8 GDPR Data Subject Rights Explained
Explore the key rights GDPR grants EU residents over their personal data. Learn about the rights to information, access, correction, erasure, restriction of processing, data portability, objection, and avoiding automated decisions.

The General Data Protection Regulation (GDPR) gives EU residents 8 key rights over their personal data:
Right | What it means |
---|---|
1. Information | Know what data is collected and why |
2. Access | See what personal data a company has |
3. Correction | Fix wrong information |
4. Erasure | Ask for data to be deleted |
5. Restrict Processing | Limit how data is used |
6. Data Portability | Move data to another service |
7. Object | Say no to certain data uses |
8. Avoid Auto Decisions | Not be subject to decisions made only by machines |
These rights help protect privacy, make companies more careful with data, and build trust. Companies face fines up to €20 million for violations. This article explains each right in detail, showing how they work and why they matter for both individuals and businesses.
1. Right to Be Informed
The Right to Be Informed is a key part of GDPR. It makes sure people know how companies use their personal data. This right helps build trust between businesses and customers.
What Companies Must Tell You
When a company collects your data, they must provide this information:
Information | Description |
---|---|
Company Details | Name and contact info of the data controller |
Data Use | Why they're collecting your data and how they'll use it |
Legal Reason | Why they're allowed to process your data |
Data Sharing | Who will see or use your personal data |
Storage Time | How long they'll keep your data |
Your Rights | How you can access, fix, or delete your data |
Complaints | How to report issues to authorities |
When You Should Get This Information
- If a company gets data directly from you: They must tell you right away
- If they get your data from somewhere else: They must tell you within one month
Real-World Impact
The European Commission did a survey in 2022. They found that 67% of EU citizens feel they have more control over their personal data since GDPR started. This shows that being open about data use helps people feel more secure.
Company Example: Airbnb
Airbnb updated its privacy policy after GDPR came into effect. They now use a clear, easy-to-read format. Their policy explains:
- What data they collect (like your name and email)
- Why they need it (to book stays and verify your identity)
- Who they share it with (like hosts you book with)
- How long they keep it (usually for as long as you have an account)
This approach helps Airbnb users understand their data rights and builds trust in the platform.
2. Right of Access
The Right of Access lets people ask companies for their personal data. This right is key to GDPR and helps people understand how companies use their information.
What You Can Ask For
When you make a Subject Access Request (SAR), companies must give you:
Information | Description |
---|---|
Data confirmation | Proof they have your data |
Data copy | A copy of your personal data |
Processing purpose | Why they use your data |
Data categories | Types of data they have |
Recipients | Who sees or uses your data |
Storage time | How long they keep your data |
Your rights | How to fix, delete, or limit data use |
Complaints | How to report issues |
Data source | Where they got your data |
Auto decisions | Info on computer-only choices about you |
How It Works
Companies must answer SARs within one month. They can't charge you for this, except for extra copies. If you ask online, they should reply online too.
Real-World Example
In 2019, the UK's Information Commissioner's Office (ICO) changed how companies count days to answer SARs. For a request made on August 19, 2019, companies had to reply by September 19, 2019. This change came from a 2004 EU court decision.
Things to Know
- Companies can take longer to answer if your request is hard or you ask for a lot.
- They might ask you questions to make sure it's really you asking.
- If they need more info from you, the one-month clock starts when they get it.
- Companies can say no if you ask too much or too often.
Why It Matters
This right helps you:
- Check if your data is correct
- See how companies use your info
- Make sure companies follow the rules
It's a powerful tool to protect your privacy and keep companies honest about data use.
3. Right to Rectification
The Right to Rectification lets people fix wrong or incomplete personal data that companies have about them. This right is part of GDPR and helps keep data correct.
How the Right to Rectification Works
What You Can Do | What Companies Must Do | Time Frame |
---|---|---|
Ask to fix wrong data | Correct mistakes quickly | Usually within 1 month |
Add missing information | Complete incomplete data | Without delay |
Provide proof if needed | Tell other companies about changes | As soon as possible |
Steps to Fix Your Data
- Find the mistakes in your data
- Contact the company
- Explain what's wrong
- Give proof if you need to
- Follow up if they don't answer
Company Duties
Companies must:
- Fix wrong data quickly
- Fill in missing data
- Tell other companies about changes
- Stop using data if there's a dispute about its accuracy
Real-World Example
In Spain, a credit agency was fined €1 million for keeping wrong debt records. This shows how important correct data is.
Possible Problems
Sometimes companies might:
- Say they don't need to fix the data
- Not accept your proof
- Say their systems can't make the changes
Key Points to Remember
- You don't have to pay to fix your data
- You can ask in writing or by talking to the company
- Companies should answer within a month
- If they take longer, they must tell you why
This right helps keep your data correct and protects your privacy.
