The General Data Protection Regulation (GDPR) grants people, in their capacities as consumers, citizens and so forth, a range of specific data subject rights concerning their personal data, which they can exercise under particular conditions and, as usual, with a few exceptions. GDPR compliance means, among other things, enabling the exercise of these rights. Below is an overview of 8 fundamental data subject rights and of additional citizen rights in specific circumstances.
You can read more about some of these main data subject rights in our GDPR guide where we, among other things, tackle the data subject’s right of access, the right to be forgotten (a.k.a. the right to erasure), the data subject’s right to data portability and so forth.
Data subject rights are never absolute: there are, as mentioned, conditions and exceptions, but there are also other rights to keep in mind. The right to freedom of expression and information, for instance, can have an impact on the right to erasure.
Moreover, organizations have legal obligations and there might be contractual stipulations which override data subject rights.
Data subject rights are contextual – rights, obligations and circumstances
Controllers (and in several instances processors who process personal data for the controller) have duties and specific rights, and in some cases they might not be able to meet a data subject right, again under specific rules. It isn’t always that easy. The guidelines of the European Data Protection Board can be of help, as can those of supervisory authorities in specific cases.
There is another reason why data subject rights are contextual. A good example is the right to withdraw consent. The right to withdraw consent only applies when consent is the legal basis for the processing. Consent is only one of several lawful grounds for personal data processing, so if another lawful ground has been chosen, in full compliance with the GDPR, there is of course no consent to withdraw either. Still, things can be tricky. Do note that consent also isn’t the same as explicit consent, as some people seem to believe.
Below is an overview of those data subject rights, which of course should be part of every GDPR awareness program, at the very start of a strategic GDPR business approach and of your journey towards GDPR compliance.
Speaking about awareness, there is an Irish, yet internationally active, fixed-term, not-for-profit organization with (professional) volunteers which set out to increase GDPR awareness overall. It is – aptly – called the GDPR Awareness Coalition.
They made an infographic which summarizes some essential data subject rights, in this case called consumer rights in the infographic.
8 fundamental data subject rights (and more beyond the fundaments)
GDPR consumer rights
As you can see, the GDPR ‘consumer rights’ in this infographic include:
- The mentioned right to data portability.
- The data subject’s right to access to information.
- The right of correction, technically known as the right to rectification.
- The also mentioned right to be forgotten (erasure).
- The rights in the scope of consent (if that’s the legal ground for processing).
The infographic makes it a bit more tangible. However, there are more data subject rights, especially when it comes to special categories of personal data, for instance, or with regard to direct marketing and profiling. So, you might find different infographics and lists of all those data subject rights. Yet, again, this infographic made some consumer rights tangible.
The 8 fundamental data subject rights
At the most essential level and technically speaking there are 8 essential data subject rights.
They are set out in GDPR Articles 15 to 22, as GDPR Article 12 on transparent information, communication and modalities for the exercise of the rights of the data subject stipulates.
Do note that the principles regarding the processing of personal data, the lawfulness of processing (which is about those mentioned legal grounds, including consent), the duties regarding the processing of special categories of personal data, and so on stretch much further than the data subject rights (not every obligation or principle comes with a right for consumers, of course).
However, when data subjects want to exercise one of those data subject rights – and have the right to – then the controller (and processors) need to be able to deliver upon it within the rule of the law (in this case the Regulation).
Data subject rights list
So, here are those 8 fundamental data subject rights.
- The data subject’s right of access which means 1) the right to know whether data concerning him or her are being processed and 2) if so, access it with loads of additional stipulations (GDPR Article 15).
- The data subject’s right to rectification. When personal data are inaccurate, then controllers need to correct them indeed (GDPR Article 16).
- The previously mentioned right to erasure or right to be forgotten with additional stipulations, among others if personal data has been made public (GDPR Article 17).
- The data subject right to restriction of processing. Simply said, the right of the consumer or whatever you call the natural person under the scope of the GDPR, to limit the processing of his/her personal data with, once more, several rules and exceptions of course (GDPR Article 18).
