Data Protection

Data Subject Rights

The set of rights granted by the GDPR to individuals (data subjects) with respect to their personal data, including the rights of access, rectification, erasure, restriction, portability, and objection.

Full Definition

The GDPR establishes a comprehensive set of rights for data subjects in Chapter III (Articles 12-23). These rights empower individuals to maintain control over their personal data and are a cornerstone of the EU's data protection framework. Controllers must facilitate the exercise of these rights and respond to requests without undue delay and in any event within one month.

The core data subject rights include: the right of access (Article 15), to obtain confirmation of whether personal data are being processed and access to that data; the right to rectification (Article 16), to have inaccurate data corrected; the right to erasure or "right to be forgotten" (Article 17), to have personal data deleted under specified circumstances; the right to restriction of processing (Article 18), to limit how data are used; the right to data portability (Article 20), to receive personal data in a structured, commonly used, machine-readable format; and the right to object (Article 21), to object to processing based on legitimate interests or for direct marketing.

Additionally, Article 22 provides rights related to automated individual decision-making and profiling, including the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. This right is particularly relevant in the context of AI systems, where automated decisions may be made about individuals based on algorithmic assessments.

Controllers must provide information about data subject rights in their privacy notices and establish efficient internal processes to handle requests. The right to lodge a complaint with a supervisory authority (Article 77) and the right to an effective judicial remedy (Articles 78-79) serve as enforcement mechanisms. Non-compliance with data subject rights can result in administrative fines of up to EUR 20 million or 4% of annual worldwide turnover.
