OneTrust GDPR Deep Dive Series Chapter 3: Rights of the Data Subject

One of the most important goals of the GDPR is to protect data subjects against unauthorised or unlawful processing and against accidental loss, destruction or damage, which is why Chapter 3 Rights of the Data Subject is organized and divided among five sections.

Prior to GDPR, Directive 95/46/EC was (“the Directive”) intended to:

The GDPR incorporates these intentions, but adds one more thing to this list:

While the objectives of the GDPR and the Directive are closely aligned, the Directive created similar, but not identical, protection laws across the EU. The more “harmonised” approach under the GDPR is intended to create uniformity that would make it easier for organizations to do business with one another, and to do so with greater legal certainty.

The Directive initially decreed that the law would protect a natural person’s data, but wouldn’t specifically exclude the personal data of a deceased person. Under GDPR, the law will not apply to the personal data of the deceased, however, member states can determine their own rules.

Finally, the GDPR has introduced some other new obligations and has stipulated certain types of data processing that are outside its scope:

Chapter 3 Sections, Articles & Descriptions

Section 1 –– Transparency and Modalities
Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject

Section 2 –– Information and Access to Personal Data
Article 13: Information to be provided where personal data are collected from the data subject
Article 14: Information to be provided where personal data have not been obtained from the data subject
Article 15: Right of access by the data subject

Section 3 –– Rectification and Erasure
Article 16: Right to rectification
Article 17: Right to erasure (“right to be forgotten”)
Article 18: Right to restriction of processing
Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20: Right to data portability

Section 4 –– Right to Object and Automated Individual Decision-Making
Article 21: Right to object
Article 22: Automated individual decision-making, including profiling

Section 5 –– Restrictions
Article 23: Restrictions


GDPR will come into effect on May 25, 2018, and OneTrust believes that every global organization should start considering how to best implement efficient and effective data-handling practices that are replicable and consistent. The GDPR Deep Dive Series delves into each chapter of the GDPR to summarize key takeaways of the new governance in an easy-to-digest format. It is intended to help privacy executives with implementation and operationalization of GDPR regulations, and will be published bi-weekly on our blog.