8 GDPR Data Subject Rights Explained

Explore the key rights the GDPR grants EU residents over their personal data. Learn about the rights to information, access, correction, erasure, restriction of processing, data portability, objection, and avoiding automated decisions.

The General Data Protection Regulation (GDPR) gives EU residents 8 key rights over their personal data:

Right | What it means
1. Information | Know what data is collected and why
2. Access | See what personal data a company has
3. Correction | Fix wrong information
4. Erasure | Ask for data to be deleted
5. Restrict Processing | Limit how data is used
6. Data Portability | Move data to another service
7. Object | Say no to certain data uses
8. Avoid Auto Decisions | Not be subject to decisions made only by machines

These rights help protect privacy, make companies more careful with data, and build trust. Companies face fines up to €20 million for violations. This article explains each right in detail, showing how they work and why they matter for both individuals and businesses.

1. Right to Be Informed

The Right to Be Informed is a key part of GDPR. It makes sure people know how companies use their personal data. This right helps build trust between businesses and customers.

What Companies Must Tell You

When a company collects your data, they must provide this information:

Information | Description
Company Details | Name and contact info of the data controller
Data Use | Why they're collecting your data and how they'll use it
Legal Reason | Why they're allowed to process your data
Data Sharing | Who will see or use your personal data
Storage Time | How long they'll keep your data
Your Rights | How you can access, fix, or delete your data
Complaints | How to report issues to authorities

When You Should Get This Information

  • If a company gets data directly from you: They must tell you right away
  • If they get your data from somewhere else: They must tell you within one month

Real-World Impact

The European Commission did a survey in 2022. They found that 67% of EU citizens feel they have more control over their personal data since GDPR started. This shows that being open about data use helps people feel more secure.

Company Example: Airbnb

Airbnb updated its privacy policy after GDPR came into effect. They now use a clear, easy-to-read format. Their policy explains:

  • What data they collect (like your name and email)
  • Why they need it (to book stays and verify your identity)
  • Who they share it with (like hosts you book with)
  • How long they keep it (usually for as long as you have an account)

This approach helps Airbnb users understand their data rights and builds trust in the platform.

2. Right of Access

The Right of Access lets people ask companies for their personal data. This right is key to GDPR and helps people understand how companies use their information.

What You Can Ask For

When you make a Subject Access Request (SAR), companies must give you:

Information | Description
Data confirmation | Proof they have your data
Data copy | A copy of your personal data
Processing purpose | Why they use your data
Data categories | Types of data they have
Recipients | Who sees or uses your data
Storage time | How long they keep your data
Your rights | How to fix, delete, or limit data use
Complaints | How to report issues
Data source | Where they got your data
Auto decisions | Info on computer-only choices about you

How It Works

Companies must answer SARs within one month. They can't charge you for this, except for extra copies. If you ask online, they should reply online too.

Real-World Example

In 2019, the UK's Information Commissioner's Office (ICO) changed how companies count days to answer SARs. For a request made on August 19, 2019, companies had to reply by September 19, 2019. This change came from a 2004 EU court decision.

Things to Know

  • Companies can take longer to answer if your request is hard or you ask for a lot.
  • They might ask you questions to make sure it's really you asking.
  • If they need more info from you, the one-month clock starts when they get it.
  • Companies can say no if you ask too much or too often.

Why It Matters

This right helps you:

  • Check if your data is correct
  • See how companies use your info
  • Make sure companies follow the rules

It's a powerful tool to protect your privacy and keep companies honest about data use.

3. Right to Rectification

The Right to Rectification lets people fix wrong or incomplete personal data that companies have about them. This right is part of GDPR and helps keep data correct.

How the Right to Rectification Works

What You Can Do | What Companies Must Do | Time Frame
Ask to fix wrong data | Correct mistakes quickly | Usually within 1 month
Add missing information | Complete incomplete data | Without delay
Provide proof if needed | Tell other companies about changes | As soon as possible

Steps to Fix Your Data

  1. Find the mistakes in your data
  2. Contact the company
  3. Explain what's wrong
  4. Give proof if you need to
  5. Follow up if they don't answer

Company Duties

Companies must:

  • Fix wrong data quickly
  • Fill in missing data
  • Tell other companies about changes
  • Stop using data if there's a dispute about its accuracy

Real-World Example

In Spain, a credit agency was fined €1 million for keeping wrong debt records. This shows how important correct data is.

Possible Problems

Sometimes companies might:

  • Say they don't need to fix the data
  • Not accept your proof
  • Say their systems can't make the changes

Key Points to Remember

  • You don't have to pay to fix your data
  • You can ask in writing or by talking to the company
  • Companies should answer within a month
  • If they take longer, they must tell you why

This right helps keep your data correct and protects your privacy.

