GDPR Jargon Buster - Data subject rights


Data subject rights are the rights individuals (referred to as “data subjects”) have with respect to their personal data. These rights provide individuals with more control over their personal data and how it is used by organisations who act as controllers.

Data subject rights are not necessarily absolute, and certain rights may be balanced against the rights of the organisation using the personal data.

What rights do data subjects have?

To be provided with information about how their personal data is processed

Data subjects must be provided with a range of information on how their personal data is used and by whom. This forms part of a data controller’s obligation to ensure personal data is processed in a fair and transparent manner. We see this information being provided most frequently in the form of privacy notices on websites.


To access personal data

A data subject has the right to request a copy of all their personal data that a controller processes, and such a request is often referred to as a “data subject access request” or “SAR”. A data subject can also request a controller to confirm whether or not it processes their personal data, and how that personal data is processed.


To have their personal data corrected

A controller must ensure that the personal data it processes is accurate and up to date. A data subject has the right to require a controller to correct any incorrect data, and complete any incomplete data that a controller holds about them.


To have their personal data erased

Often referred to as the "right to be forgotten", a data subject has the right to request that a controller who holds their personal data delete it. In order for such a request to be made, there must be a legitimate reason.


To restrict data processing

A data subject may, in certain circumstances, restrict a controller’s processing of their personal data. Examples of where this right can be exercised include where the accuracy of the data is in dispute or the processing is unlawful.


To data portability

Broadly, this right allows data subjects to receive their own personal data and to have their personal data transferred from one service provider to another. Unlike a data subject access request, personal data must be provided by the controller in a structured, commonly used and machine-readable format, allowing it to be more easily stored, analysed and shared. This right allows a data subject to obtain and reuse their personal data for their own purposes, across different services.


To object to processing

A data subject may object to the processing of their personal data in certain circumstances, such as where it is used for direct marketing, for scientific or historical research or for statistical purposes. A controller must inform a data subject of their right to object. The right to object to processing for direct marketing is absolute, but in the other cases the right to object is more limited. 


Not to be subject to solely automated decision-making or profiling

Under certain circumstances, data subjects have the right not to be subject to automated decision-making processes which do not have any aspect of human intervention, where that decision will produce an adverse legal effect or significantly affect the data subject. This would therefore cover, for example, recruitment decisions based on automated criteria. Such decisions may be based on profiling that has been conducted, i.e. collecting and analysing data on a person’s preferences and other behaviour.


For more information or advice, please contact Beverley Flynn or another member of the commercial team.
