Personal Data Rights Explained: Data Subject Rights in Light of GDPR

February 5, 2025

Our mission is to make data protection easy for people: easy to understand and easy to read about. We do that through our blog posts, making it easy for the end-user to understand personal data protection.

With cyber threats evolving in sophistication and complexity, organisations dealing with personal data are being pushed to ensure that data privacy is always upheld. Any breach of personal data can have catastrophic repercussions for both the organisation and its consumers, for example data exfiltration, data theft, damage to company reputation, hefty fines or even imprisonment.

Even more starkly, the UK Information Commissioner’s Office (ICO) reported receiving more than 38,514 data protection complaints in the 2019-20 financial year. In a world where business operations are mostly performed online, ensuring proactive personal data protection and keeping users in the loop is therefore critical. This is why almost all countries in the world have enforced data privacy laws on organisations dealing with personal data.

In this article, we will dive deeper into the rights consumers hold under the General Data Protection Regulation (GDPR).

What is Personal Data?

According to Article 4(1) of GDPR, personal data is any information relating to an identified or identifiable person, who is known as a ‘data subject’ in GDPR. GDPR counts as personal data all information that, alone or in combination, can make a person identifiable.

Data counted as “subject data” includes:

  • Personally Identifiable Information (PII): Names, email addresses, contact details, identification numbers, etc., are categorised as personally identifiable information (PII).
  • Online identifiers: Device IP addresses, tracking cookies, and other user-tracking techniques used to monitor the online behaviour of visitors are classed as online identifiers.
  • Location data: IP addresses, GPS data, mobile location data, geographical location, etc., used to locate a person are called location data.
  • Biometric data: Iris scans, fingerprints, age verification data, facial recognition data, etc., are called biometric data.
  • Health data: Health records on both physical and mental condition, diagnosis reports, etc., that make a patient identifiable are categorised as health data.
  • Financial data: Data on financial transactions, bank account details, credit/debit card numbers, etc., fall under financial data.

What are Data Subject Rights?

The GDPR, which applies to organisations dealing with the personal data of EU citizens, and the DPA 2018, enforced in the UK, have set out stringent data protection rules. Both regulations have extraterritorial effect, meaning they apply to both local and international data transfer and processing activities. Any organisation, regardless of its location, falls under the scope of the regulations if it deals with personal data of the aforementioned areas.

The data subject’s rights are the same under both GDPR and the Data Protection Act (DPA) 2018/UK GDPR.

In this article, we will discuss personal data rights in light of GDPR. 

Who Do Data Subject Rights Apply to?

Under GDPR, citizens of the EU and EEA hold some well-defined rights while organisations (controllers or processors) process their personal data.

Individuals protected by GDPR data subject rights include: 

  • EU residents: Citizens of the EU member states whose data is being processed by any EU or non-EU controller or processor.
  • Non-EU citizens within the EU: Non-EU citizens residing in the EU or EEA member states are covered by GDPR data subject rights if their data is being processed by an organisation.
  • Residents living outside the EU: Individuals living outside EU territory are covered by GDPR if any EU-based organisation (controller or processor) processes their data.

Empowering Individuals: Data Subject Rights

1. The Right to be Informed

Set out in Article 13 of GDPR, the Right to be Informed gives individuals the right to be provided with specific information. It includes:

  • The identity and contact details of the data controller processing their data
  • The purpose and legal basis of data collection and processing
  • The recipients or potential recipients of the data
  • Information about any intended international data transfer

This information should be provided through a data privacy notice that should also include:

  • The timeframe for data retention
  • Details of data subject rights, including the right to withdraw consent at any time and to file a complaint
  • The existence of automated decision-making, including profiling

The controller is mandated to inform data subjects about any further data processing beyond the purpose mentioned at the time of data collection. This obligation is waived if the data subject already possesses this information.

2. The Right of Access

GDPR empowers data subjects with the right to access their personal data held by the controller. The Right of Access is detailed in Art. 15 GDPR and requires organisations to respond to a data subject access request (DSAR) within one month of receiving it.

Upon getting a DSAR, the controller must provide data subjects with:

  • Confirmation of whether their personal data is being processed
  • A copy of the personal data the controller holds about them
  • Details of the categories of personal data collected and processed, the purpose of processing, information on data sharing, etc.

3. The Right to Rectification

According to Art. 16 GDPR, data subjects hold the right to ask organisations dealing with their personal data to rectify it if an error is found. GDPR obliges organisations to rectify data immediately after receiving the request and to ensure the rectified data is accurate, consistent and complete. The Right to Rectification ensures that only accurate and up-to-date data is processed.

4. The Right to Erasure (or The Right to be Forgotten)

The Right to Erasure, detailed in Art. 17 GDPR, allows data subjects to request that organisations delete their personal data if:

  • The purpose for which the data was collected and processed has been met.
  • The data subject withdraws their consent to data processing and there is no other legal ground for further processing.
  • The data subject objects to further processing of their personal data and there is no legal basis for continuing the processing activities.
  • The processing activities violate the Regulation and are hence considered unlawful.
  • Deleting the data is necessary to comply with a legal obligation under the Regulation.

Please note that in certain conditions, for example to establish or defend legal claims, organisations are allowed to retain the personal data they hold.

5. The Right to Restrict Processing

Under Article 18 GDPR, data subjects hold the right to limit the processing of their personal data. The Right to Restrict Processing allows organisations to store the data, but further processing of it is not permissible unless specific conditions are met.

Individuals hold the right to restrict the processing of their personal data if any of the following applies:

  • The accuracy of the personal data is contested by the data subject.
  • The processing activities are unlawful but the data subject does not want the data to be erased.
  • The purpose of the processing has been met but the data subject needs the data for a legal claim.
  • The processing activities have been objected to by the data subject.

6. The Right to Data Portability

Set out in Article 20 GDPR, the Right to Data Portability empowers individuals with the right to have their personal data transmitted from the controller holding it to another controller without hindrance. With this right, GDPR aims to give data subjects more control over their data, allowing free movement of data among controllers (service providers).

The right to data portability applies when:

  • The processing is based on the data subject’s consent or on a contract between the controller and the data subject.
  • The processing is carried out by automated means.

Controllers are obliged to provide the requested data for transmission in a structured, usable and machine-readable format.

7. The Right to Object

According to Article 21 GDPR, data subjects hold the right to object to data processing at any time.

The right applies in particular when the processing is for direct marketing purposes, including profiling to the extent that it relates to direct marketing.

8. Rights Related to Automated Decision-making and Profiling

According to Art. 22 GDPR, data subjects can object to decisions based solely on automated processing, including profiling. This right applies if the decision has legal effects on the data subject or similarly significantly affects them.

With this right, individuals can ask controllers for human intervention, express their point of view and contest the automated decision.

GDPR aims to ensure that the personal data of data subjects is always protected, and any breach of the aforementioned rights is therefore considered an act of non-compliance. GDPR holds controllers and processors (where applicable) accountable for upholding these rights. For any violation of the provisions of the Regulation, two tiers of fines are levied based on the degree of non-compliance:

  • Tier 1: Up to 2% of annual revenue or €10 million, whichever is greater
  • Tier 2: Up to 4% of annual revenue or €20 million, whichever is greater

Thomas Lambert