4. Right to Erasure (Right to Be Forgotten)

The Right to Erasure, also called the Right to Be Forgotten, lets people ask companies to delete their personal data. This right is part of the GDPR.

How the Right to Erasure Works

Aspect | Details
Legal Basis | GDPR Article 17
Time to Respond | 1 month
Who Can Use It | EU residents
What It Covers | Personal data held by companies

When You Can Ask for Erasure

You can ask a company to delete your data when:

  • They don't need your data anymore
  • You take back your permission
  • You object to how they use your data
  • They used your data illegally
  • They must delete it by law
  • They collected data from a child

Limits to the Right

Companies can keep your data if they need it for:

  1. Free speech
  2. Following the law
  3. Public health reasons
  4. Research or statistics
  5. Legal claims

Real-World Example

In 2020, Google got a €600,000 fine in Belgium. They didn't remove links about a person when asked. The links had old, harmful info. This shows companies must take these requests seriously.

Tips for Companies

  1. Make clear steps for handling delete requests
  2. Keep track of what personal data you have
  3. Check your data regularly
  4. Train staff about GDPR rules
  5. Write down why you accept or deny requests

5. Right to Restrict Processing

The Right to Restrict Processing lets people limit how companies use their personal data without deleting it. This right is part of Article 18 of the GDPR.

When You Can Use This Right

You can ask a company to stop using your data when:

Reason | Explanation
Wrong data | You think the information is incorrect
Illegal use | The company is using your data unlawfully
Legal needs | You need the data for a lawsuit
Objection | You've said no to data use and are waiting for a decision

How It Works

  1. Tell the company you want to restrict your data use
  2. The company must answer within one month
  3. They can only store your data, not use it
  4. The company must tell you before they start using your data again

Real-World Example

In 2022, the Irish Data Protection Commission fined Meta €265 million. Meta didn't protect user data properly, including the right to restrict processing. This shows how important this right is and what can happen if companies don't follow the rules.

What Companies Must Do

Action | Details
Stop processing | Can only store the data
Get permission | Need your okay to use the data again
Tell others | Let other companies know about the restriction
Keep records | Track all restriction requests

Tips for Using This Right

  • Be clear about which data you want to restrict
  • Explain why you're asking for the restriction
  • Keep a copy of your request and the company's answer
  • Follow up if you don't hear back in a month

6. Right to Data Portability

The Right to Data Portability lets people get their personal data from companies and move it to other services easily. This right is part of Article 20 of the GDPR.

What This Right Covers

Aspect | Details
Data format | Easy for computers to read (like CSV files)
What data | Personal info you gave the company
When it applies | If the company uses your data based on your permission or a contract
How data is processed | By computer systems
Cost | Free (unless you ask too much)
Time to respond | 1 month (can be 3 months if it's hard)

You can also ask companies to send your data straight to another company if it's possible to do so.

Limits of This Right

This right doesn't work for:

  • Data the company needs for public tasks
  • Data used because of official power

Also, using this right shouldn't hurt other people's rights.

Real Examples

  1. Google Takeout

    • What it does: Lets you download your data from Google services
    • How it works: You can get your emails, documents, and YouTube videos in formats easy to use elsewhere
  2. Open Banking (UK)

    • What it does: Makes banks share customer data with other companies
    • How it works: Uses standard ways to share data so you can use new financial services easily

Why It Matters

This right helps you:

  • Switch between services more easily
  • Try new services without losing your data
  • Have more control over your personal information

It also makes companies compete more, which can lead to better services for users.

7. Right to Object

The Right to Object lets people tell companies to stop using their personal data in certain cases. This right is part of Article 21 of the GDPR.

When You Can Object

You can object when a company uses your data for:

Reason | Example
Their own interests | Using your data to improve their products
Public tasks | Government agencies using your data
Direct marketing | Sending you ads or promotional emails
Research | Using your data for studies or statistics

How It Works

1. For Direct Marketing

  • You can always stop companies from using your data for ads
  • They must stop right away
  • They can't say no

2. For Other Reasons

  • You need to explain why you're objecting
  • Companies can keep using your data if they have good reasons
  • Their reasons must be more important than your privacy

3. Time to Answer

Companies have one month to respond. They can take up to two more months if it's a hard case.

How to Object

To object:

  1. Contact the company
  2. Say clearly that you object
  3. Explain why (except for direct marketing)
  4. Tell them which data and uses you're objecting to

Companies must tell you about your right to object, especially for marketing, public tasks, or their own interests.

Real-World Example

In 2019, the French data protection authority (CNIL) fined Google €50 million. One reason was that Google didn't make it easy for users to object to personalized ads. This shows how important it is for companies to respect this right.

