In a data-driven world, honouring privacy rights is more crucial than ever, and that is exactly the objective of the GDPR. The General Data Protection Regulation secures 8 rights for EU citizens. This guide gives a detailed overview of these GDPR data subject rights.
What are GDPR data subject rights and why do they matter?
Data subject rights are privacy-related rights granted by GDPR to EU citizens allowing individuals to have control over their personal data. These rights are significant for protecting the interests and privacy of data subjects.
Why are data subject rights important?
Data subject rights are important in the following ways:
- They promote transparency among data controllers, processors and individuals
- They give data subjects greater decision-making power over their personal data
- They curb the misuse of personal data and cultivate trust
- They help protect the confidentiality and integrity of personal data
- They allow individuals to rectify any inaccuracy or incompleteness in their personal data
Data subjects exercise their GDPR rights by submitting data subject requests to businesses. All organisations that fall under the scope of the GDPR must provide sufficient and effective mechanisms for submitting and fulfilling these requests.
What are the 8 GDPR rights?
The European data protection law grants EU citizens the following data subject rights.
Right to be informed
Data subjects have the right to be informed about the collection of their data, and what must be disclosed depends on whether the data is collected directly from them or indirectly. Examples include the identity of the business, the purpose of collection, who has access to the data and the data retention period.
The following slides depict the information that must be provided to the data subjects based on the source of data collection as outlined by the European Data Protection Board.
The information must be provided in an accessible, concise and understandable format without any jargon. Businesses usually give them out as a privacy policy, also known as a privacy notice, privacy statement or privacy information.
Provide the information at the time of data collection if you obtain personal data directly from individuals and within a reasonable time not longer than one month if you collect them from other sources.
If your website uses cookies, you must also provide a cookie policy along with cookie consent banners to adhere to GDPR requirements and avoid non-compliance penalties.
It is not necessary to provide information that the data subjects already know, or where providing it would take a disproportionate effort. To comply with this right:
- Conduct a data audit to understand your data practices
- Be prompt in providing information
- Review the information at regular intervals
- Make the information easily accessible, concise, transparent and easy-to-understand
- Carry out user testing to identify whether the purposes of providing information are met successfully
- Use a layered approach and icons to make it convenient for data subjects to comprehend
Right to access
Under the GDPR, individuals have the right to verify whether a data controller is processing their personal data. If so, they can also obtain details about how you process the data.
Data subjects have a right of access to the following information:
- Purposes of the processing
- Categories of personal data processed
- Recipients/categories of recipients with whom you share the data
- Data retention period, or the criteria used to determine that period
- The existence of data subject rights such as to correct, erase, restrict or object
- Right to lodge a complaint
- The source from which you received the personal data if not collected directly from the data subject
- The existence of automated decision-making or profiling and its impact
- Information regarding the security safeguards implemented in case of cross-border transfer
- Copy of the personal data processed
As a business handling EU personal data, you must have a streamlined process to fulfil data subject access requests.
Right to rectification
Data subjects can ask data controllers to correct inaccurate personal data or to complete incomplete personal data. This right is closely related to a controller’s duty to keep the data accurate and up to date.
Equip your organisation to verify and carry out such requests without delay. You must also take proper measures to ensure that the data you keep is accurate and free from errors.
Right to erasure / right to be forgotten
This right enables individuals to have their personal data erased from a data controller’s systems. However, it is not an absolute right and applies only under the following conditions.
- Personal data is no longer required for the original purpose of collection
- Consent is the legal basis for processing and the data subject withdrew their consent
- The data subject objects to processing their data and there is no overriding legitimate interest to continue the processing
- The controller carries out data processing unlawfully
- Erasure is required to comply with a legal obligation
- The processing activities were carried out to provide information society services to a child
The law also requires that businesses that have disclosed personal data to others must take steps to inform the recipients of the erasure request made by the data subject.
In most cases, the right to erasure applies to both live and backup systems. In addition to immediate deletion from live systems, ensure that the data in backups is at least rendered unusable until it is overwritten.
Right to restrict processing
Data subjects can require a data controller to limit the use of their personal data under specific circumstances. The restriction can cover collection, dissemination, structuring and sometimes even erasure of the data.
The conditions under which individuals can restrict the processing are:
- The data subject questions the accuracy and the data controller needs time to verify the accuracy
- The data is unlawfully processed and the individual requires restriction instead of deletion of the data
- The original purpose of collection no longer applies, but the data is required for legal purposes
- The data subject has requested a restriction of processing and the data controller is confirming whether its legitimate interests override those of the data subject
Upon receiving a restriction request, the data controller must refrain from processing the personal data for any purpose other than storage, unless it has the data subject’s explicit consent, or needs the data to establish or defend legal claims, to protect the rights of another person, or to serve the public interest.
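The restriction rule above is easy to state and easy to get wrong in a code base where many services touch the same record. The following is an added example (not code from the original page or from CookieYes) of a single enforcement point that every processing path calls before acting on a subject’s data: while a restriction is in force, only storage and the exceptions the page lists (explicit consent, legal claims, protecting rights, public interest) are allowed, and every decision is written to an audit trail. The purpose names and the `SubjectState` record are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    # Purpose names are assumed for this example; a real system would use its own catalogue.
    STORAGE = "storage"
    MARKETING = "marketing"
    ANALYTICS = "analytics"
    LEGAL_CLAIMS = "legal_claims"
    PROTECT_RIGHTS = "protect_rights"      # protecting the rights of another person
    PUBLIC_INTEREST = "public_interest"


# Purposes that remain permitted while processing is restricted, as listed on the page.
PERMITTED_WHILE_RESTRICTED = {
    Purpose.STORAGE,
    Purpose.LEGAL_CLAIMS,
    Purpose.PROTECT_RIGHTS,
    Purpose.PUBLIC_INTEREST,
}


@dataclass
class SubjectState:
    """Per-subject processing state (hypothetical structure for this example)."""
    subject_id: str
    restricted: bool = False
    restriction_reason: str = ""
    # Purposes the subject explicitly consented to after the restriction was applied.
    explicit_consents: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)


class ProcessingRestricted(Exception):
    """Raised when a processing purpose is blocked by an active restriction."""


def restrict(state, reason):
    # Record why the restriction was applied; the reason appears in every later denial.
    state.restricted = True
    state.restriction_reason = reason
    state.audit_log.append(("restrict", reason))


def lift_restriction(state, note):
    # The controller must be able to show when and why a restriction ended.
    state.restricted = False
    state.restriction_reason = ""
    state.audit_log.append(("lift", note))


def authorize(state, purpose):
    """Return True if processing for `purpose` may proceed; raise if it is blocked."""
    if not state.restricted:
        state.audit_log.append(("allow", purpose.value, "not restricted"))
        return True
    if purpose in PERMITTED_WHILE_RESTRICTED or purpose in state.explicit_consents:
        state.audit_log.append(("allow", purpose.value, "restricted; exception applies"))
        return True
    state.audit_log.append(("deny", purpose.value, state.restriction_reason))
    raise ProcessingRestricted(
        f"{purpose.value} blocked for {state.subject_id}: {state.restriction_reason}"
    )


if __name__ == "__main__":
    # Constructed walk-through: a subject contests accuracy, so marketing stops but storage continues.
    subject = SubjectState("subject-0001")
    restrict(subject, "accuracy contested; verification pending")
    authorize(subject, Purpose.STORAGE)
    try:
        authorize(subject, Purpose.MARKETING)
    except ProcessingRestricted as exc:
        print("blocked:", exc)
    for entry in subject.audit_log:
        print(entry)
```

Keeping the decision in one function, rather than checking a flag in each service, means a newly added processing path cannot forget the rule, and the audit log gives the evidence a supervisory authority may ask for when a restriction is disputed.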
Right to data portability
The data portability right allows data subjects to receive their personal data in a structured, commonly used and machine-readable format or to transmit the data directly to another data controller.
What does structured, commonly used and machine-readable format mean?
Structured data: It is easy to search, understand, analyse, transfer or process. Examples include data stored in spreadsheets and customer or product databases.
Commonly used: It means a format that is widely used such as CSV and XML.
Machine-readable format: The data must be machine-readable, meaning they must be capable of being automatically read by a computer.
The right applies only to personal data provided by the data subject, not to data collected from other sources. It does include data obtained by observing the data subject’s activities, such as online behaviour. It does not, however, include data created by the data controller, such as a profile derived from that analysis.
Data subjects can exercise this right under the following conditions:
- The lawful basis for processing was the data subject’s consent or performance of a contract
- The processing of data is carried out by automated means
The right allows individuals to keep their data in a transmittable format or reuse it for other purposes. Ensure that you have a systematic process for processing and storing data so that you can comply with this requirement.
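The portability rules above combine three things a developer must encode: the scope conditions (consent or contract as lawful basis, and automated processing), the provenance split (provided and observed data are in, controller-derived data is out), and the output formats (commonly used, machine-readable). The following added example, which is not code from the original page or from CookieYes, tags each personal datum with its provenance and produces both JSON and CSV exports that include only the portable categories. The record structure, field names and sample values are assumptions constructed for the illustration.

```python
import csv
import io
import json
from dataclasses import dataclass, field

# Provenance categories from the page: provided by the subject, observed from their
# activity, or derived by the controller (e.g. a profile). Only the first two are portable.
PROVIDED, OBSERVED, DERIVED = "provided", "observed", "derived"
PORTABLE_CATEGORIES = {PROVIDED, OBSERVED}

# Lawful bases under which the right applies, as stated on the page.
PORTABILITY_BASES = {"consent", "contract"}


@dataclass
class PersonalDatum:
    name: str
    value: object
    provenance: str  # PROVIDED, OBSERVED or DERIVED


@dataclass
class SubjectRecord:
    """Hypothetical per-subject record used for this example."""
    subject_id: str
    lawful_basis: str          # e.g. "consent", "contract", "legitimate_interest"
    automated_processing: bool
    data: list = field(default_factory=list)


class NotPortable(Exception):
    """Raised when the request falls outside the scope of the right."""


def check_portability_scope(record):
    # Both conditions listed on the page must hold before any data is exported.
    if record.lawful_basis not in PORTABILITY_BASES:
        raise NotPortable(f"lawful basis {record.lawful_basis!r} is not consent or contract")
    if not record.automated_processing:
        raise NotPortable("processing is not carried out by automated means")


def portable_items(record):
    # Derived data (profiles, scores) is deliberately excluded from the export.
    check_portability_scope(record)
    return [d for d in record.data if d.provenance in PORTABLE_CATEGORIES]


def export_json(record):
    # JSON: structured and machine-readable; sort keys for a stable, diffable output.
    payload = {
        "subject_id": record.subject_id,
        "data": [
            {"name": d.name, "value": d.value, "source": d.provenance}
            for d in portable_items(record)
        ],
    }
    return json.dumps(payload, indent=2, sort_keys=True)


def export_csv(record):
    # CSV: the "commonly used" tabular format named on the page. Non-scalar values
    # are JSON-encoded in the cell so the file stays machine-readable.
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["name", "value", "source"])
    for d in portable_items(record):
        writer.writerow([d.name, json.dumps(d.value), d.provenance])
    return buf.getvalue()


# Constructed sample record; the values are invented for this example.
SAMPLE = SubjectRecord(
    subject_id="subject-0001",
    lawful_basis="consent",
    automated_processing=True,
    data=[
        PersonalDatum("email", "alice@example.com", PROVIDED),
        PersonalDatum("newsletter_opt_in", True, PROVIDED),
        PersonalDatum("pages_viewed", ["/pricing", "/docs"], OBSERVED),
        PersonalDatum("interest_segment", "price-sensitive", DERIVED),
        PersonalDatum("churn_risk_score", 0.81, DERIVED),
    ],
)

if __name__ == "__main__":
    print(export_json(SAMPLE))
    print(export_csv(SAMPLE))
```

Tagging provenance at the point where data is written, rather than deciding at export time, is what makes the exclusion of derived data reliable; a request for a subject whose processing rests on legitimate interest is rejected before any data leaves the system.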
Right to object
This right enables individuals to object to the processing of their personal data under the following circumstances:
- When personal data is used for direct marketing purposes including profiling
- Public interest or exercise of official authority
- The legitimate interest of the controller
The GDPR requires all controllers to inform data subjects of their right to object to processing in their first communication with them.
The right to object to the processing of personal data for direct marketing purposes is absolute. Once a controller receives such a request, it must stop the processing.
However, the right is limited when the data is being processed for scientific or historical research and statistical purposes. This implies that data subjects can raise objections only if the processing does not serve a public interest.
Automated decision-making and profiling rights
This is one of the ground-breaking rights that GDPR introduced for EU citizens. Because of this, they can direct businesses to not subject them to automated decision-making including profiling that can produce legal or similar effects on the data subject.
Automated decisions are made by technology without any human intervention, for example checking your eligibility for a credit card online with no human involved in the decision.
Profiling is an automated processing of personal data used to evaluate personal aspects of a person such as their interests or behaviour to make predictions about them. Targeted advertising is a common result of profiling. Many online platforms widely use this process to advertise their products.
The rights related to automated decision-making and profiling do not apply in the following cases:
- The decision is necessary for entering into or performing a contract between the data controller and the data subject
- The decision is authorised by Union or Member State law
- The decision was based on the data subject’s consent
The law also obligates businesses to permit individuals to at least challenge the automated decision to safeguard the individual’s rights and freedoms in the first and second situations.
How should businesses handle data subject rights requests?
All privacy laws, including the GDPR, grant citizens privacy rights to give them control over their personal data. The GDPR requires data controllers to take a privacy-centric approach, which includes handling data subject requests efficiently.
Below is a short checklist that you may follow while handling requests.
- Confirm that the data subject request is valid and reasonable
- Verify the data subject’s identity
- Understand the requirements of the data subject
- Take steps to fulfil their request at the earliest possible
- Train your employees on how to handle requests
- Have a proper channel of communication for data subject requests
- Acknowledge receipt of the request to the data subject and fulfil it promptly (within 30 days)
FAQ on GDPR data subject rights for businesses
The GDPR grants its data subjects the right to:
- be informed
- access
- rectification
- erasure / be forgotten
- restriction of processing
- data portability
- object
- not be subjected to automated decision-making and profiling
A data subject under GDPR is a European citizen to whom the personal data belongs. For example, each visitor from the European Union visiting your website can be considered a data subject.
Follow these measures to ensure that you are complying with the right to be informed:
- Provide a GDPR-compliant privacy policy and cookie policy
- Include all the necessary information as prescribed by the law
- Use compliant policy generators like CookieYes
- Make the policies easily accessible, concise and understandable
- Avoid jargon and technical terms
- Take a layered approach and use appropriate icons
- User-test your policies and collect feedback
- Do not overload the policies with too much information
- Update the policies regularly, or whenever there is a change in your data practices