Data Subject Rights

Make sense of GDPR data subject rights with this guide. Practical tips and a template to guide your processes.


Introduction

In the GDPR, the term "data subjects" refers to individuals whose personal data is being processed. This could include customers, citizens, website visitors, or any other individuals whose data your organisation handles.

This is one of the most crucial areas of the regulation, as it concerns the rights of those whose data you process.

This article provides an in-depth review of these rights and explains how your organisation can ensure that the rights of data subjects are respected and upheld.

We will go through each right in detail and examine what they mean for your organisation. If you require a deeper understanding, it is recommended that you read the legal text carefully.

The first half of this article outlines the rights in detail, while the second half contains practical tips on handling data subject rights within your organisation.

Data Subjects' Rights

We will first review the rights of data subjects as defined in the GDPR and simultaneously explain how your organisation can manage them in practice. However, it is important to note that there are certain limitations to data subjects' rights. These limitations are described in Section 22 of the Data Protection Act and may be relevant depending on the specific circumstances and the purpose of the data processing.

Transparent Information (Article 12)

Communication Requirements

The first requirement in Article 12 concerns how you communicate with data subjects whose personal data you process.

The GDPR states that all information provided to data subjects in connection with the processing of their personal data, as required under Articles 13-22 and 34, must be presented "in a concise, transparent, intelligible and easily accessible form, using clear and plain language." The information should be adapted to the recipient's ability to understand it. For instance, information aimed at children should be formulated in a clear and straightforward manner suited to them.

As a general rule, the information should be provided in writing, but it may also be given orally if the data subject requests it.

Articles 13-22 and 34 specify the requirements that an organisation must meet in its communication with data subjects. Article 12 establishes the general format requirements for this communication.

Identity

If you receive a request regarding data subjects' rights but cannot confirm the identity of the requester, you have the right to request additional information. This is essential to prevent personal data from being disclosed to the wrong recipient, which would constitute a data breach.

Deadlines

When you receive a request from a data subject under Articles 15-22, you must process the request within one month. If it is not possible to fulfil the request within this timeframe, the deadline may be extended by up to two months.

If you opt for an extension, you must inform the data subject as soon as possible and no later than one month after receiving the request. At the same time, you must provide a justification for why the request cannot be processed within the original deadline.

Refusal

If you choose not to comply with a data subject's request, you must inform them within one month of receiving the request and provide a reason for the refusal. Additionally, this refusal must include information about the data subject's right to lodge a complaint.

Free of Charge

It must be free for data subjects to exercise their rights.

Only in cases where the data subject is deemed to be abusing their rights can you consider charging a fee for processing the request or alternatively refuse it. In such situations, your organisation bears the responsibility of documenting that the request constitutes an abuse of rights.

Duty to Inform (Articles 13 and 14)

Before you begin processing a data subject's personal data, you are obligated to inform them about this processing. Articles 13 and 14 specify how this information must be provided, and this duty to inform has been thoroughly covered in this article.

Right of Access (Article 15)

A data subject has the right to request access to the processing of their personal data by your organisation. If such a request is received, your organisation must provide a copy of the data being processed about the data subject.

Along with this copy, the data subject must be informed of the following:

  • Purpose of processing: Explain why personal data is being processed.

  • Categories of personal data: Specify the types of data being processed.

  • Disclosure to third parties: Inform about any recipients of personal data or categories of recipients, especially if they are located in third countries or international organisations.

  • Processing timeframe: Indicate how long the personal data is expected to be processed or the criteria that determine when processing ends and data is deleted.

  • Other rights: Inform about the data subject's rights, including the right to rectification, erasure, restriction, and objection to processing.

  • Right to complain: Notify about the right to lodge a complaint with a supervisory authority.

  • Source of data: If the data was not collected directly from the data subject, you must disclose its source.

  • Automated decisions: If the processing involves automated decisions that may have significant consequences for the data subject, explain the logic behind the decisions and their significance and expected consequences.

  • Transfers to third countries or international organisations: If personal data is transferred outside the EU, you must inform about the necessary safeguards that protect the data during the transfer, as outlined in GDPR Article 46.

When sending information to the data subject, it must be clear and easily understandable to comply with the requirements in Article 12.

Right to Rectification (Article 16)

If personal data concerning a data subject is found to be incorrect, the data subject has the right to have it corrected as soon as possible.

It is also one of the seven data protection principles that your organisation must ensure that personal data is accurate and up to date, as set out in Article 5(1)(d).

Right to Erasure ("Right to be Forgotten") (Article 17)

In some cases, the data subject has the right to have their personal data deleted, meaning that your organisation may no longer process the data subject's personal information.

The right to erasure applies in the following situations:

  • Purpose no longer relevant: If the purpose of processing has been fulfilled, e.g., when a job applicant's CV is no longer needed after the hiring process is completed.

  • Withdrawal of consent: If processing is based on consent and the data subject withdraws it.

  • Objection: If the data subject objects to the processing of their personal data based on your organisation's legitimate interest or public interest, processing must stop unless you can demonstrate compelling legitimate grounds that outweigh the data subject's interests, rights, and freedoms. In cases of direct marketing, the objection is absolute, meaning that processing must cease immediately.

  • Unlawful processing: If processing has been conducted without a lawful basis.

  • Legal obligation: If the law requires that the data be deleted.

  • Data relating to minors: If personal data about a child has been collected, such as through a streaming service or an educational platform, deletion may be requested if the data is no longer necessary for the original purpose or if the consent that justified processing is withdrawn.

Right to Restriction of Processing (Article 18)

A data subject has the right to request the restriction of the processing of their personal data in certain situations, particularly when a request is under review or requires clarification.

Restriction of processing can be requested in the following cases:

  • Inaccurate data: If the accuracy of the personal data is disputed and verification is required.

  • Unlawful processing: If the processing is unlawful, but the data subject prefers restriction instead of erasure.

  • No longer needed by the organisation: If the data is no longer necessary for the organisation's purposes but is still required by the data subject to establish, exercise, or defend a legal claim.

  • Objection to processing: If the data subject has objected to processing based on the organisation’s legitimate or public interest and is awaiting a decision on whether these interests outweigh their rights.

When processing is restricted, the data may only be stored. Processing may, however, resume if the data subject consents, or if it is necessary for legal claims, for the protection of the rights of another person, or for important public interests. The data subject must be informed before the restriction is lifted.

Notification Obligation (Article 19)

If your organisation has disclosed a data subject’s personal data to a third party and then receives a request for rectification, erasure, or restriction of processing, those third parties must be informed.

Your organisation must make this notification unless it is impossible or disproportionately difficult.

If the data subject requests it, your organisation must also inform them of the recipients of their personal data.

Right to Data Portability (Article 20)

A data subject has the right to receive their personal data in a commonly used format, such as a CSV file, and to have the data transferred directly to another organisation if:

  • Processing is based on consent or a contract.

  • Processing is carried out automatically using software.

The right to data portability does not apply if processing is necessary for performing public authority tasks or serving public interests, or if it would infringe on the rights or freedoms of others.

Right to Object (Article 21)

A data subject has the right to object to the processing of their personal data if:

  • Processing is based on the organisation’s legitimate interests or a task in the public interest. However, the organisation may continue processing if it can demonstrate compelling legitimate grounds that override the data subject's rights or if processing is necessary for legal claims.

  • Data is used for direct marketing. In this case, processing must immediately cease.

  • Data is used for research or statistical purposes unless the processing is necessary to serve public interests.

Automated Individual Decision-Making, Including Profiling (Article 22)

A data subject has the right not to be subject to a decision based solely on automated processing if the decision has legal consequences or significantly affects them.

This right does not apply if the automated decision:

  • Is necessary for fulfilling a contract.

  • Is authorised by law, which also includes safeguards to protect the data subject.

  • Is based on the data subject’s explicit consent.

Even in these cases, human intervention must be possible, and the data subject must have the opportunity to express their views and challenge the decision. Automated decisions must not be based on sensitive personal data without additional protective measures.

Handling Data Subject Access Requests (DSARs)

In practice, it can be challenging to distinguish between different rights. For example, if an individual requests access to their data, they may also want to have it erased, rectified, or otherwise amended. Employees handling customer interactions should be trained to identify such requests.

When your organisation receives a subject access request, it is crucial to follow a structured and practical approach to ensure compliance with GDPR.

Identifying Requests

Requests can come in various forms: written, verbal, or digital, such as via email or social media. They do not have to explicitly mention "GDPR" or "subject access right." If the request concerns access to personal data, it must be processed accordingly.

It is advisable to establish a logging system for tracking all requests, including the date received, request details, and the responsible staff member, to ensure traceability and oversight.

Identity Verification

Before processing a request, you must verify the requester’s identity. If there is any doubt, you can request additional documentation, such as a copy of identification.

Clarification and Scope

If the request is unclear or appears excessive, you may contact the data subject to clarify which data or processing activities they seek information about.

While awaiting clarification, the processing deadline may be paused. Ensure that the data subject is informed of this clearly.

Locating Personal Data

Use internal systems to locate relevant data. Data may be stored in customer databases, HR systems, emails, or other sources.

Ensure that the retrieved data pertains solely to the data subject. If third-party data is included, it should be anonymised or removed unless its disclosure is necessary.

Assessing Exemptions and Limitations

Under GDPR and national laws, certain requests may be partially denied. This may occur if data disclosure infringes on another person’s rights or if legal restrictions apply.

If a request is denied, you must clearly explain the reason and inform the data subject of their right to lodge a complaint. The burden of proof lies with your organisation to justify any refusal.

Delivering Data

Data must be provided in an easily understandable format, such as PDF or CSV. Information should be structured to facilitate comprehension. If the request was submitted electronically, the response should also be delivered electronically unless the requester prefers otherwise. Ensure secure transmission to prevent unauthorised access.

Meeting Deadlines

Requests must be handled within one month of receipt. If a request is complex, processing may be extended by up to two months. However, the data subject must be informed of this extension within the initial one-month period.

Documenting the Process

Keep records of the entire request-handling process, from receipt to data delivery. Document the provided data, the delivery date, and the method used. This documentation may be required in case of complaints or regulatory audits.
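The deadline rules from the Article 12 section above (one month, an extension of up to two months that must be announced within the first month) and the request-handling steps just described (log every request, verify identity before releasing data, pause while awaiting clarification, document delivery) can be turned into a small request register. The following is an added example written for this guide; it is not code from the original article or from any authority. The calendar-month arithmetic that clamps to the last day of a shorter month, the seven-day "due soon" warning, the rule that the clock pauses for the days spent awaiting clarification, and all identifiers and sample dates are assumptions made for the example.

```python
"""DSAR register with GDPR Article 12 deadline tracking (added example, not from the original article).

Assumptions made here: the response period is one calendar month from receipt, an
extension of up to two further months must be announced within that first month, and
the clock pauses for the days spent waiting for the data subject to clarify an unclear
request. Month arithmetic clamps to the last day of a shorter month
(31 January + 1 month = 28/29 February), a rule chosen for this example.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of a shorter target month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class Dsar:
    request_id: str          # constructed identifier, e.g. "DSAR-0001"
    received: date
    rights: list[str]        # one request may combine several rights, e.g. access + erasure
    channel: str             # email, phone, social media, ...
    handler: str             # responsible staff member
    identity_verified: bool = False
    extension_months: int = 0
    paused_days: int = 0
    closed_on: date | None = None
    log: list[str] = field(default_factory=list)   # audit trail for complaints or audits

    def note(self, day: date, text: str) -> None:
        self.log.append(f"{day.isoformat()} {text}")


def deadline(req: Dsar) -> date:
    """One month from receipt, plus any granted extension, plus days the clock was paused."""
    return add_months(req.received, 1 + req.extension_months) + timedelta(days=req.paused_days)


def deadline_iso(received: str, extension_months: int = 0, paused_days: int = 0) -> str:
    """Same calculation on ISO date strings, handy for checklists."""
    due = add_months(date.fromisoformat(received), 1 + extension_months)
    return (due + timedelta(days=paused_days)).isoformat()


def verify_identity(req: Dsar, day: date, evidence: str) -> None:
    req.identity_verified = True
    req.note(day, f"identity verified ({evidence})")


def pause_for_clarification(req: Dsar, asked_on: date, answered_on: date) -> None:
    """Clock stops while the data subject is asked to clarify scope; they are told so."""
    days = (answered_on - asked_on).days
    if days < 0:
        raise ValueError("answer cannot precede the question")
    req.paused_days += days
    req.note(asked_on, "clarification requested; data subject informed that the clock is paused")
    req.note(answered_on, f"clarification received; clock resumed after {days} day(s)")


def extend(req: Dsar, day: date, months: int, reason: str) -> None:
    """Grant an extension only once, for 1 or 2 months, and only within the first month."""
    if months not in (1, 2):
        raise ValueError("extension must be one or two months")
    if req.extension_months:
        raise ValueError("already extended")
    if day > deadline(req):   # extension_months is still 0 here, so this is the first-month limit
        raise ValueError("notice of extension must reach the data subject within the first month")
    req.extension_months = months
    req.note(day, f"extended by {months} month(s): {reason}; data subject notified with reason")


def close(req: Dsar, day: date, delivered_via: str) -> None:
    """Release data only after identity verification; record how and when it was delivered."""
    if not req.identity_verified:
        raise ValueError("cannot release personal data before the requester's identity is verified")
    req.closed_on = day
    req.note(day, f"response delivered via {delivered_via}")


def status(req: Dsar, today: date) -> str:
    due = deadline(req)
    if req.closed_on:
        return "closed" if req.closed_on <= due else "closed_late"
    if today > due:
        return "overdue"
    if not req.identity_verified:
        return "awaiting_identity"
    return "due_soon" if (due - today).days <= 7 else "open"


def demo() -> dict[str, str]:
    """Walk one constructed request through the whole life cycle; values are sample data."""
    req = Dsar("DSAR-0001", date(2024, 1, 31), ["access", "erasure"], "email", "dpo@example.invalid")
    out = {"original_deadline": deadline(req).isoformat()}            # 2024-02-29 (leap year clamp)
    out["status_before_id"] = status(req, date(2024, 2, 5))
    verify_identity(req, date(2024, 2, 6), "copy of ID matched customer record")
    pause_for_clarification(req, date(2024, 2, 7), date(2024, 2, 12))  # +5 days
    extend(req, date(2024, 2, 20), 2, "data spread across HR, CRM and mail archives")
    out["extended_deadline"] = deadline(req).isoformat()              # 2024-05-05
    try:
        extend(req, date(2024, 2, 21), 1, "second try")
    except ValueError as err:
        out["second_extension"] = str(err)
    out["status_mid"] = status(req, date(2024, 3, 1))
    out["status_late"] = status(req, date(2024, 5, 6))
    close(req, date(2024, 4, 30), "encrypted download link")
    out["status_closed"] = status(req, date(2024, 5, 6))
    out["log_entries"] = str(len(req.log))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The register deliberately refuses to close a request before identity has been verified and refuses a second extension or a late one, so the log it produces is the documentation the section above asks you to keep: who received what, when identity was checked, why and when the deadline moved, and how the data was delivered.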

Template

The Danish Data Protection Authority provides a subject access request template that can be used to respond to access requests.

This template adheres to GDPR’s formatting requirements, so using it correctly ensures compliance.

As the template is in Word format, it can be easily adapted to your organisation’s specific needs. We recommend tailoring it in advance so that it is ready for immediate use within your organisation.

A Workday with Data Subjects' Rights

All employees processing personal data in your organisation should be familiar with data subjects’ rights. This is especially relevant for staff interacting with customers, citizens, and other stakeholders. They are often on the front line when individuals seek to exercise their rights, and it is essential that they recognise these requests so the appropriate steps can be taken.

In organisations with a Data Protection Officer (DPO), the DPO is responsible for ensuring compliance with these rights and for training relevant staff.

Additionally, the DPO will act as the contact person for inquiries regarding data subjects' rights, such as access requests.

In smaller organisations without a DPO, the responsibility may fall on the designated GDPR compliance officer.

Training employees on data subjects’ rights is in everyone’s best interest. Therefore, it is beneficial to develop training materials on this topic or use GDPR awareness training.

Conclusion

Data subjects' rights empower individuals to control their data and impose clear obligations on organisations regarding data processing.

This article has outlined these rights and provided practical advice on how to handle them correctly, ensuring compliance and fostering trust within your organisation.

 
