The GDPR data subject rights

May 24, 2021

A graphic of a blue and purple gradient background.

The GDPR is one of the most robust global privacy laws in effect today. Created by the European Union (EU) and put into effect in 2018, the GDPR outlines certain obligations organizations must follow, limiting how personal data can be used. A crucial part of the GDPR is the data subject rights it grants an individual regarding personal data usage. Ultimately, the rights give individuals more autonomy over their personal information and how it’s used.

What are the GDPR data subject rights?

The General Data Protection Regulation (GDPR) outlines 8 fundamental data subject rights, plus the right to withdraw consent, which guarantees individual autonomy over both personal data and its processing.  Let’s take a deeper look at each of the GDPR data subject rights:

  • Right to be informed (GDPR Articles 12 to 14): Data subjects have the right to be informed about the collection and use of their personal data.
  • Right to access (GDPR Article 15): Data subjects have the right to view and request copies of their personal data.
  • Right to rectification (GDPR Article 16): Data subjects have the right to request inaccurate or outdated personal information be updated or corrected.
  • Right to be forgotten/Right to erasure (GDPR Article 17): Data subjects have the right to request their personal data be deleted. Note that this is not an absolute right and may be subject to exemptions based on certain laws.
  • Right to data portability (GDPR Article 20): Data subjects have the right to ask for their data to be transferred to another controller or provided to them. The data must be provided in a machine-readable electronic format.
  • Right to restrict processing (Article 18): Data subjects have the right to request the restriction or suppression of their personal data.
  • Right to withdraw consent (GDPR Article 7): Data subjects have the right to withdraw previously given consent to process their personal data.
  • Right to object (GDPR Article 21): Data subjects have the right to object to the processing of their personal data.
  • Right to object to automated processing (GDPR Article 22): Data subjects have the right to object to decisions being made with their data solely based on automated decision making or profiling.

OneTrust launched the first-to-market Data Subject Access Request (DSAR) portal, allowing data subjects to submit requests directly to organizations that process their data. This allows organizations to demonstrate compliance and automate record-keeping by operationalizing the fulfillment of data subject requests. The comprehensive solution helps organizations comply with data subject requests made under the GDPR. Explore the portal and learn more!

You may also like


Responsible AI

Unpacking the EU AI Act

Prepare your business for EU AI Act and other AI regulations with this expert webinar. We explore the Act's key points and requirements, building an AI compliance program, and staying ahead of the rapidly changing AI regulatory landscape.

July 12, 2023

Learn more


Consent & Preferences

Live demo: How to automate consent and preference management with OneTrust

In this webinar, we demonstrate how OneTrust Consent and Preferences helps build stronger customer relationships by providing transparency, giving users control over their data use, and delivering personalized experiences.

June 29, 2023

Learn more


Privacy Management

Unpacking the EU-US DPF

In this webinar, we cover the new EU-US Data Privacy Framework (EU-US DPF) and what privacy program managers need to know for post-Schrems II data transfers.

June 28, 2023

Learn more