4. Right to Erasure (Right to Be Forgotten)
The Right to Erasure, also called the Right to Be Forgotten, lets people ask companies to delete their personal data. This right is part of the GDPR.
How the Right to Erasure Works
Aspect | Details |
---|---|
Legal Basis | GDPR Article 17 |
Time to Respond | 1 month |
Who Can Use It | EU residents |
What It Covers | Personal data held by companies |
When You Can Ask for Erasure
You can ask a company to delete your data when:
- They don't need your data anymore
- You take back your permission
- You object to how they use your data
- They used your data illegally
- They must delete it by law
- They collected data from a child
Limits to the Right
Companies can keep your data if they need it for:
- Free speech
- Following the law
- Public health reasons
- Research or statistics
- Legal claims
Real-World Example
In 2020, Google got a €600,000 fine in Belgium. They didn't remove links about a person when asked. The links had old, harmful info. This shows companies must take these requests seriously.
Tips for Companies
- Make clear steps for handling delete requests
- Keep track of what personal data you have
- Check your data regularly
- Train staff about GDPR rules
- Write down why you accept or deny requests
5. Right to Restrict Processing
The Right to Restrict Processing lets people limit how companies use their personal data without deleting it. This right is part of Article 18 of the GDPR.
When You Can Use This Right
You can ask a company to stop using your data when:
Reason | Explanation |
---|---|
Wrong data | You think the information is incorrect |
Illegal use | The company is using your data unlawfully |
Legal needs | You need the data for a lawsuit |
Objection | You've said no to data use and are waiting for a decision |
How It Works
- Tell the company you want to restrict your data use
- The company must answer within one month
- They can only store your data, not use it
- The company must tell you before they start using your data again
Real-World Example
In 2022, the Irish Data Protection Commission fined Meta €265 million. Meta didn't protect user data properly, including the right to restrict processing. This shows how important this right is and what can happen if companies don't follow the rules.
What Companies Must Do
Action | Details |
---|---|
Stop processing | Can only store the data |
Get permission | Need your okay to use the data again |
Tell others | Let other companies know about the restriction |
Keep records | Track all restriction requests |
Tips for Using This Right
- Be clear about which data you want to restrict
- Explain why you're asking for the restriction
- Keep a copy of your request and the company's answer
- Follow up if you don't hear back in a month
6. Right to Data Portability
The Right to Data Portability lets people get their personal data from companies and move it to other services easily. This right is part of Article 20 of the GDPR.
What This Right Covers
Aspect | Details |
---|---|
Data format | Easy for computers to read (like CSV files) |
What data | Personal info you gave the company |
When it applies | If the company uses your data based on your permission or a contract |
How data is processed | By computer systems |
Cost | Free (unless you ask too much) |
Time to respond | 1 month (can be 3 months if it's hard) |
You can also ask companies to send your data straight to another company if it's possible to do so.
Limits of This Right
This right doesn't work for:
- Data the company needs for public tasks
- Data used because of official power
Also, using this right shouldn't hurt other people's rights.
Real Examples
-
- What it does: Lets you download your data from Google services
- How it works: You can get your emails, documents, and YouTube videos in formats easy to use elsewhere
- Open Banking (UK)
  - What it does: Makes banks share customer data with other companies
  - How it works: Uses standard ways to share data so you can use new financial services easily
Why It Matters
This right helps you:
- Switch between services more easily
- Try new services without losing your data
- Have more control over your personal information
It also makes companies compete more, which can lead to better services for users.
7. Right to Object
The Right to Object lets people tell companies to stop using their personal data in certain cases. This right is part of Article 21 of the GDPR.
When You Can Object
You can object when a company uses your data for:
Reason | Example |
---|---|
Their own interests | Using your data to improve their products |
Public tasks | Government agencies using your data |
Direct marketing | Sending you ads or promotional emails |
Research | Using your data for studies or statistics |
How It Works
1. For Direct Marketing
- You can always stop companies from using your data for ads
- They must stop right away
- They can't say no
2. For Other Reasons
- You need to explain why you're objecting
- Companies can keep using your data if they have good reasons
- Their reasons must be more important than your privacy
3. Time to Answer
Companies have one month to respond. They can take up to two more months if it's a hard case.
How to Object
To object:
- Contact the company
- Say clearly that you object
- Explain why (except for direct marketing)
- Tell them which data and uses you're objecting to
Companies must tell you about your right to object, especially for marketing, public tasks, or their own interests.
Real-World Example
In 2019, the French data protection authority (CNIL) fined Google €50 million. One reason was that Google didn't make it easy for users to object to personalized ads. This shows how important it is for companies to respect this right.
