Rights of the data subject

It is essential for organisations to be aware of the individual's rights under the GDPR. The controller has a responsibility to make individuals aware of their rights and to ensure that sufficient mechanisms are in place to act on them.


  1. The right to be informed (Article 13 & 14 of the GDPR)
  2. The right of access (Article 15 of the GDPR)
  3. The right to rectification (Articles 16 & 19 of the GDPR)
  4. The right to erasure (Articles 17 & 19 of the GDPR)
  5. The right to restrict processing (Article 18 of the GDPR)
  6. The right to data portability (Article 20 of the GDPR)
  7. The right to object (Article 21 of the GDPR)
  8. Rights in relation to automated decision making and profiling (Article 22 of the GDPR).

In most cases, the controller will have up to one month to process an individual rights request, and unlike previous data protection legislation, these requests can be made verbally and at no cost to the individual.



What privacy information should we provide to individuals (Right to be informed)?

The ICO offers the table below, which summarises the information a controller must provide to individuals.

What you need to tell people differs slightly depending on whether you collect personal data from the individual it relates to or you obtain it from another source.

| What information do we need to provide? | Personal data collected from individuals | Personal data obtained from other sources |
|---|---|---|
| The name and contact details of your organisation | ✓ | ✓ |
| The name and contact details of your representative | ✓ | ✓ |
| The contact details of your data protection officer | ✓ | ✓ |
| The purposes of the processing | ✓ | ✓ |
| The lawful basis for the processing | ✓ | ✓ |
| The legitimate interests for the processing | ✓ | ✓ |
| The categories of personal data obtained | | ✓ |
| The recipients or categories of recipients of the personal data | ✓ | ✓ |
| The details of transfers of the personal data to any third countries or international organisations | ✓ | ✓ |
| The retention periods for the personal data | ✓ | ✓ |
| The rights available to individuals in respect of the processing | ✓ | ✓ |
| The right to withdraw consent | ✓ | ✓ |
| The right to complain to a supervisory authority | ✓ | ✓ |
| The source of the personal data | | ✓ |
| The details of whether individuals are under a statutory or contractual obligation to provide the personal data | ✓ | |
| The details of the existence of automated decision-making, including profiling | ✓ | ✓ |

What is the right of access?

The right of access, exercised through a subject access request (SAR), gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why an organisation is using their data, and to check that the organisation is doing so lawfully.

Individuals have the right to obtain the following from the organisation:

  • confirmation that the organisation is processing their personal data;
  • a copy of their personal data; and
  • other supplementary information – this largely corresponds to the information that the organisations should provide in their privacy notice.

In addition to a copy of their personal data, organisations also have to provide individuals with the following information:

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the organisation discloses the personal data;
  • the organisation's retention period for storing the personal data or, where this is not possible, the criteria for determining how long the organisation will store it;
  • the existence of their right to request rectification, erasure or restriction, or to object to such processing;
  • the right to lodge a complaint with the ICO or another supervisory authority;
  • information about the source of the data, where it was not obtained directly from the individual;
  • the existence of automated decision-making (including profiling); and
  • the safeguards the organisation provides if it transfers personal data to a third country or international organisation.

What privacy professionals should do:

  • Ensure a fundamental understanding of what data you process.
  • Establish a process to intake requests, one that is easy on both the individual and staff. A request may arrive through many routes, and the person receiving it needs to recognise that a request under the GDPR is being made; individuals typically will not know or use the exact wording of the law.
  • Once the request is received, have a process to review it, evaluate the data referenced, the reasons for processing the data, retention periods and assess any exceptions.
  • Have a response process.
  • Have an appeals process that goes beyond the individual whose request was denied.
  • Retain documentation throughout the process.

Should we provide a specially designed form for individuals to make a subject access request?

Recital 59 of the GDPR recommends that organisations ‘provide means for requests to be made electronically, especially where personal data are processed by electronic means’.
