GDPR Data Subject Rights: Complete Guide for Organizations
How to handle data subject requests? Right of access, rectification, erasure, portability, and objection.
GDPR grants individuals a range of rights regarding their personal data. Organizations must be ready to fulfill these requests within specified timeframes. Improper handling risks complaints and fines. Here is a complete guide to data subject rights and their implementation.
Right of access (Art. 15)
The person has the right to obtain confirmation of processing, access to data, information about purposes, data categories, recipients, storage period, data source. Response within one month, free of charge (unless requests are manifestly unfounded or excessive). Quick location of all persons data is key.
Right to rectification (Art. 16)
The person may request correction of inaccurate data or completion of incomplete data. Rectification must be propagated to all recipients to whom data was disclosed. Deadline - without undue delay. Documenting changes is crucial for accountability.
Right to erasure - "right to be forgotten" (Art. 17)
The person may request data erasure when: data is no longer necessary, consent withdrawn, objection raised, processing is unlawful, child data collected without consent. Exceptions: freedom of expression, legal obligations, legal claims. Erasure must cover all systems, including backups.
Right to data portability (Art. 20)
The person may receive their data in machine-readable format and transmit it to another controller. Applies to data processed based on consent or contract, in automated manner. Format is usually JSON or CSV. This right supports competition and user control.
Right to object and restriction (Art. 18, 21)
The person may object to processing based on legitimate interest or marketing purposes (marketing - absolute). They may also request processing restriction during verification. Organization must have procedures for handling these requests and systems enabling data "freezing".
**Revelio** and **Detecto** enable quick location of all persons data in the organization - crucial for fulfilling access and erasure rights. **Oblivio** automates data deletion across all systems. Wizards.io accelerates DSAR handling from days to hours.
GDPR data subject rights are not a formality - they are obligations with deadlines and sanctions. Automating data location and deletion is key to effective request handling.