The General Data Protection Regulation (GDPR) came into force in the EU on May 25, 2018. Its purpose is to make sure that data protection laws are applied equally in all member states. The GDPR also expanded the rights of data subjects, giving them greater control over how entities collect and use their data.
The eight fundamental rights of data subjects are detailed in Chapter 3, Articles 12 to 23 of the GDPR. These are:
Right to Access Personal Data
Article 15 gives data subjects the right to access their personal data collected by a data controller. The data controller has 30 days to respond to the data subject’s request.
Right to Rectification
Article 16 gives data subjects the right to request the modification of their data, such as correcting errors and adding missing information.
Right to Erasure
Article 17 gives data subjects the right to stop the processing of their data and to have their personal data erased, deleted or forgotten.
Right to Restrict Data Processing
Article 18 gives data subjects the right to request that all processing of their personal data be stopped (under certain circumstances).
Right to be Notified
Article 19 states that data subjects need to be informed clearly:
- how their personal data will be used
- what actions should be taken in case their rights are violated
- if there is any rectification or deletion of their personal data
Right to Data Portability
Article 20 gives data subjects the right to request that their personal data be sent to a third party. It should be provided in a machine-readable format.
Right to Object
If a data controller does not honor a data subject’s request to stop the processing of personal data, Article 21 gives the data subject the right to object to the denial of their request.
Right to Reject Automated Individual Decision-Making
Article 22 gives data subjects the right to refuse the automated processing of their personal data (including profiling) if it will significantly affect the data subject or produce legal effects.
The rights of data subjects under the GDPR are not absolute. In certain situations, the above-mentioned rights may not be granted. For instance, the data subject cannot exercise the right to restrict data processing if the processing is necessary to prevent, investigate or prosecute criminal offenses. Data subjects are allowed to access their personal data file only if it does not adversely affect other people’s rights and freedoms.
Data controllers should educate themselves on the rights of data subjects under the GDPR. They should be aware of when requests must be honored and when requests can be legally denied.