The EU’s GDPR sets out a strong set of data subjects’ rights, thus giving individuals more control over their personal data. Moreover, the regulation requires businesses to implement effective measures to ensure that data subjects can easily exercise their rights.

Does your company process the personal data of EU citizens and residents? Then read on to learn more about the eight data subject rights set out by the GDPR and your legal obligations in relation to them.

GDPR data subject rights


1. The right to be informed

EU individuals have a right to be clearly informed about how businesses intend to process their personal data and for what purpose. Accordingly, companies are legally required to provide data subjects with the following information.

What information do companies need to provide depending on the source from which they obtained the personal data?

Information that companies need to provide whether the personal data is obtained directly from the data subject or from another source:

  • the identity and contact details of the company and its representatives
  • the contact details of the data protection officer (if the company has appointed a DPO)
  • the purpose(s) for which the data processing is necessary and the legal basis that applies
  • the legitimate interest of the data controller (if the legal basis is legitimate interest)
  • the data subject’s right to withdraw their consent (if the legal basis is consent)
  • the entities to which the personal data are disclosed
  • the right of the data subject to file a complaint with a supervisory authority
  • the retention period for the personal data
  • the rights that the data subject has in relation to the processing
  • the existence of automated decision-making, including profiling, and its potential consequences for the individual
  • details of transfers of personal data to non-EU countries and the safeguards that are in place for such transfers

Information that companies need to provide only if the personal data is obtained directly from the data subject:

  • whether the data subject is under a statutory or contractual obligation to provide the personal data

Information that companies need to provide only if the personal data is obtained from another source:

  • the categories of personal data they intend to process
  • the sources from which the data was obtained

When do companies need to provide this information?

When companies collect the personal data directly from the data subject, they must provide them with the information at the time of the data collection. On the other hand, when they obtain personal data from a different source than the data subject, they need to provide the information:

  • within a reasonable period after obtaining the personal data, but no later than one month
  • if they use the data to communicate with the data subject, at the latest at the time of the first communication to the data subject
  • if they intend to disclose the data to someone else, at the latest when they disclose the personal data

How should businesses communicate the information?

Businesses must communicate the information in a concise, unambiguous, and intelligible form, using clear and plain language. Furthermore, the information should be easily accessible.

If companies intend to process the personal data for other purposes than the ones initially specified, they must update the information and notify the data subjects of the changes.


2. Right of access

Data subjects have the right to access and get a copy of the personal data that companies hold about them. Accordingly, companies must provide individuals with:

  • a copy of their personal data undergoing processing and
  • information regarding the processing (which is roughly the same as the information described in the table above)

This helps the data subjects understand how and why businesses process their personal data and verify whether the processing is legal.

Organizations should provide the data subject with a copy of the personal data and additional information as soon as possible and no later than one month from the receipt of the request. For complex requests, companies can extend the time limit by two months.

It is important to note that the copy of the personal data and the supplementary information should be provided free of charge and in an accessible format. Moreover, companies should send such information via secure channels (e.g., apps and systems that employ encryption).


3. Right to data portability

Data subjects have the right to obtain the personal data they have provided to a business in an interoperable, structured, commonly used, and machine-readable format. According to the right to data portability, data subjects can also request companies to transmit their personal data to other controllers (e.g., other companies). However, this right only applies when the legal basis for the data processing is consent or fulfilment of a contract.

Companies must comply with the data subject’s request within a month of receiving the request. Moreover, they must ensure that the data is transmitted via secure channels.


4. Right to rectification

Data subjects have the right to have their personal data rectified or completed in the case that the data companies hold about them is inaccurate or incomplete.

If they receive a rectification request, companies need to check the accuracy of the data they hold on the individual and take measures to rectify or complete it. This should be done as soon as possible and no later than one month from receiving the request.


5. Right to restrict processing

Under the EU’s GDPR, data subjects have the right to request the restriction of the processing of their personal data in the following cases:

  • the data subject contests the accuracy of their personal data, and the company is checking the accuracy of the data
  • the data processing was unlawful, and the data subject is opposing the erasure of the personal data and requests restriction of processing instead
  • the data is no longer necessary, but the data subject needs the company to hold it in order to establish, exercise, or defend a legal claim
  • the data subject objected to the data processing, and the company is determining whether its legitimate interest overrides those of the data subject

When data subjects exercise their right to restrict processing, companies are still allowed to store their personal data. However, they are prohibited from performing any other operation on the data.

Timewise, companies have one month to respond to restriction of processing requests.


6. Right to erasure (right to be forgotten)

The EU’s GDPR gives individuals the right to erasure, also known as the right to be forgotten. Therefore, if an individual asks the company to erase all the personal data it holds about them, the company has to comply with the request within one month of receiving it.

However, there are a few exceptions. These include cases where the data processing is necessary:

  • to exercise the right of freedom of expression and information
  • to meet a legal obligation
  • to carry out a task in the public interest
  • for archiving purposes, where erasure will make it impossible to achieve the objectives of that processing
  • for the establishment, exercise, or defence of legal claims

For example, anti-money laundering laws require obliged entities to store KYC documents for a specific period of time after the end of the business relationship. In such cases, the right to erasure cannot be exercised until the retention period required by the law has expired.


7. Right to not be subject to a decision based solely on automated processing, including profiling, that has legal or similarly significant effects on them

Data subjects have the right not to be subject to decisions made solely by automated means (including profiling) that have legal or similarly significant effects on them. An example could be the automatic rejection of an online loan application (without any human intervention).

However, there are a few exceptions. A company can carry out solely automated decision-making with legal or similarly significant effects in the following cases:

  • if the decision is necessary for entering into or fulfilling a contract between the company and the data subject
  • if the decision is legally authorized (for example, to prevent fraud or money laundering)
  • if the data subject gave their consent

In such cases, companies must also implement appropriate measures to protect the individual’s rights and freedoms and legitimate interests, such as:

  • the right to obtain human intervention
  • the right to express their point of view
  • the right to challenge the decision
  • the right to obtain a clear explanation of the decision
  • the right to receive specific information about the decision-making process and its potential consequences for the individual

Additionally, companies must also:

  • use appropriate mathematical or statistical procedures
  • implement measures to minimize the risk of errors
  • ensure the security of the personal data
  • prevent discriminatory effects


8. Right to object

Data subjects have the right to object to personal data processing for direct marketing purposes, including profiling in connection with direct marketing. Once the company receives the request, it must stop processing the person’s data within one month.

Furthermore, data subjects can also object to the processing when the legal basis for the data processing is one of the following:

  • the performance of a task carried out in the public interest
  • the exercise of official authority
  • legitimate interest

In such situations, the data subjects must explain why they disagree with the data processing. Companies can, however, deny the request if they can demonstrate that:

  • their legitimate interest overrides the interests of the data subjects
  • the data processing is necessary for the establishment, exercise, or defense of legal claims


How can the data subjects exercise their rights?

Data subjects should submit a request to the company that is processing their personal data. The request can be either verbal or in writing.


What if the data controller doesn’t intend to comply with a request?

If the data controller doesn’t intend to comply with a request, they must provide reasons for the rejection of the request. Moreover, they must inform the data subject who made the request of the possibility of filing a complaint with a supervisory authority.


How do I submit a request to Penneo to exercise my rights?

Penneo customers can submit requests by contacting our Data Protection Officer (DPO). The DPO will perform the necessary actions to comply with the request. Penneo will usually fulfill the request within a week and notify the customer as soon as the request is resolved.
