AuditXYZ

Lesson 2 of 5

GDPR Data Subject Rights: A Complete Guide


GDPR Data Subject Rights

GDPR grants individuals eight rights over their personal data. Organizations must implement processes to honor these rights and respond to requests within one month. Failure to respect data subject rights is one of the most common sources of GDPR complaints and enforcement actions.

The Eight Rights

Right to be informed — individuals must be told how their data is collected and used, typically through privacy notices.

Right of access — individuals can request a copy of their personal data and information about how it is being processed. This is the most commonly exercised right.

Right to rectification — individuals can request correction of inaccurate or incomplete personal data.

Right to erasure (right to be forgotten) — individuals can request deletion of their personal data in certain circumstances, such as when data is no longer necessary or consent is withdrawn.

Right to restrict processing — individuals can request that processing be limited while other requests or disputes are resolved.

Right to data portability — individuals can request their data in a structured, machine-readable format and have it transferred to another controller.

Right to object — individuals can object to processing based on legitimate interests or for direct marketing purposes. For direct marketing, the objection is absolute.

Rights related to automated decision-making — individuals can request human intervention in decisions made solely by automated processing that significantly affect them.

Response Timelines

You must respond to data subject requests within one month. This can be extended by two additional months for complex or numerous requests, but you must inform the individual of the extension within the first month. Responses must be provided free of charge, though a reasonable fee can be charged for manifestly unfounded or excessive requests.

Implementation

Build internal processes for receiving, verifying the identity of the requester, and fulfilling requests. Train customer-facing staff to recognize requests, since they may arrive through any channel rather than a dedicated form. Maintain a log of all requests and responses, including the dates received and answered, so that deadlines can be evidenced. Use privacy management tools to automate data subject access request (DSAR) fulfillment where possible.

In the next lesson, we will cover the lawful basis for processing.