OneTrust GDPR Deep Dive Series Chapter 3: Rights of the Data Subject

One of the most important goals of the GDPR is to protect data subjects against unauthorised or unlawful processing and against accidental loss, destruction or damage, which is why Chapter 3 Rights of the Data Subject is organized and divided among five sections.

Prior to GDPR, Directive 95/46/EC was (“the Directive”) intended to:

  • Protect data subjects’ fundamental rights and freedoms;
  • Enable the free movement of personal data within the EU;
  • Contribute to economic and social progress and trade; and
  • Address the processing of personal data in the light of technological progress

The GDPR incorporates these intentions, but adds one more thing to this list:

  • Harmonise data protection laws across the EU.

While the objectives of the GDPR and the Directive are closely aligned, the Directive created similar, but not identical, protection laws across the EU. The more “harmonised” approach under the GDPR is intended to create uniformity that would make it easier for organizations to do business with one another, and to do so with greater legal certainty.

The Directive initially decreed that the law would protect a natural person’s data, but wouldn’t specifically exclude the personal data of a deceased person. Under GDPR, the law will not apply to the personal data of the deceased, however, member states can determine their own rules.

Finally, the GDPR has introduced some other new obligations and has stipulated certain types of data processing that are outside its scope:

  • Any activity outside the scope of EU law (e.g., activities of a Member State in relation to national criminal law);
  • Any activity performed by Member States when carrying out activities in relation to the common foreign and security policy of the EU;
  • Any activity performed by a natural person in the course of a purely personal or household activity;
  • Any processing by the EU itself;
  • Any activities performed by national authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security; or
  • performance of judicial functions.

Chapter 3 Sections, Articles & Descriptions

Section 1 –– Transparency and Modalities
Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject

Section 2 –– Information and Access to Personal Data
Article 13: Information to be provided where personal data are collected from the data subject
Article 14: Information to be provided where personal data have not been obtained from the data subject
Article 15: Right of access by the data subject

Section 3 –– Rectification and Erasure
Article 16: Right to rectification
Article 17: Right to erasure (“right to be forgotten”)
Article 18: Right to restriction of processing
Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20: Right to data portability

Section 4 –– Right to Object and Automated Individual Decision-Making
Article 21: Right to object
Article 22: Automated individual decision-making, including profiling

Section 5 –– Restrictions
Article 23: Restrictions


GDPR will come into effect on May 25, 2018, and OneTrust believes that every global organization should start considering how to best implement efficient and effective data-handling practices that are replicable and consistent. The GDPR Deep Dive Series delves into each chapter of the GDPR to summarize key takeaways of the new governance in an easy-to-digest format. It is intended to help privacy executives with implementation and operationalization of GDPR regulations, and will be published bi-weekly on our blog.