Things to Remember
- Objecting doesn't erase past data use
- Companies might keep your info on a "do not contact" list
- Companies can charge you if you object too much or without reason
This right helps you control how companies use your data, especially for marketing.
8. Rights Related to Automated Decision Making
The GDPR gives people rights about computer-made decisions that affect them a lot. This is in Article 22 of the GDPR.
When This Right Applies
You can use this right when a company makes big decisions about you using only computers, without any human input. This applies in three main cases:
Case | Example |
---|---|
For a contract | A bank uses a computer to decide if you get a loan |
When the law allows it | A government uses a computer to check if you can get benefits |
If you agree to it | You let a job website use a computer to match you with jobs |
What Companies Must Do
If companies use computers to make big decisions, they must:
- Let you ask for a person to check the decision
- Let you share your opinion
- Let you challenge the decision
Real Examples
Here are some cases where this right mattered:
- Amazon's Hiring Tool (2018)
  - Problem: The tool didn't pick women for tech jobs
  - Result: Amazon stopped using it
- COMPAS Risk Tool (2016)
  - Problem: It said black defendants were more likely to commit crimes again
  - Result: Many courts stopped using it
- Italian Teacher Placement (2019)
  - Problem: A computer system placed teachers in schools
  - Result: A court said it was unfair because no one knew how it worked
How to Use This Right
If you think a computer made a big decision about you:
- Ask the company how they made the decision
- If you don't like the decision, ask for a person to look at it
- Tell them why you think the decision is wrong
- Ask them to explain how the computer system works
Why This Matters
This right helps make sure that big decisions about your life aren't just made by computers. It lets you have a say and makes sure companies use computer systems fairly.
Conclusion
The GDPR's eight data subject rights give people more control over their personal information. These rights include:
Right | What it means |
---|---|
Access | Get a copy of your data |
Rectification | Fix wrong information |
Erasure | Ask to delete your data |
Restrict processing | Limit how your data is used |
Data portability | Move your data to another service |
Object | Stop certain data uses |
Automated decisions | Ask for human review of computer choices |
Companies must follow these rules or face big fines. In 2023, GDPR fines reached €2,054,277,662, according to CMS law firm's Enforcement Tracker Report.
These rights help build trust. A 2019 DMA study found 62% of UK consumers felt better about sharing data because of GDPR.
For people:
- Know your rights
- Ask companies about your data
- Companies must answer in one month, usually for free
For companies:
- Take these rights seriously
- Have clear processes to handle requests
- Train staff on GDPR rules
GDPR helps balance new tech with privacy. By respecting these rights, we can create a safer digital world.
Key takeaways:
- GDPR gives people more say over their data
- Big fines for companies that break the rules
- Rights help build trust between people and businesses
- Both people and companies play a part in protecting data
FAQs
What is the GDPR data subject right to access?
The GDPR data subject right to access lets people get information about their personal data. This includes:
Information | Description |
---|---|
Processing purposes | Why the data is being used |
Data categories | Types of personal data collected |
Recipients | Who receives or sees the data |
Storage duration | How long the data will be kept |
Other rights | Information on fixing, deleting, or limiting data use |
What is the EU's right to be forgotten?
The EU's right to be forgotten, also called the right to erasure, lets people ask companies to delete their personal data. This right is part of the GDPR and helps people control their information.
Does GDPR have a right to be forgotten?
Yes, the GDPR includes the right to be forgotten. Article 17 of the UK GDPR gives people the right to have their personal data erased. This applies to data the company has when they get the request.
Which act gives the right to data portability?
Article 20 of the GDPR gives people the right to data portability. This means people can:
- Get their personal data in a format that's easy to read by computers
- Move their data to another company without problems
How does the right to be forgotten work?
The right to be forgotten works like this:
- A person asks a company to delete their data
- The company must remove the data if:
  - They don't need it anymore
  - The person takes back their permission
  - The data was used illegally
Can you give an example of the right to be forgotten?
In 2014, a man in Spain won a case against Google. He wanted old information about his financial troubles removed from search results. This case helped create the right to be forgotten in the EU.
How many requests has Google received about the right to be forgotten?
Google has received requests to remove nearly 2.5 million web addresses from its search results since this right was created.
What should companies do to follow the right to be forgotten?
Companies should:
- Check their data regularly
- Keep a list of personal data they have
- Have a clear process for handling delete requests
What happens if companies don't follow the right to be forgotten?
Companies can face big fines if they don't follow the GDPR rules, including the right to be forgotten.
Is there a time limit for companies to respond to data requests?
Yes, companies usually have one month to respond to requests about personal data. They can take up to two more months for complex cases, but they must explain why.