must also inform the user of the identity of such third parties.

Requests must be honored without undue delay and no later than one month after their receipt. Requests may be extended for an additional two months if the request is complex or if numerous requests have been received from the individual. The individual must be notified within one month of receipt of the request with an explanation of why the extension is necessary.

In most cases, organizations must comply with the request without charging a fee. However, if a request is found to be “manifestly unfounded or excessive,” a “reasonable fee” may be charged to satisfy it or refused to address it. In either scenario, the decision must be legitimately justified. If a request is denied, the individual must be informed (along with the justification) without unnecessary delay and within one month of receiving it.

Rights related to automated decision making and profiling

Users have the right not to be subjected to decision-making processes that are based on automated processing or profiling and that produce a legal effect, or an equally significant effect.

Organizations may make automated decisions only if they are necessary for the performance of a contract, authorized by the legislation of the EU country applicable to the data controller, have no legal effect or similar relevance to the user, or are based on the explicit consent of the data subject. Automated decisions involving special categories of data may be made only with the explicit consent of the user or for reasons of important public interest.