GDPR and the 8 Fundamental Data Subject Rights

Last updated: 2019-12-20 — GDPR

The internet is filled with so many people and businesses fighting to be remembered that it can be easy to overlook how many users would rather not make a lasting impression. Now that the European Union’s General Data Protection Regulation has taken effect, the rights of privacy-seeking internet users have been strengthened.

The right to erasure, commonly known as the right to be forgotten, is one of eight fundamental rights in the GDPR laid out to protect consumers and their data. These rights are not new rules, per se, and were part of the national law of most EU member countries before the GDPR came into effect. Consider the GDPR a codification of existing rules, accompanied for the first time ever by a high level of fines and penalties (up to 4% of a company’s global revenue or €20 million, whichever is larger).

GDPR has put privacy at the top of the agenda for companies around the world, and now is the time to get acquainted with the full slate of “new” data subject rights and the responsibilities that go along with them.

Along with Article 17, aka the right to be forgotten, GDPR provides for:

  • The right to access (Article 15): Consumers can request information about any personal data that has been collected on them, as well as how that data is being processed
  • The right to rectification (Article 16): Organizations that collect inaccurate personal data about an individual have a responsibility to correct that information
  • The right to restriction of processing (Article 18): With certain exceptions, consumers may request limits to how their data is processed by websites
  • The right to be informed (Article 19): Data controllers have a responsibility to inform consumers how their data is being used and with whom it is being shared
  • The right to data portability (Article 20): Consumers must be able to transfer their data between electronic processing systems, essentially preventing any one organization from taking sole ownership of any individual’s data
  • The right to object (Article 21): Consumers can raise an objection any time they feel data is being used improperly, and the data controller must halt processing until they can prove otherwise
  • The right to individual decision-making (Article 22): Consumers are protected against any automated data-processing that might involve profiling them based on personally identifiable information

How can you protect these data subject rights?

Reading through all of those personal data rights might seem a little daunting (some of them are decidedly on the technical side), but keeping tabs on them is essential for any website doing business with or collecting data from consumers in the EU. So long as a person is within the confines of the European Union, their personal data is protected under the GDPR. The regulation also extends to website owners or administrators overseas. Companies in the United States, for example, are bound by the rules of the GDPR if they collect personal data as part of a service being offered in the European Union. An example could be personal information obtained by a US-based website in relation to a delivery address within the European Union.

Of these core eight rights, the right to be forgotten has fueled arguably the most discussion online. It sounds like a simple enough concept on the surface, but it represents a fundamental change in the way most websites handle personal data. Until now, organizations that collect user data were allowed to store that information indefinitely. GDPR specifies that data collectors must erase these materials if they are no longer needed, if they were processed illegally or improperly, or in certain cases if the person whose data has been collected requests their deletion.

This isn’t a situation where companies can forget someone gradually over time, either. Article 17 of the GDPR specifies that data controllers have an “obligation to erase personal data without undue delay.” Essentially, this means that once personal data has served its intended purpose, it needs to be immediately expunged from the collector’s database (within 30 days of receiving the request). And if a consumer requests that you delete all known data about them, you must, as a main rule, comply unless the exceptions mentioned in Article 17 are present (other legal basis for processing or if the processing is necessary).

How is "personal data" defined?

So what constitutes personally identifiable information? The simplest definition is “anything that could reveal any facet of a person’s identity.” Generally speaking, that includes, but is not limited to, names, email addresses, photos and videos, physical or mailing addresses, IP addresses, and phone numbers: basically all of the information collected by any website that conducts transactions or requires members to sign in.

This probably looks like a gigantic task for site owners. There’s no question that it is a challenge for plenty of companies, but taking an organized, educated approach to data processing can go a long way toward bringing your site into GDPR compliance. This can be a particular challenge for companies that have been online for a long while or have used multiple domains or IP addresses. The larger your online presence, the better the chance that there’s data buried in forgotten corners of the internet. Organizations that fit that profile may wish to invest in an automated tool that can scan all properties affiliated with their websites, as this is a very difficult task to tackle by hand.


Have you automated your GDPR web compliance process? Siteimprove Data Privacy locates the personal data you handle online so you can pinpoint and remove that data across your websites, minimizing the risk of fines and other legal consequences.
