User Rights Under the General Data Protection Regulation


The GDPR states its commitment to European citizens and data subjects early in the legislation. Chapter 3 of the GDPR sets out those rights under the heading Rights of the Data Subject.

The Right to be Informed

The first of the eight rights lies in Articles 13 and 14 of the GDPR. Article 13 covers the information organizations must provide when they collect personal data directly from data subjects. Article 14 covers the organization’s obligations when it obtains data about the data subject indirectly or from a third party.

The Right of Access

Article 15 sets out the right of access. It entitles the data subject to obtain a copy of the personal data about them that an organization processes, together with the following information:

  • Why and how you process the data
  • Categories of personal data involved
  • Who sees the data (including and especially in countries outside the EU)
  • How long you intend to store the data
  • How to exercise their rights
  • Any available information about the source of the data when you did not collect it from the data subject
  • Your use of profiling and automated decision-making

The Right to Rectification

Article 16, the right to rectification, gives European data subjects the right to have the personal data they provided to an organization corrected or completed when they believe it is inaccurate or out of date. Organizations must act on such a request “without undue delay.”

The Right to be Forgotten

Article 17 describes the user’s right to erasure, which is better known as the right to be forgotten. The article says that the data subject has the right to ask a data controller to erase their data without undue delay in the following circumstances:

  • “The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed”
  • “The data subject withdraws consent on which the processing is based…”
  • “The data subject objects to processing pursuant to Article 21(1), and there are no overriding legitimate grounds for the processing”
  • “The personal data have been unlawfully processed”
  • “The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject”

In some cases, organizations do not need to comply with a request for erasure. The GDPR lists these circumstances as follows:

  • When processing involves a right to the freedom of expression and information
  • When processing involves compliance with a legal obligation and the public interest
  • When processing includes reasons of public interest within the realm of public health
  • When processing is for archiving in the public interest, historical or scientific research, or statistical purposes, in accordance with Article 89(1)
  • When processing is for the “establishment, exercise, or defence of legal claims”

If the organization’s processing falls under one of these categories, it can refuse the request for erasure, stating the applicable ground for the refusal in its response to the data subject.

The Right to Restrict Processing

Article 18 gives the data subject the right to request the restriction of processing under certain conditions. When such a request is made, the organization must temporarily stop processing the data, provided the request meets one of the following:

  • The data subject contests the accuracy of the data
  • The processing is unlawful and the data subject asks you to restrict the processing rather than erase the data
  • The data controller does not need the data for processing, but they need to keep the data pursuant to the “establishment, exercise, or defence of a legal claim.”

Article 18(3) adds that when an organization has restricted processing at the data subject’s request, it must inform the data subject before lifting the restriction and resuming processing.

The Right to Data Portability

The right to data portability, set out in Article 20, entitles the data subject, under certain circumstances, to receive the personal data a controller holds about them in a structured, commonly used format. The data subject may then transmit that data to another controller or use it for their own purposes.

The Right to Object

Article 21 gives data subjects the right to object to the processing of their personal data, including profiling, on grounds relating to their particular situation.

Rights Related to Automated Decision-Making and Profiling

The eighth right lies in Article 22: automated individual decision-making, including profiling. The right not to be subject to a decision based solely on automated processing has three exceptions in which it cannot be exercised:

  1. When automated decision-making is necessary to enter into or complete a contract
  2. When the decision is authorized by Union or Member State law and suitable safeguards protect the data subject’s rights, freedoms, and legitimate interests
  3. When the profiling or decision-making occurs with the subject’s explicit consent

About Author

Senior IT Risk Analyst, Information Security and Assurance | Fordham University

A Certified Information Privacy Professional/United States (CIPP/US) and Certified Information Privacy Manager (CIPM) privacy professional who is a versatile and creative writer, fusing a background in communications and academics with expertise in business writing to deliver quality, customized material spanning technical, marketing, policy, and social media content. Creative, resourceful, and flexible, able to adapt to changing priorities and maintain a positive attitude, strong work ethic, and humor.