
GDPR data subject rights: An in-depth guide with examples

Summary

The General Data Protection Regulation (GDPR) gives individuals located in the EU rights over their personal data. Whether someone wants to access, edit, or delete their information in your system, it’s your legal responsibility to respond.

As data privacy concerns grow, an increasing number of people are exercising these rights. In fact, access requests have grown by 50 percent in just two years.

But understanding these rights and responding to them consistently is a challenge. As Adelina Peltea, CMO of Usercentrics, says, “One of the most common pitfalls businesses face in their efforts to uphold GDPR data subject rights is treating compliance as a one-time checkbox exercise rather than an ongoing commitment to user-centric privacy.”

She goes on to underline a further challenge: “Many organizations underestimate the operational complexity of responding to rights requests at scale. This can lead to delays and errors, which raise the risk of noncompliance.”

Our guide can help set you up for success. We detail the eight GDPR data subject rights and explain how to build scalable systems to uphold them and support your compliance efforts.

What are data subjects in the GDPR?

According to Art. 4(1) GDPR, a data subject is any identified or identifiable natural person within the European Union (EU). They could be directly identifiable through details like their name and email address or indirectly through their browser activity.

Information like the websites a person has visited and their language settings may seem innocuous, but the GDPR treats them as personal data because they leave a digital trail that makes identification possible, particularly when a number of these data points are combined. 

For example, someone might log into an education portal from the same cafe three times a week and select ‘Spanish’ from the language settings. Individually, none of these details identifies the user, but when combined, they paint a picture that businesses could use to create customer profiles, better understand preferences, and deliver targeted advertisements.

What are the 8 rights of data subjects?

Data subject rights build on core GDPR principles — including transparency, accuracy, and confidentiality — to empower individuals within the EU. Here’s an overview of each:

  1. Right to be informed: Individuals have the right to know what personal data organizations have collected and how it’s being processed.
  2. Right of access: Individuals can request a copy of their data in an easily accessible format.
  3. Right to rectification: Individuals can ask businesses to correct or update inaccurate personal data.
  4. Right to erasure: In many cases, data subjects can request that an organization delete some or all of their information.
  5. Right to restrict processing: Individuals can limit how companies process their data under certain circumstances.
  6. Right to data portability: Businesses must allow data subjects to move, copy, or transfer personal data easily from one controller to another safely and securely.
  7. Right to object: People are free to opt out of the processing of their personal data at any time, which must be easy to do, even if they previously consented to it. 
  8. Rights related to automated decision-making and profiling: Data subjects have the right to not be subject to decisions based solely on automated processing. 

8 GDPR data subject rights with practical examples

Let’s break down what each of these provisions means in practice. We’ll look at real-life GDPR data subject rights examples to help you fully understand your obligations to users.

1. Right to be informed

Individuals have the right to know how organizations process their personal information, from seemingly insignificant details to sensitive personal data.

Art. 13 GDPR states that you must provide data subjects with the following details before processing their information:

  • Data controller’s name (whether an individual, business, or other organization)
  • Controller’s contact details
  • Legal basis for collecting personal data (consent is one option)
  • Purpose of data processing
  • User’s rights
  • How long your organization retains data
  • Which third parties you share data with
  • Whether you use automated processing

If personal data passes to you from another organization, you have one calendar month to inform the individual, according to Art. 14 GDPR.

Art. 12 GDPR states that notifications concerning your data practices must use clear and plain language rather than legal jargon like “data controller” and “supervisory authority.” This gives individuals the best chance of understanding their rights and acting in their own interests.

While the GDPR doesn’t explicitly outline how to uphold the right to inform, it has become standard practice to use cookie banners. These notifications appear when someone first visits your website or whenever their consent information or your data processing activities change. 

Here’s an example of a Cookiebot by Usercentrics CMP cookie banner that Usercentrics’ customer PeopleForce uses to notify users and uphold their right to be informed:

[Screenshot: cookie banner on the PeopleForce website]

This cookie banner uses clear, simple language to inform users of what information they collect, who they share it with, and why.

2. Right of access

The GDPR’s right of access is twofold: Data subjects can obtain confirmation from controllers of whether or not their personal data is being processed, as well as access to that personal data.

Under Art. 15 GDPR, data subjects can also inquire about the purpose of processing, the nature of the data in question, who the data is shared with, how long the data will be stored, and more.

In short, individuals can request access to most details concerning their personal data. 

Here’s a real-world example. Austrian non-profit noyb requested that a group of organizations, including TikTok and SHEIN, confirm that they had not transferred personal data outside the EU (specifically not to China, where the companies are headquartered).

These companies failed to respond adequately, according to noyb, so the organization filed an official GDPR complaint to require a legally adequate response.

3. Right to rectification

Under Art. 16 GDPR, individuals can ask your organization to correct errors, update outdated information, and fill gaps in incomplete data. You must respond regardless of where the error originated.

For example, a new employee might notice that their prefix is recorded as ‘Mrs.’ instead of ‘Ms.’ in company files. That employee can ask the employer to correct the prefix, even if the error came from the recruiting agency that helped them secure the job.

4. Right to erasure/to be forgotten

Art. 17 GDPR states that data subjects can ask organizations to delete information under specific circumstances:

  • The data is no longer needed for the original purpose
  • The data subject withdraws consent and there’s no legal basis to keep processing it
  • The information was unlawfully collected
  • The data must be deleted to fulfill a legal directive
  • The data was collected from a child for online services

Organizations can refuse the request if they need to keep storing information to meet industry-specific data retention requirements. For example, when someone switches physicians, they can’t ask the hospital to delete their files if national law requires healthcare providers to retain medical records for a specific period.

