Direct obligations to guarantee data subjects’ rights lie with the data controller; however, processors must assist them in meeting these duties. Even negligent breaches of these obligations may result in severe fines (see Art. 83 GDPR).
- Right to access
- Right to rectification
- Right to erasure (“right to be forgotten“)
The right to access allows the data subjects to request access to their personal data from the controllers. The rationale behind this right is to allow the individuals to verify the lawfulness of the processing of their personal data.
The data subjects are entitled to receive:
information confirming that their personal data is processed,
access to this data and
access to other supplementary information mentioned in Art. 15(1) GDPR.
The right to rectification gives the data subjects the right to correct their data in case it is inaccurate or incomplete.
The right to erasure, also called the “right to be forgotten“, enables data subjects to request that their data is removed or deleted. This right, however, cannot be always requested.
It is possible to have one’s data erased in these situations:
- the data is no longer necessary for the initial processing purpose
- withdrawal of data subject’s consent on which the processing was relied upon
- data subject’s objection to the processing (and no prevailing controller’s legitimate interest for further processing exists)
- the data was not lawfully processed
- the erasure is necessary for the controller’s compliance with a legal obligation under EU/MS law
- the data was collected in relation to the offer of information society services to children
The GDPR also specifies numerous exceptions, where the right to be forgotten is not applicable; namely, where the processing of these data is necessary for either:
- exercise of the right to freedom of expression and information
- compliance with a legal obligation or performance of a task in the public interest or in the exercise of official authority
- public health reasons in the public interest
- archiving purposes in the public interest, scientific or historical research or statistical purposes
- establishment, exercise or defense of legal claims
The right to restrict processing enables the data subjects to stop processing of their data. After such a request, an entity is not allowed to continue further processing. It is, however, permitted to store the data that has been already processed. Moreover, it is allowed to keep minimum personal data that would prevent the entity from processing this data subject’s data again.
The GDPR lists three cases, where data subjects are entitled to object to the processing of their personal data. These are:
- particular situation of the data subject
- processing for direct marketing purposes
- processing for research or statistical purposes
Individuals may object to the processing of their personal data at any time, regardless of whether processing has been already been carried out or not. As a consequence, the controller must stop processing the data in question.
In accordance with the right to data portability, data subjects are entitled to ask a data controller to get their data in a “structured, commonly used and machine-readable format and have the right to transmit those data to another controller“ Art. 20 GDPR. This right applies if:
- the data subjects themselves provide their data to the controller
- processing is based on the data subjects’ consent or the necessity for contract performance
- processing is carried out by automated means
The WP29 has prepared the Guidelines on the right to data portability, available at: