Rights of the data subjects:
The GDPR significantly strengthens the rights of data subjects. These rights are a central part of the regulation and are designed to give individuals more control over their personal data. Here are the most important rights explained in detail:
- Right to information (Article 15 GDPR):
  - Data subjects have the right to obtain confirmation from the controller as to whether or not personal data concerning them are being processed.
  - If such processing takes place, they have the right to access those data and certain information, including:
    - the processing purposes
    - the categories of personal data being processed
    - the recipients or categories of recipients to whom the data have been or will be disclosed
    - the envisaged period for which the data will be stored, or, if that is not possible, the criteria used to determine that period
    - the existence of a right to rectification or erasure of personal data concerning them or to restriction of processing by the controller or a right to object to such processing
    - the existence of a right of complaint to a supervisory authority
    - if the personal data are not collected from the data subject, all available information as to their origin
    - the existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject
- Right to rectification (Article 16 GDPR):
  - Data subjects have the right to request the immediate rectification of inaccurate personal data concerning them.
  - In addition, they have the right to request that incomplete personal data be completed, including by means of providing a supplementary statement.
- Right to erasure (right to be forgotten) (Article 17 GDPR):
  - Data subjects have the right to request the controller to erase personal data concerning them without undue delay and the controller is obliged to erase personal data without undue delay where one of the following reasons applies:
    - The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
    - The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2), and where there is no other legal ground for the processing.
    - The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).
    - The personal data were processed unlawfully.
    - The erasure of personal data is necessary to fulfill a legal obligation under Union or Member State law to which the controller is subject.
    - The personal data were collected in relation to the offer of information society services pursuant to Article 8(1).
- Right to restriction of processing (Article 18 GDPR):
  - Data subjects have the right to request the controller to restrict processing if one of the following conditions applies:
    - the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
    - the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of the use of the personal data instead;
    - the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them to assert, exercise or defend legal claims;
    - the data subject has objected to processing pursuant to Article 21(1), as long as it has not yet been verified whether the legitimate grounds of the controller override those of the data subject.
- Right to data portability (Article 20 GDPR):
  - Data subjects have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and they have the right to transmit those data to another controller without hindrance from the controller to which the personal data were provided, provided that:
    - the processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) or on a contract pursuant to Article 6(1)(b) and
    - the processing is carried out using automated procedures.
  - In exercising their right to data portability pursuant to paragraph 1, data subjects shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
- Right to object (Article 21 GDPR):
  - Data subjects have the right to object at any time to processing of personal data concerning them based on point (e) or (f) of Article 6(1), including profiling based on these provisions, for reasons related to their particular situation. The controller shall no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing serves to assert, exercise or defend legal claims.
Summary:
The rights of data subjects under the GDPR are designed to strengthen data protection and give individuals more control over their personal data. Companies and organizations must respect these rights and take appropriate measures to ensure they comply with the requirements of the regulation. Implementing these rights is an important task that lies at the core of data protection compliance.