5. Right to restrict processing

This right enables individuals to limit what companies do with their personal data under certain circumstances. Under Art. 18 GDPR, data subjects may restrict processing in any of the following situations:

  • Challenging the accuracy of the data
  • Their data is being used unlawfully but they don’t want it erased
  • They need the data for the establishment, exercise, or defense of legal claims, even if the data is no longer needed for the purpose of processing
  • Objecting to how their data is being used

While the data is restricted, you can continue processing it only with the person’s consent or in order to meet legal requirements. 

Suppose a bank records that a customer defaulted on a loan payment. The customer could dispute this and provide evidence that they paid on time. While the bank investigates their claim, the customer can tell them to stop processing their data and potentially using it for credit scoring.

6. Right to data portability

Data portability means individuals can ask for a copy of their personal data or request that you transfer it to a third party. Art. 20 GDPR states that the data must be in a “structured, commonly used, and machine-readable format” such as CSV or Excel files.

Individuals often exercise this right when switching healthcare providers or being referred to a specialist. Under the GDPR, they can ask their current provider to transfer their medical history to their new one, including test results and any treatments they’ve received. 

7. Right to object

Individuals have the right to challenge why organizations process their personal data. When someone exercises this right, you must immediately cease processing unless you as the Controller have an overriding compelling legitimate ground for overruling them, as established in a documented balancing test, or doing so is in the public interest.

For example, someone might object to their bank tracking their login locations. But if the bank is monitoring for fraud, they could argue they need this information to protect business interests.

However, if you’re using someone’s data for direct marketing, you must immediately stop processing after receiving an objection. Art. 21 GDPR states that there are no exceptions.

The right to object is under pressure as AI use increases. In a precedent-setting case, Meta claims it can use personal data to train AI under legitimate interests without opt-in consent. noyb disputes this and has filed a cease and desist, estimating the legal claims could reach up to EUR 200 billion.

8. Rights related to automated decision-making and profiling

Art. 22 GDPR gives data subjects the right to challenge automated decision-making and request human intervention, in particular where the automated decision produces legal effects concerning them or similarly significantly affects them. This includes systems using algorithms, profiling, and AI.

Examples of when someone might exercise this right include:

  • Insurance pricing
  • Loan or credit card approval
  • Job interviews and offers
  • Health insurance eligibility
  • Medical treatment pathways
  • School admissions or assessment

However, organizations don’t have to uphold this right under the following circumstances: 

  • If automated processing is necessary for entering into or performing a contract between the data controller and the data subject
  • If the controller is authorized to use automated decision-making by European Union or Member State law, which also lays down measures to safeguard data subjects’ rights
  • If the data subject has given explicit consent

For example, if a job candidate gives their explicit consent for their resume to be automatically processed and reviewed, they can’t later challenge an organization’s decision to reject them on the basis of automation. 

Best practices for upholding data subject rights under the GDPR

Upholding GDPR data subject rights calls for a long-term, organization-wide effort. 

“Think of GDPR compliance and individuals’ rights as an ongoing commitment,” says Peltea. “It’s not just a legal requirement or technical challenge. It’s an opportunity to build trust and long-term engagement.”

Here are some scalable processes you can implement.

Write clear privacy notices that are easily accessible and up to date

Privacy notices must include what personal data you collect, why and how you process it, and what rights users have and how to exercise them. If you collect data directly from the data subject, you must provide this information at the time of collection (Art. 13 GDPR). Additionally, make the notice easy to find by linking to it from your cookie banner and/or a permanent footer. As your practices or legal obligations change, use a consent management platform (CMP) like Usercentrics CMP to automatically update your notices.

Create internal compliance standard operating procedures (SOPs) and train your staff

“Teams working in silos can result in inconsistent privacy messaging and poor user experience,” says Peltea. Avoid these silos by documenting the steps to follow when managing data subject rights and sharing them company-wide. Regular training sessions help everyone understand these SOPs and minimize the risk of errors and GDPR violations.

Assign responsibility for managing rights requests

Clarify who is responsible for tasks like facilitating access, erasing data, or updating files. Doing so reduces the risk of requests going unnoticed or unaddressed, and of unauthorized individuals accessing data, either of which can lead to violations. In some cases, such as when you handle large-scale data processing or sensitive information, you’re legally required to appoint a Data Protection Officer to oversee your data processing and GDPR compliance strategy.

Implement data mapping for better data management processes

Match data points across databases for consistency and to avoid duplication. Data mapping makes it easier to respond to data subject requests because you can quickly identify and locate the files that contain the user’s information.

Maintain logs of requests and run regular audits

Keep a detailed log of every data subject request, how you handled it, and when. This enables you to stay on top of deadlines and demonstrate compliance if challenged. Regular audits help you evaluate how consistently and efficiently your team handles requests so you can catch delays, bottlenecks, and gaps in your processes before they lead to violations.

Use specialized consent and privacy compliance management software

Maintaining GDPR compliance manually is virtually impossible given how complex the rules are and how frequently they change. “Invest in the resources and tools you need to handle privacy compliance in a more secure and timely manner,” advises Peltea. A CMP like Usercentrics’ automatically handles tasks like collecting consent and updating privacy notices to reflect evolving regulations, helping your business achieve and maintain privacy compliance over time.

Your business needs to have a thorough understanding of the GDPR and data subject rights to respond to requests promptly and accurately and reduce the risk of violations.

But as the number of requests increases year over year, manual processes can’t keep pace. Companies must automate consent and data privacy management to uphold user rights, build trust with their audience, and achieve continuous compliance.

Usercentrics helps streamline GDPR compliance efforts by automating consent collection, preference management, and privacy notice creation. As the GDPR and other data privacy frameworks change, Usercentrics supports continuous updates to keep you aligned with regulatory requirements and user expectations.

Celestine Bahr
Director Legal, Compliance & Data Privacy, Usercentrics GmbH