Data Subject Rights Under GDPR: What They Are and How to Comply

The General Data Protection Regulation (GDPR) grants individuals, known as data subjects, specific rights concerning their personal data. Understanding and complying with these data subject rights is crucial for organizations handling personal information within the European Union (EU) and the European Economic Area (EEA). This comprehensive guide delves into the essence of data subject rights, outlines the eight fundamental rights under the GDPR, discusses their legal and practical implications, and provides actionable steps for organizations to ensure compliance.
Data subject rights are provisions under the GDPR that empower individuals to have control over how their personal data is collected, processed, and utilized. These GDPR rights aim to enhance transparency, allow individuals to access and manage their data, and hold organizations accountable for data protection. For more detail, see: Who does GDPR apply to.
A data subject is any individual whose personal data is processed by an organization. This includes customers, employees, and any other individuals whose data is collected and used by a data controller or processor.
The GDPR outlines eight fundamental rights of data subjects:
Data subjects have the right to be informed about the collection and use of their personal data. Organizations must provide clear and concise information regarding the purposes of data processing, data retention periods, and who the data will be shared with. This information is typically conveyed through privacy notices or policies.
Under Article 15, individuals have the right to access their personal data held by an organization. This includes obtaining confirmation of whether their data is being processed, accessing the actual data, and receiving information about how the data is being used. Organizations must provide a copy of the personal data upon request, free of charge, within one month.
Article 16 grants data subjects the right to have inaccurate or incomplete personal data corrected. If an individual identifies that their data is incorrect or outdated, they can request the organization to rectify it promptly.
Also known as the "Right to Be Forgotten," Article 17 allows individuals to request the deletion of their personal data in certain circumstances, such as:
However, this right is not absolute and may be overridden by other legal obligations or public interest considerations.
Article 18 provides individuals with the right to restrict the processing of their personal data under specific circumstances, including:
When processing is restricted, organizations can store the data but not use it.
Article 20 grants data subjects the right to receive their personal data in a structured, commonly used, and machine-readable format. It also allows for the direct transfer of data from one controller to another, where technically feasible. This right applies when processing is based on consent or a contract and is carried out by automated means.
Under Article 21, individuals have the right to object to the processing of their personal data where that processing is based on legitimate interests or on the performance of a task in the public interest. If an individual objects, the organization must cease processing unless it can demonstrate compelling legitimate grounds that override the individual's rights, or unless the processing is needed for the establishment, exercise, or defence of legal claims.
Article 22 provides individuals with the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or significantly affects them. Exceptions exist if the decision is necessary for a contract, authorized by law, or based on explicit consent.
Understanding the legal framework supporting GDPR rights and the consequences of non-compliance is essential for organizations.
The GDPR dedicates Chapter 3 (Articles 12 to 23) to outlining data subject rights and the obligations of data controllers and processors in facilitating these rights. Each right is detailed within specific articles, providing legal grounding and guidance for implementation.
Non-compliance with data subject rights can lead to significant penalties under the GDPR. Fines can reach up to €20 million or 4% of the organization's global annual turnover, whichever is higher. Beyond financial penalties, organizations may suffer reputational damage and loss of customer trust.
Several organizations have faced substantial fines for failing to uphold data protection rights. For instance, in 2020, H&M was fined €35.3 million for violating GDPR rights.
Organizations must first determine whether the request falls under data subject rights and categorize it appropriately (e.g., access, rectification, erasure, etc.).
Before processing a request, it is essential to confirm the identity of the requester to prevent unauthorized data access or manipulation.
Under GDPR, organizations must respond to data subject requests within one month. In some cases, an extension may be granted if the request is complex.
Organizations should document all requests, responses, and any actions taken to demonstrate compliance in case of audits or legal inquiries.
With increasing awareness of GDPR privacy rights, organizations may receive a large number of requests, requiring efficient processes and automation.
While honoring the rights of data subjects, businesses must also ensure operational efficiency and regulatory compliance without compromising security.
Handling requests accurately and within the legal timeframe is challenging, especially for organizations managing vast amounts of personal data.
Organizations can leverage specialized GDPR compliance software to streamline request management, documentation, and reporting.
Data mapping tools help organizations track and categorize personal data, enabling quick responses to data subject access requests and compliance with GDPR requirements.
Regular GDPR training programs ensure that employees are well-equipped to handle data subject requests and maintain GDPR compliance.
Organizations must implement strong policies and procedures to handle data subject rights requests effectively. Here are some actionable steps to ensure compliance:
Organizations should create a transparent data subject rights policy and privacy notices that clearly outline how personal data is collected, processed, stored, and shared. These notices should be easy to access and understand.
A structured process should be in place to manage and respond to requests related to data subject rights, including:
All employees handling personal data should be trained on the GDPR compliance checklist and how to handle data subject requests effectively.
Organizations should use encryption, access controls, and data minimization strategies to ensure personal data is securely managed and protected from unauthorized access.
Periodic audits should be conducted to ensure ongoing compliance with GDPR regulations, identify potential gaps, and address any compliance risks.
For organizations that process large amounts of personal data, appointing a Data Protection Officer (DPO) can help oversee GDPR compliance and manage data subject requests.
Under Article 30 of the GDPR, organizations must maintain records of their data processing activities, including details about data subject requests and how they were handled.
Organizations should have clear systems in place for obtaining, recording, and managing user consent, ensuring compliance with GDPR’s requirements for lawful data processing.
DPO consulting offers expert GDPR compliance services ensuring your organization covers all the crucial aspects of this regulation.
The right to access under GDPR allows individuals to request and obtain a copy of their personal data that an organization holds. This right ensures transparency by enabling individuals to understand how their data is being processed and whether it is handled lawfully.
Yes. Organizations may refuse deletion requests if the data is necessary for legal obligations, public interest, freedom of expression, or the establishment, exercise, or defense of legal claims.
Under GDPR, businesses must respond to any data subject request within one month. If a request is complex or requires additional information, the organization may extend the deadline by up to two additional months, but the individual must be informed of the delay.
In most cases, businesses cannot charge for handling data subject requests. However, if the request is clearly unfounded, excessive, or repetitive, organizations may charge a reasonable fee to cover administrative costs or refuse the request.
If a business refuses to comply with a data subject request, it must provide a clear explanation for the refusal and inform the individual of their right to lodge a complaint with a supervisory authority. Non-compliance can result in fines and reputational damage.
Investing in GDPR compliance efforts can weigh heavily on large corporations as well as smaller to medium-sized enterprises (SMEs). Turning to an external resource or support can relieve the burden of an internal audit on businesses across the board and alleviate the strain on company finances, technological capabilities, and expertise.
External auditors and expert partners like DPO Consulting are well-positioned to help organizations effectively tackle the complex nature of GDPR audits. These trained professionals act as an extension of your team, helping to streamline audit processes, identify areas of improvement, implement necessary changes, and secure compliance with GDPR.
Entrusting the right partner provides the advantage of impartiality and adherence to industry standards and unlocks a wealth of resources such as industry-specific insights, resulting in unbiased assessments and compliance success. Working with DPO Consulting translates to valuable time saved and takes away the burden from in-house staff, while considerably reducing company costs.