Data controllers (“sellers”) and data processors (“their suppliers”), often use personal data to deliver products and services. The seller and their suppliers must both ensure that the data is managed safely and securely. Under the GDPR, the persons whose data is used (“data subjects”) have several new options to control the safety of their data. These controls are the new rights for data subjects.
Reading time: 1,5 minutes.
The different data subjects rights
Data controllers have a legal obligation to respond to requests from data subjects. If it’s not possible to fulfil a request, the data controller must state the reason for this. Sometimes data processors receive the requests and may have to help data controllers fulfil them.
The right to information
Data subjects have a right to be informed about the processing of their data. Data controllers have to give clear and concise information in this regard. The information needs to be very easy to understand.
The right to access
Data subjects have the right to request access to their data. Data controllers have to provide this access free of charge and in an accessible format.
Looking for a practical guide to the DPO role?
The book Data Protection Officer provides a practical guide to the DPO role, encompassing the key activities you’ll need to manage to succeed in the role. Coverage includes data protection fundamentals and processes, understanding risk and relevant standards, frameworks and tools, with DPO tips also embedded throughout the book and case studies included to support practice-based learning.
Available as an e-book and paperback. Get a preview or free sample: Data Protection Officer (BCS Guides to It Roles)
The right to rectification
Data subjects have the right to request rectification of incorrect or incomplete data. The data controller then has to correct the information as soon as possible.
The right to erasure
Data subjects may ask to exercise their right to erasure. Erasure means that the data controller has to delete the personal data about the data subject. This right is not absolute, though, and there are times when the data controller does not have to comply.
The right to data portability
Data subjects have the right to data portability. Portability means that the data controller has to transfer the personal data when asked. Data subjects can request that the data be transferred either to themselves or to another controller. The other controller may be a company that provides a service that the data subject wants to use. The controller only has to fulfil this request if it’s technically possible.
The right to objection
Data subjects have the right to object to the processing of their data if they have not given their consent. Generally, data controllers have to stop processing personal data if this happens. As an exception, processing may continue due to reasons of public interest, such as for scientific research.
The right to restriction
Data subjects may request restriction. Restriction means that the data controller has to stop processing data for certain things. In other words, the data controller does not have to stop the processing completely.