Personal data has been defined as the world’s “new oil” as it’s likely the most valuable asset for businesses in the digital age. And like anything of value, it deserves protection – especially if you think that, after all, data is nothing but people and their personal information.

Under the General Data Protection Regulation (GDPR), people have a series of rights in relation to their personal data and its processing – and the effectiveness of these rights needs to be ensured and facilitated by data controllers and processors.

If your company collects and processes personal data, this article will give you a clearer idea of what is expected of you and how to meet your GDPR obligations towards your customers.

What are the data subjects rights set out by the GDPR?
How can these rights be exercised?
What happens after an individual requests to exercise one of these rights?
How do I submit a request to Penneo to exercise my rights?


What are the data subjects rights set out by the GDPR?

The eight data subjects rights under the GDPR are:


1. Right to be informed

Individuals must be provided with information about the personal data that is collected and processed, the purposes and period of processing, the rights they have. Besides, they need to be informed about their right to withdraw consent at any time and to complain to a supervisory authority.

All this information should be provided in a transparent way, free of charge, and in a timely manner.
Additionally, people must be informed if data has been leaked and disclosed to unauthorized recipients (or made temporarily unavailable or altered) with a proper notification in the case a data breach poses a risk to their rights.


2. Right of access

People must be able to ask companies whether or not their personal data is being processed. Where that is the case, they also have the right to access the personal data and receive a copy of it free of charge and in an accessible format.


3. Right to data portability

Besides receiving a copy of the personal data concerning them (in a structured, commonly used and machine-readable format), people can also request their data to be transmitted to another location or entity (where technically feasible).


4. Right to rectification

If an individual believes that the personal data a company holds about them is incorrect, incomplete, or inaccurate, they can ask for its correction.


5. Right to restriction of processing

People can ask entities to stop or limit the data processing in case they:

  • objected to processing
  • contested the accuracy of the personal data or the lawfulness of processing
  • believe that the controller no longer needs the personal data

If a person exercises their right to restrict the data processing, then the data can only be further processed after specific consent, or in the case of legal claims, or for vital, public, or legitimate interest.


6. Right to erasure (also known as the “right to be forgotten”)

Individuals can ask that their data be deleted when the data processing has become unnecessary or unlawful, or after withdrawing their consent to it.

However, there are some exceptions. The erasure of personal data cannot be asked if the data processing is necessary:

  • for the right of freedom of expression and information;
  • for compliance with a legal obligation or for the performance of a task carried out in the public interest;
  • for archiving historical research purposes or statistical purposes;
  • for the establishment, exercise, or defence of legal claims.


7. Right not to be profiled

Profiling occurs when personal aspects (such as age, sex, height) are evaluated to make predictions or classify a person in a category – even if no decision is taken. Profiling often happens, for example, during online recruitment or credit ratings.

Where the purpose of data processing is direct marketing, and the data processing includes profiling, the person affected can object to it at any time. This right must be explicitly brought to the data subject’s attention and presented clearly and separately from any other information.


8. Right to object to automated decision-making

Automated decision-making happens when decisions are taken about a person by technological means and without any human involvement. Individuals can object to decisions based solely on automated means if the decision produces legal effects concerning them. This type of decision-making may exceptionally be allowed if:

  • the use of algorithms is allowed by law and suitable safeguards are provided, or
  • there is no other way to achieve the same goal to enter or perform a contract, or
  • explicit consent has been given.
GDPR data subjects rights


How can the data subjects rights be exercised?

The individual who wants to exercise one of these rights needs to get in contact with the person or organization that collected or processes their personal data.

Under the GDPR, data controllers and data processors are required to provide modalities for facilitating the exercise of the data subject’s rights – for example, by providing means for the requests to be made electronically, especially where personal data are processed by electronic means.


What happens after a person requests to exercise one of these rights?

After a request has been made, the data controller cannot refuse to act on the request and must provide information on the actions taken on the request without undue delay. The requester should receive an answer, at the latest, within one month.

This also applies to the case in which the data controller does not intend to comply with such a request, as they must still answer within a reasonable amount of time and provide reasons for the rejection of the request. Moreover, in such a case, the requested should be informed of their possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.


How do I submit a request to Penneo to exercise my rights?

At Penneo, protecting the privacy of our customers and their business is a crucial factor in our mission.

You can contact our DPO directly who will then perform the necessary actions to satisfy the request. The request is usually fulfilled within a week, and you will get notified about the results of the process.

For all other inquiries, please do not hesitate to contact us or to submit a ticket to our Support Team.


Need assistance ensuring GDPR compliance in your business?

The enactment of GDPR has forced businesses worldwide to adjust their procedures by setting up more careful data protection processes and updating privacy policies and security practices.

Does your business have adequate measures in place to facilitate the exercise of data subjects’ rights and ensure their effectiveness? Penneo can help you with that, and more.



If you're looking to learn more, we have a few suggestions for you


FTN: Sign Digitally with Bank eIDs & Mobiilivarmenne

Norwegian Transparency Act

The Norwegian Transparency Act (Åpenhetsloven)

itsme® Sign

itsme®: Sign Documents Digitally in Belgium