Data Subject Rights Guide: Who Holds the Actual Rights?

Updated August 22nd, 2023

Data subject rights are the set of entitlements granted to individuals, allowing them to exert control over the personal data that organizations collect, store, and process.

With an increasing number of businesses leveraging user data for insights, the boundaries of privacy are continually tested. Amidst this digital evolution, the concept of “data subject rights” has gained significant attention.

Given this context, a crucial question arises: Who exactly holds these rights?

In this article, we will explore what data subject rights are, who holds them, and the conditions under which they apply.

Let us dive in!

Table of contents

  1. What is data subject right & what does it entail?
  2. What are the 8 data subject rights under GDPR?
  3. Data subject rights guide: Who holds the actual rights?
  4. How can you exercise these rights: A guide to users
  5. Data subject rights procedure: 8 things to adopt
  6. Mistakes to Avoid: Common oversights of data subject rights non-compliance
  7. Summary
  8. Related reads

What is a data subject right and what does it entail?

Let’s delve into the concept of data subject rights and their significance.

What is a data subject right?

Under the General Data Protection Regulation (GDPR), data subject rights refer to the entitlements and protections granted to individuals in relation to their personal data.

A “data subject” in GDPR terms is an identified or identifiable person to whom specific personal data relates. The data subject rights under the GDPR are designed to empower these individuals, ensuring that their personal data is handled with the utmost respect and transparency.

The rights offer individuals a set of tools and mechanisms through which they can have agency over their personal data. This encompasses everything from the right to know whether their data is being processed, to having incorrect data amended, to objecting to the processing of their data for marketing purposes.

Importance of data subject rights

  1. Individual autonomy & empowerment
  2. Promotion of transparency & accountability
  3. Building trust
  4. Protecting against exploitation
  5. Ensuring data accuracy
  6. Legal and financial implications
  7. Promotion of ethical data practices

Let us explain in detail:

1. Individual autonomy & empowerment

In a world dominated by digital transactions and online interactions, personal data has become a commodity. These rights restore some measure of power to individuals, allowing them to dictate the terms of how their data is used, stored, and shared.

  • The sheer scale of data collection can leave individuals feeling powerless regarding how their data is used.
  • Data subject rights restore a sense of agency to individuals. They can decide whether they want their data stored, processed, or deleted.
  • They have a say in who has their information, how it’s used, and for what purpose, ensuring that their personal boundaries are respected.

2. Promotion of transparency & accountability

Data subject rights ensure that organizations are not just taking data without consent but are transparent about how they’re using it and for what purpose. This promotes ethical data practices and holds companies accountable.

  • One of the significant criticisms of many modern digital enterprises is the opaque nature of their data practices.
  • Users often don’t know how their information is used, sold, or shared. Data subject rights compel organizations to be open about their data practices.
  • Companies must now disclose their intentions clearly and obtain explicit consent. This openness not only builds trust but also holds organizations accountable for breaches or misuse.

3. Building trust

When consumers know that an organization respects their privacy and data rights, it fosters trust. In an era where data breaches and misuse of data are prevalent, trust becomes a significant differentiator in the market.

  • By ensuring that organizations adhere to data subject rights, individuals can have confidence that their data is being handled responsibly.
  • This trust is especially crucial for online enterprises or digital platforms, where users are more cautious about sharing personal information.
  • Respecting data subject rights thus becomes a competitive advantage, showcasing the company’s commitment to ethical practices.

4. Protecting against exploitation

Data is often referred to as the ‘new oil’ because of its value. Without proper rights in place, there’s a risk of individuals’ data being exploited for profit without their consent or benefit.

  • Personal data has immense value, both financially and strategically.
  • Data subject rights serve as a barrier against such exploitation, ensuring that personal data isn’t used unethically, and that individuals have the final say in how their data is used.

5. Ensuring data accuracy

Rights like the right to rectification ensure that the data held by organizations is accurate and up to date. This benefits not only individuals but also businesses, by ensuring that decisions are made based on accurate data.

  • This right ensures that individuals can correct inaccuracies in their personal data.
  • This not only empowers them but also benefits organizations by improving the quality of the data they hold.

6. Legal and financial implications

Non-compliance with data subject rights can lead to significant financial penalties under the GDPR. Beyond monetary penalties, businesses risk reputational damage, which can have long-lasting implications.

  • The GDPR comes with stringent penalties for non-compliance, which can be as high as 4% of an organization’s annual global turnover or €20 million, whichever is higher.
  • Beyond the immediate financial repercussions, non-compliance can lead to significant reputational damage.
  • Negative publicity around data breaches or misuse can deter potential customers and lead to lost business opportunities.

7. Promotion of ethical data practices

  • By emphasizing the importance of individual rights, GDPR encourages businesses to adopt a more ethical stance towards data collection, processing, and sharing.
  • This ensures that personal data isn’t just collected indiscriminately, but there’s a valid reason and respect for the individual’s preferences.
  • Instead of seeing it merely as a resource to be mined, organizations are now urged to treat personal data with respect and care, recognizing the inherent rights of the individuals behind the data.
  • This fosters a culture where data is collected and used ethically, ensuring that personal boundaries are respected, and the intrinsic value of personal data is recognized.

In essence, data subject rights are the cornerstone of the GDPR’s focus on personal data protection. They’re essential in today’s digital age to ensure the balance of power between individuals and organizations and to protect individuals from potential data-related abuses.

What are the 8 data subject rights under GDPR?

The GDPR introduces several rights for data subjects, designed to empower individuals and provide them control over their personal data.

Here are the eight data subject rights under GDPR, explained in detail:

  1. Right to be informed
  2. Right of access
  3. Right to rectification
  4. Right to erasure
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Rights related to automated decision-making and profiling

Let us understand each of them in detail:

1. Right to be informed

This right emphasizes the need for transparency regarding how personal data is collected, used, and processed. Organizations are required to provide clear information to individuals about how their data is used.

This is typically achieved through privacy notices or policies that are easily accessible, clear, and concise. Information should include the purposes of the processing, retention periods, and who it will be shared with, among other things.

2. Right of access

Under this right, individuals have the ability to request access to their personal data. This means they can ask organizations to provide a copy of the personal data held about them.

This allows individuals to confirm the accuracy of their data and check if it is being processed lawfully. Organizations typically have one month to respond to such requests and should provide the data free of charge.

3. Right to rectification

If personal data is inaccurate or incomplete, the individual concerned has the right to have it corrected. Organizations must respond to a request for rectification within one month.

If the request is complex, this can be extended by two further months. This ensures the accuracy of data and allows individuals to keep their information up to date.

4. Right to erasure

This right allows individuals to request the deletion or removal of personal data under specific circumstances, such as when the data is no longer necessary for the purposes it was collected, or if they withdraw their consent.

This is not an absolute right and only applies in certain situations, like when the individual’s rights outweigh the organization’s reasons for processing.

5. Right to restrict processing

Individuals have the right to request a pause or restriction on the processing of their personal data in certain circumstances.

For example, if someone contests the accuracy of their personal data and the organization is verifying its accuracy, the individual can request that their data is not used during this period. The data can remain stored, but not processed.

6. Right to data portability

This right allows individuals to obtain and reuse their personal data across different services. It allows them to move, copy, or transfer personal data easily from one IT environment to another in a safe and secure manner.

This is particularly relevant when switching service providers. The data should be provided in a structured, commonly used, and machine-readable format.

7. Right to object

Individuals have the right to object to the processing of their personal data in several circumstances. This includes objecting to processing based on:

  • Legitimate interests
  • Direct marketing (including profiling)
  • Processing for purposes of scientific/historical research and statistics.

8. Rights related to automated decision-making and profiling

Individuals have the right not to be subject to decisions based solely on automated processing, including profiling, if it produces legal effects concerning them or similarly significant effects.

This means individuals can ask for human intervention, express their view, and challenge decisions made entirely by algorithms.

These rights are a manifestation of the GDPR’s goal to put individuals at the center of data protection and to empower them in the face of an increasingly data-driven world. Organizations need to be aware of these rights and ensure that their processes and systems allow for their swift and effective implementation.

Data subject rights: Who holds the actual rights?

A “data subject” refers to any identified or identifiable person whose personal data is processed by a data controller or processor. In simpler terms, if an organization holds or uses data about an individual, that individual is a data subject.

But who exactly qualifies as a data subject under the GDPR? Under the GDPR, a data subject is identified as “an identifiable natural person.”

Let us look at what makes someone a data subject:

1. Natural person

The GDPR protects natural persons, not legal entities. Data subject rights therefore apply to humans and not to companies, organizations, or other legal persons.

They pertain to living individuals and not to deceased persons or fictional entities.

2. Directly or indirectly identifiable

This covers any data that can identify a person directly (like a name) or data that can identify a person when combined with other information. For instance, while a single data point on its own might not identify someone, the combination of several might.

A person is considered identifiable if they can be identified directly (e.g., by name) or indirectly (e.g., by an identification number or specific characteristics). It emphasizes the broad scope of what constitutes personal data.

3. Name

The most direct way of identifying someone. If an organization has data tied to a specific individual’s name, that individual becomes a data subject under the GDPR. Names, being unique and specific, fall under personal data protection.

4. Identification number

This can include various numbers issued by institutions or governments to recognize individuals, such as Social Security numbers, tax IDs, or driver’s license numbers.

Such numbers are unique to individuals and thus can be used to pinpoint a specific person. These numbers, if mishandled, can lead to identity theft or fraud.

5. Location data

This data pertains to the geographical position of a data subject. With the proliferation of smartphones and other location-aware devices, this kind of data has become increasingly prevalent.

Information that determines an individual’s location, be it through mobile data, GPS coordinates, or addresses, is considered personal. Such data can reveal patterns about a person’s habits, routines, and preferences.

6. Online identifier

This encompasses things like IP addresses, cookie strings, or device identifiers. While they might not point directly to an individual in every case, when combined with other data, they can be used to track or infer personal details or behaviors.

With the surge in digital activity, these identifiers can provide extensive insights into a person’s online behavior, making their protection vital.

7. Physical, physiological, genetic, or mental factors

This covers a wide range of personal attributes. For instance, biometric data used for ID purposes, health data, or any other data that pertains to an individual’s physical or mental state falls under this category.

Such information can be deeply personal and sensitive, warranting careful handling.

8. Economic, cultural, or social identity

Information like an individual’s salary, cultural preferences, or social activities can be used, especially in aggregate, to identify and profile them.

Data that sheds light on an individual’s economic status, cultural affiliations, or social inclinations can be used to draw conclusions or make judgments about them. It’s essential to ensure such data remains private unless shared with explicit consent.


It’s essential to understand that the GDPR applies to data subjects who are in the European Union. Therefore, any entity, regardless of where it’s based, that processes the personal data of individuals in the EU, must adhere to the GDPR.

This means that a US-based e-commerce site serving customers in France, for example, would need to comply with the GDPR concerning its French users’ data.

In conclusion, the GDPR’s definition of a data subject is comprehensive, aiming to ensure robust protection for individuals in an age where personal data has become a valuable commodity. Organizations need to understand these nuances to ensure full compliance.

How can you exercise these rights: A guide to users

The exercise of data subject rights is essential for the GDPR’s effectiveness. To exercise these rights effectively, users (data subjects) must take specific practical steps.

Here’s a guide for data subjects on how to assert their GDPR rights, along with what organizations should expect and how they should prepare:

  1. Understand your rights
  2. Identify the data controller
  3. Make a formal request
  4. Set a deadline
  5. Keep records
  6. Know when to expect fees
  7. If unsatisfied, seek clarification
  8. Escalate if needed
  9. Exercise the right to data portability
  10. Stay informed

Let us understand each of them in detail:

1. Understand your rights

Familiarize yourself with the main data subject rights under the GDPR: the right to be informed, access, rectification, erasure, restrict processing, data portability, object, and rights related to automated decision-making and profiling.

  • Begin by reading the GDPR’s text, guides, or summaries from reliable sources to gain a comprehensive understanding.
  • Speak to knowledgeable peers, lawyers, or data protection professionals to clarify any doubts or complexities.

2. Identify the data controller

Before making any request, identify who the data controller is. The data controller is the entity responsible for your data’s processing and is your main point of contact for GDPR-related queries.

  • Locate the entity’s privacy policy, which usually contains the details of the data controller.
  • Use contact details provided (usually in the ‘Contact Us’ or ‘About’ sections of websites) to confirm if they are the correct point of contact.

3. Make a formal request

  • Written communication: Always make your requests in writing to maintain a record. Use email, official online forms provided by the company, or postal mail.
  • Be specific: Clearly state which right(s) you are invoking and provide any necessary information to help locate your data.
  • Identification: Attach a copy of a personal ID or any other document that can vouch for your identity without giving away too much additional personal information.
  • Template use: Use GDPR request templates available online to ensure you cover all necessary details.

4. Set a deadline

According to the GDPR, organizations usually have one month to respond to your request. Remind them of this timeframe and set a deadline in your initial communication.

  • Timelines: While organizations have a month as per the GDPR, provide a specific date for clarity.
  • Follow-up: If there’s no acknowledgment within a week, consider sending a follow-up message.

5. Keep records

Save copies of all communications. This will be essential if there’s any dispute or delay, or if you need to escalate your request.

  • Documentation: Maintain a folder or digital record of all correspondence.
  • Timestamp: Make a note of when you sent requests and when you received responses.

6. Know when to expect fees

Generally, you shouldn’t be charged for exercising your GDPR rights. However, companies can charge a “reasonable fee” for repetitive, excessive, or manifestly unfounded requests. Know this so you aren’t caught off guard or unjustly charged.

  • Initial requests: The first request is usually free. However, subsequent ones may incur a fee, especially if they’re repetitive.
  • Challenge unjust fees: If you believe a fee is unreasonable, challenge it and ask for a breakdown or justification.

7. If unsatisfied, seek clarification

If the organization’s response is unclear or seems incomplete, don’t hesitate to seek clarification or ask for additional information.

  • Specific inquiries: If data provided seems incomplete, request specific pieces of data you believe are missing.
  • Secondary review: Ask the organization to review their decision if you believe they’ve wrongfully denied your request.

8. Escalate if needed

If your request is denied without a valid reason or isn’t addressed within the stipulated timeframe:

  • Contact the organization’s Data Protection Officer (DPO): Larger organizations and public bodies must appoint a DPO, and many other organizations have one. This person is specially trained and is often better equipped to handle your concerns, so raise them with the DPO directly.
  • Legal recourse: If the organization remains uncooperative, consider seeking legal counsel or advice to understand your best course of action.
  • Lodge a complaint with a supervisory authority: Each EU member state has a national Data Protection Authority (DPA) responsible for enforcing the GDPR. If you believe your rights have been infringed, the ultimate escalation point is to file a complaint with the DPA in the relevant member state.

9. Exercise the right to data portability

If you’re moving between service providers (e.g., social networks, telecommunications, utilities), utilize your right to data portability to ease the transition.

Request your data in a structured, commonly-used, and machine-readable format, and, where feasible, ask for direct transmission from one controller to another.

  • Select a format: Specify the data format you want (e.g., CSV, XML). Ensure it’s one you can access or one accepted by the other service provider you’re considering.
  • Direct transfer: If possible, ask for direct data transfer between old and new service providers, minimizing risks associated with data loss or exposure.

10. Stay informed

GDPR and the broader domain of data protection are evolving areas. Stay updated on your rights and any changes to regulations by occasionally visiting the website of your national DPA or subscribing to relevant newsletters.

  • Regular updates: Data protection landscapes can change, with potential amendments to laws or new precedents. Keep an eye on updates from the European Data Protection Board or your national authority.
  • Engage with communities: Join online forums, communities, or social media groups focused on data privacy. They can be valuable sources of information and support.

By following these practical steps, users can ensure they’re proactively taking control of their personal data and compelling organizations to respect their rights under the GDPR.

Data subject rights procedure: 8 things to adopt

To ensure compliance with the GDPR, it’s essential that organizations have a structured procedure in place for addressing data subject rights.

Let’s break down a typical procedure that organizations might adopt:

  1. Awareness and training
  2. Receiving the request
  3. Verification
  4. Logging and tracking
  5. Evaluation and action
  6. Communication
  7. Handling refusals
  8. Documentation and review

Let us understand each of them in detail:

1. Awareness and training

  • Staff education: Make sure all staff, especially those who interact with data subjects or handle personal data, understand the rights individuals have under the GDPR.
  • Regular updates: GDPR-related processes and responsibilities should be updated regularly, and staff should be made aware of these updates.

2. Receiving the request

  • Designated point of contact: Specify a point of contact for receiving and handling data subject requests. This could be the Data Protection Officer (DPO) or another dedicated individual/team.
  • Accessible means: Offer multiple means for individuals to submit their requests—email, web forms, physical mail, etc.

3. Verification

  • Identity verification: Before processing any request, confirm the identity of the person making the request to prevent data breaches. This may involve requesting ID or other verification means.
  • Clarify the request: If the request is broad or unclear, ask the data subject for further details or clarification.

4. Logging and tracking

  • Record keeping: Log all received requests, including the date of receipt, details of the request, and the identity of the requester.
  • Time management: Monitor the timeframes closely. The GDPR typically allows a month to respond, but this can vary depending on the nature and complexity of the request.

5. Evaluation and action

  • Assess validity: Not all requests have to be fulfilled. Determine if the request is valid under GDPR. For example, a “right to erasure” request might be declined if there are overriding legal obligations to retain the data.
  • Coordination: Liaise with relevant departments to gather the requested information or execute the requested action (e.g., erasure or rectification).

6. Communication

  • Acknowledge receipt: Send an acknowledgment to the data subject upon receiving their request, informing them of the expected processing time.
  • Provide information: Once the request is processed, communicate the results to the data subject. For example, if they requested access, provide them with their data. If they asked for deletion, confirm that the data has been erased.

7. Handling refusals

  • Provide reasons: If a request is denied or only partially fulfilled, inform the data subject of the reasons. They have the right to know why their request wasn’t completely honored.
  • Inform about further rights: Let them know about their right to lodge a complaint with a supervisory authority or seek a judicial remedy.

8. Documentation and review

  • Maintain records: Keep detailed records of all data subject requests and their outcomes for accountability purposes.
  • Periodic review: Regularly review the procedure to identify any inefficiencies or areas for improvement. Consider seeking feedback from data subjects who have made requests to understand their experience and refine the process.

9. Considerations for implementation

  • Tools and resources: Invest in tools that can streamline the data subject request process. This might include software that can quickly locate and extract specific data or automated systems for handling requests.
  • Data mapping: Understand where all personal data is stored within the organization. This will expedite the process when a request is made.
  • Transparency: Always be open with data subjects about how their data is used and their rights concerning this data.

While this provides a general procedure, the specific processes and nuances might vary based on the organization’s size, the nature of its operations, and the jurisdictions in which it operates. Always consider seeking expert advice when implementing such procedures.
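The user guide above tells data subjects to set a one-month deadline, and the procedure asks organizations to verify identity before acting (step 3) and to log every request and monitor its timeframe (step 4). The following request register is an added example written for this article, not code from the original page or from any vendor; the request ids, dates and right labels are constructed sample data. It computes the one-month deadline and the two-month extension by calendar-month arithmetic, which is an assumption about how the period is counted, and it refuses to release or erase data until the requester’s identity has been recorded as verified.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Rights a request may invoke, as this register labels them (constructed labels).
ALLOWED_RIGHTS = {
    "access", "rectification", "erasure", "restriction",
    "portability", "objection", "automated_decision",
}


def add_months(start: date, months: int) -> date:
    """Move a date forward by whole calendar months.

    Assumption: "one month" ends on the same day of the following month, clamped
    to the last day when that month is shorter (31 Jan + 1 month -> 28/29 Feb).
    Confirm the counting rule against your own legal guidance.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class DsarRequest:
    """One logged data subject request (procedure step 4: logging and tracking)."""
    request_id: str
    right: str
    received_on: date
    identity_verified: bool = False
    extended: bool = False
    closed_on: Optional[date] = None
    log: List[Tuple[date, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.right not in ALLOWED_RIGHTS:
            raise ValueError(f"unknown right: {self.right}")
        self.log.append((self.received_on, f"received: request invoking right to {self.right}"))

    def deadline(self) -> date:
        """One month from receipt, plus two further months if an extension was granted."""
        base = add_months(self.received_on, 1)
        return add_months(base, 2) if self.extended else base

    def verify_identity(self, on: date, method: str) -> None:
        """Step 3: record how the requester was identified before any data is released."""
        self.identity_verified = True
        self.log.append((on, f"identity verified via {method}"))

    def extend(self, on: date, reason: str) -> None:
        """Grant the two-month extension for a complex request, only once and only within the first month."""
        if self.extended:
            raise ValueError("a request can only be extended once")
        if on > self.deadline():
            raise ValueError("extension must be granted before the original deadline")
        self.extended = True
        self.log.append((on, f"extended by two months: {reason}"))

    def close(self, on: date, outcome: str) -> None:
        """Steps 5 and 6: record the outcome; an unverified requester gets nothing."""
        if not self.identity_verified:
            raise PermissionError("identity not verified; data must not be released or erased")
        self.closed_on = on
        self.log.append((on, f"closed: {outcome}"))

    def is_overdue(self, today: date) -> bool:
        return self.closed_on is None and today > self.deadline()


def overdue_requests(register: List[DsarRequest], today: date) -> List[str]:
    """Ids of open requests past their deadline, for the DPO's daily review."""
    return [r.request_id for r in register if r.is_overdue(today)]


def build_sample_register() -> List[DsarRequest]:
    """Constructed sample data: three requests received in 2023."""
    access = DsarRequest("DSAR-0001", "access", date(2023, 8, 22))
    access.verify_identity(date(2023, 8, 23), "copy of ID matched to account details")
    access.close(date(2023, 9, 5), "copy of personal data provided free of charge")

    erasure = DsarRequest("DSAR-0002", "erasure", date(2023, 7, 31))
    erasure.verify_identity(date(2023, 8, 1), "signed-in account confirmation")
    erasure.extend(date(2023, 8, 14), "data spread across several legacy systems")

    portability = DsarRequest("DSAR-0003", "portability", date(2023, 7, 10))
    # Never verified and never closed: this one shows up as overdue.
    return [access, erasure, portability]


if __name__ == "__main__":
    register = build_sample_register()
    today = date(2023, 9, 1)
    for r in register:
        status = "overdue" if r.is_overdue(today) else "open" if r.closed_on is None else "closed"
        print(r.request_id, r.right, "deadline", r.deadline(), status)
    print("overdue:", overdue_requests(register, today))
```

The gate in `close()` is the security-relevant part: an access or erasure request fulfilled for the wrong person is itself a personal data breach, so the register makes the verification record a precondition rather than a checkbox. The `log` list on each request is the audit trail step 8 asks for, and `overdue_requests()` is the check a DPO would run daily against the one-month clock.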

Mistakes to Avoid: Common oversights of data subject rights non-compliance

Violations of the GDPR data subject rights can have significant repercussions for organizations, both in terms of financial penalties and reputational damage.

Let’s delve into common violations of the data subject rights:

  1. Failure to inform (Right to be Informed)
  2. Denying access (Right of Access)
  3. Ignoring rectification requests (Right to Rectification)
  4. Refusal to delete data (Right to Erasure)
  5. Continuing unauthorized processing (Right to Restrict Processing)
  6. Denying data transfer requests (Right to Data Portability)
  7. Not respecting objections (Right to Object)
  8. Misusing automated decisions (Rights related to Automated Decision Making and Profiling)

Let us understand each of them in detail:

1. Failure to inform (Right to be Informed)

If an organization collects or processes personal data without providing clear and accessible information (usually via a privacy notice) about why they’re collecting it, how it will be used, and who it will be shared with, they’re violating the right to be informed.

2. Denying access (Right of Access)

If a user requests a copy of their personal data and the organization refuses without a legitimate reason or doesn’t respond within the stipulated one-month timeframe, they’re violating the right of access.

3. Ignoring rectification requests (Right to Rectification)

If an individual points out inaccuracies in the data held about them and the organization either refuses to correct it or delays the correction without justification, they are violating the right to rectification.

4. Refusal to delete data (Right to Erasure)

If an individual requests the deletion of their data under valid circumstances (e.g., where the data is no longer necessary, or they withdraw consent) and the organization refuses without a valid reason, they’re in breach of the right to erasure.

5. Continuing unauthorized processing (Right to Restrict Processing)

If a user flags an issue with their data or objects to its processing and the organization fails to halt its use during the dispute, they’re violating the right to restrict processing.

6. Denying data transfer requests (Right to Data Portability)

Organizations violate this right if they refuse to provide an individual’s data in a structured, commonly used, and machine-readable format when requested, especially if the refusal prevents them from moving to a different service provider.

7. Not respecting objections (Right to Object)

If an individual objects to the processing of their data for specific reasons like direct marketing and the organization continues to use it for that purpose, they’re breaching the right to object.

8. Misusing automated decisions (Rights related to Automated Decision Making and Profiling)

If an organization subjects individuals to decisions based solely on automated processing that has significant legal or similar effects without offering a way to challenge or seek human intervention, they’re violating this right.

Consequences of non-compliance

Violations can lead to severe penalties. Depending on the nature and gravity of the infringement, fines can reach up to €20 million or 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).

Additionally, the reputational damage can have long-term implications on business trust and credibility.

Organizations should prioritize data protection, ensuring that processes are in place to honor all data subject rights and that staff are adequately trained to handle such matters.

Regular audits and reviews can help in identifying potential weaknesses and rectifying them before they become problematic.

Summary

Data subject rights refer to the set of entitlements granted to individuals under data protection laws, allowing them to control, access, and rectify their personal data held by organizations. These rights are pivotal in promoting transparency and accountability in the processing of personal information.

These rights empower individuals, granting them the authority to control and manage how their personal data is used by organizations. At the heart of these provisions lies the belief that personal data, while a valuable commodity, remains intrinsically tied to the identity and dignity of individuals.

Therefore, it is not just organizations, regulators, or legal entities that should be familiar with these rights, but every individual. By recognizing and actively exercising these entitlements, each person plays a vital role in ensuring that the digital future remains transparent, ethical, and respects individual privacy.