Things to Remember

  • Objecting doesn't erase past data use
  • Companies might keep your info on a "do not contact" list
  • Companies can charge you if you object too much or without reason

This right helps you control how companies use your data, especially for marketing.

8. Right to Avoid Automated Decisions

The GDPR gives people rights about computer-made decisions that affect them a lot. This is in Article 22 of the GDPR.

When This Right Applies

You can use this right when a company makes big decisions about you using only computers, without any human input. This applies in three main cases:

Case | Example
For a contract | A bank uses a computer to decide if you get a loan
When the law allows it | A government uses a computer to check if you can get benefits
If you agree to it | You let a job website use a computer to match you with jobs

What Companies Must Do

If companies use computers to make big decisions, they must:

  1. Let you ask for a person to check the decision
  2. Let you share your opinion
  3. Let you challenge the decision

Real Examples

Here are some cases where this right mattered:

  1. Amazon's Hiring Tool (2018)

    • Problem: The tool didn't pick women for tech jobs
    • Result: Amazon stopped using it
  2. COMPAS Risk Tool (2016)

    • Problem: It said black defendants were more likely to commit crimes again
    • Result: Many courts stopped using it
  3. Italian Teacher Placement (2019)

    • Problem: A computer system placed teachers in schools
    • Result: A court said it was unfair because no one knew how it worked

How to Use This Right

If you think a computer made a big decision about you:

  1. Ask the company how they made the decision
  2. If you don't like the decision, ask for a person to look at it
  3. Tell them why you think the decision is wrong
  4. Ask them to explain how the computer system works

Why This Matters

This right helps make sure that big decisions about your life aren't just made by computers. It lets you have a say and makes sure companies use computer systems fairly.

Conclusion

The GDPR's eight data subject rights give people more control over their personal information. These rights include:

Right | What it means
Access | Get a copy of your data
Rectification | Fix wrong information
Erasure | Ask to delete your data
Restrict processing | Limit how your data is used
Data portability | Move your data to another service
Object | Stop certain data uses
Automated decisions | Ask for human review of computer choices

Companies must follow these rules or face big fines. In 2023, GDPR fines reached €2,054,277,662, according to CMS law firm's Enforcement Tracker Report.

These rights help build trust. A 2019 DMA study found 62% of UK consumers felt better about sharing data because of GDPR.

For people:

  • Know your rights
  • Ask companies about your data
  • Companies must answer in one month, usually for free

For companies:

  • Take these rights seriously
  • Have clear processes to handle requests
  • Train staff on GDPR rules

GDPR helps balance new tech with privacy. By respecting these rights, we can create a safer digital world.

Key takeaways:

  • GDPR gives people more say over their data
  • Big fines for companies that break the rules
  • Rights help build trust between people and businesses
  • Both people and companies play a part in protecting data

FAQs

What is the GDPR data subject right to access?

The GDPR data subject right to access lets people get information about their personal data. This includes:

Information | Description
Processing purposes | Why the data is being used
Data categories | Types of personal data collected
Recipients | Who receives or sees the data
Storage duration | How long the data will be kept
Other rights | Information on fixing, deleting, or limiting data use

What is the EU's right to be forgotten?

The EU's right to be forgotten, also called the right to erasure, lets people ask companies to delete their personal data. This right is part of the GDPR and helps people control their information.

Does GDPR have right to be forgotten?

Yes, the GDPR includes the right to be forgotten. Article 17 of the UK GDPR gives people the right to have their personal data erased. This applies to data the company has when they get the request.

Which act gives right to data portability?

Article 20 of the GDPR gives people the right to data portability. This means people can:

  • Get their personal data in a format that's easy to read by computers
  • Move their data to another company without problems

How does the right to be forgotten work?

The right to be forgotten works like this:

  1. A person asks a company to delete their data
  2. The company must remove the data if:
    • They don't need it anymore
    • The person takes back their permission
    • The data was used illegally

Can you give an example of the right to be forgotten?

In 2014, a man in Spain won a case against Google. He wanted old information about his financial troubles removed from search results. This case helped create the right to be forgotten in the EU.

How many requests has Google received about the right to be forgotten?

Google has received requests to remove nearly 2.5 million web addresses from its search results since this right was created.

What should companies do to follow the right to be forgotten?

Companies should:

  • Check their data regularly
  • Keep a list of personal data they have
  • Have a clear process for handling delete requests

What happens if companies don't follow the right to be forgotten?

Companies can face big fines if they don't follow the GDPR rules, including the right to be forgotten.

Is there a time limit for companies to respond to data requests?

Yes, companies usually have one month to respond to requests about personal data. They can take up to two more months for complex cases, but they must explain why.