- The right to be informed. Here we stretch it a bit. In general, the GDPR asks controllers and so on to inform data subjects on several matters. Providing clear and correct information is a key duty in many regards. Simply said, the GDPR wants consumers to know, because if you don’t know you can’t decide, right? However, here we rather mean GDPR Article 19 which, again simply put, means that when personal data have undergone an action as a consequence of one of the other data subject rights just mentioned, the controller must inform the recipients who received those data, where feasible. And then the data subject also has a right, even if not strictly called a right, to ask “who are all these recipients who got to see my data?”. So, right or not? It explains why we said 7.5, but it really is a right. More about information duties further below.
- The right to data portability. This is again one of those data subject rights that are in the infographic and which we covered more in depth previously. With the right to data portability we’re in GDPR Article 20, so, keeping in mind that data subject rights are covered in Articles 15 to 22, that means two more to go.
- GDPR Article 21 is all about the data subject’s right to object. That does indeed mean what it says: data subjects can say they don’t want the personal data processing to be done or going on. This might seem a bit overlapping with other data subject rights but it isn’t. Of course in practice the data subject can, again within specific conditions, exercise the right to object and the right to be forgotten. Especially direct marketers and people who do profiling should pay a lot of attention to the right to object as it’s a lot about them and certainly profiling with automated means (though not solely).
- The data subject’s right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This is pretty much a copy and paste of GDPR Article 22, Paragraph 1, which ends the ‘official’ list of data subject rights.
Additional data subject rights in the scope of particular circumstances and of consent
So, let’s say 8 fundamental data subject rights anyway, with that right to information being far broader than what is said in GDPR Article 19 and even GDPR Article 15: it is the right to clear information overall, as it comes back again and again in the GDPR.
Especially GDPR Article 13 and GDPR Article 14 cover the information which needs to be provided to the data subject, when personal data is collected from the data subject (Article 13), or when processed but not obtained from the data subject (Article 14).
And then we aren’t counting rights regarding consent (if it’s the chosen legal basis for a specific type of personal data processing), additional ‘rights’ with regard to those special categories of personal data which are called ‘sensitive data’ in GDPR Recital 10, rights in the scope of proceedings, lodging complaints, representation and compensation, rights in the scope of personal data breaches (e.g. notification in case of serious risks) and far more.
Below is another infographic, this one from Law Infographics who added a few of those rights. Oh, the abbreviations in this infographic: the DS is the Data Subject, the DC is the Data Controller (simply ‘controller’ in the GDPR text) and the DP is the Data Processor (‘processor’ in the GDPR text).
Data subject rights: the EU citizen perspective
As mentioned, protecting the personal data of EU citizens and making sure that data subject rights can be exercised according to the GDPR rules needs to be seen from a balanced risk perspective, whereby the appropriate safeguards to take are balanced against the specific risks in the specific data processing context and operation.
Such safeguards need to be appropriate in all perspectives but the risk for the data subject comes first. They are typically a mix of more ‘technical cybersecurity safeguards’ (ranging from password protection, user authentication and encryption to pseudonymization and more) and of organizational (processes, people) measures, anything that properly secures and protects the data of citizens, on top of all the measures that need to be taken in order to enable the exercise of data subject rights (which de facto overlaps).
So, it is important to look at data subject rights from the EU citizen perspective and how citizens will be made aware of their rights and the ways to exercise them. As written in an article regarding the question to what extent EU citizens and consumers will exercise their rights this depends on many factors.
However, it is clearly the intention of the European Commission to inform and empower citizens regarding their rights under the GDPR. The European Commission is doing so itself as part of its concerted efforts whereby GDPR guidance for SMEs and first citizen awareness steps were announced.
In that scope the European Commission explicitly called upon EU citizens to know their rights and contact data protection authorities when they feel data subject rights have not been protected. In January 2018 the Commission elaborated on initiatives to make citizens aware and started with the first actions.
It’s interesting to see how exactly this is done or, rather, what the Commission says with regards to the data subject rights to citizens – and it does serve as a reminder too.
The images below were released in January 2018, along with other initiatives by the European Commission. They come from one of several factsheets in PDF, in this case a GDPR and overall data protection reform factsheet for citizens (which you can also download here for a better resolution).
Top image: Shutterstock – Copyright: sdecoret – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked, we are not liable for potential mistakes and advise you to seek assistance in preparing for EU GDPR compliance.