Data Subject Rights

What data subject rights do individuals have under the GDPR?

Under the General Data Protection Regulation (GDPR), individuals — known as data subjects — have a range of rights designed to give them greater control over their personal data. These include:

  • Right to Access (Article 15): Individuals can request confirmation of whether their personal data is being processed and, if so, access to that data, including details of its purpose, category, and recipients.
  • Right to Rectification (Article 16): Individuals can request correction of inaccurate or incomplete personal data.
  • Right to Erasure (Article 17) – “Right to Be Forgotten”: Individuals can request deletion of their data when it is no longer necessary, consent is withdrawn, or processing is unlawful.
  • Right to Restrict Processing (Article 18): Individuals can request that processing of their data be limited, for example while accuracy is being verified.
  • Right to Data Portability (Article 20): Individuals can receive their data in a structured, commonly used, machine-readable format and request its transfer to another controller.
  • Right to Object (Article 21): Individuals can object to processing based on legitimate interests or for direct marketing. Processing must stop unless there are overriding legitimate grounds.
  • Rights in Relation to Automated Decision-Making and Profiling (Article 22): Individuals can request human review of decisions made solely by automated means and challenge such decisions.
  • Right to Withdraw Consent (Article 7): Where processing is based on consent, individuals can withdraw it at any time.
  • Right to Be Informed (Articles 13–14): Individuals must be informed about who is processing their data, why, and how.
  • Right to Lodge a Complaint (Article 77): Individuals can file a complaint with a supervisory authority if they believe their rights have been violated.

These rights ensure individuals have meaningful control over how their personal data is collected, used, and shared. Organisations must respond to data subject requests within specific timeframes set by the GDPR.


Why do I need consent, and how is it obtained?

If you carry out certain personal data processing activities, such as online marketing, you must first obtain the individual's consent.
Consent must be:

  • Clear and explicit – separate from other text and unambiguous.
  • Freely given and specific – the person must understand exactly what they are agreeing to.
  • Active – silence, inactivity, or pre-ticked boxes do not count as valid consent.

Individuals must also be able to withdraw consent (opt out) easily at any time.


Can a data subject withdraw consent?

Yes. Under the GDPR, a data subject can withdraw consent at any time.
Withdrawal applies only to future processing, not to data already processed before the withdrawal.
If the original consent did not meet GDPR standards, it must be re-obtained.


What is the “Right to Be Forgotten”?

The Right to Be Forgotten (also known as the Right to Erasure) allows individuals to request that their personal data be deleted or anonymised.
Organisations must erase data without undue delay — usually within one month of receiving the request — if one of the following applies:

  • The data is no longer necessary for its original purpose.
  • The individual withdraws consent and there is no other legal basis for processing.
  • The organisation relies on legitimate interest, but the individual objects and there is no overriding justification.
  • The data is processed for direct marketing and the individual objects.
  • The processing is unlawful.
  • Erasure is required to comply with a legal obligation.

However, the right to be forgotten does not apply where data is processed for:

  • Exercising freedom of expression or information.
  • Compliance with a legal obligation.
  • Performing a task in the public interest or vital interest.
  • Establishing or defending legal claims.


What does the “Right to Be Informed” mean?

Individuals have the right to be informed about how and why their personal data is being processed.
Organisations must provide information that is concise, transparent, easily accessible, and clearly written — free of charge.

When collecting data, individuals must be informed about:

  • The name and contact details of the organisation (and DPO, if applicable).
  • The purposes and lawful basis for processing.
  • The categories of data collected (if not from the individual).
  • The recipients or categories of recipients of the data.
  • Any international data transfers.
  • The data retention period.
  • The rights available to the individual.
  • The right to withdraw consent (if applicable).
  • The right to lodge a complaint with a supervisory authority.
  • The source of the personal data (if not collected directly).
  • Any legal or contractual obligations related to providing data.
  • The existence of automated decision-making or profiling.

You can read more in the EDPB Guidelines on the Right of Access (also known as the Right to Be Informed).


What does the “Right to Data Portability” mean?

The Right to Data Portability allows individuals to obtain their personal data from one service provider and reuse it with another.
This data must be provided in a structured, commonly used, and machine-readable format, enabling easy and safe transfer without affecting usability (where technically possible).


What is the “Right to Rectification”?

Under Article 16 of the GDPR, individuals have the right to request correction of inaccurate data or completion of incomplete data.
Controllers must take reasonable steps to ensure accuracy and promptly correct data where necessary, taking into account the information provided by the data subject.


How is data from children handled?

If you process data from children under the age of 16 for online services, you must obtain parental consent before processing their personal data.


Does the GDPR affect direct marketing?

Yes. Marketing activities that use personal data must comply with the GDPR.
Consent must be obtained before sending marketing communications, and existing consent forms should be reviewed to ensure they meet GDPR standards.

There are specific rules for B2B and B2C marketing under the GDPR.
You can read more about these in the guidelines on Direct Marketing and GDPR.