Skip main navigation

Rights of data subjects

Read this article to learn more about the rights of data subjects under the GDPR.
Data subject and data controller
© University of Groningen

We have seen that with processing personal data come great responsibilities and obligations for controllers and processors. This includes making sure that data subjects are able to exercise their rights. Chapter III of the GDPR provides data subjects with a number of rights.

The idea is that organisations and companies gather a lot of data from people in order to provide services or to sell products. This data can tell these organisations and companies a lot about a person. Persons thus give up some of their privacy in order to receive the services or purchase the goods. This is why processing personal data needs to be lawful and fair and why the GDPR provides persons with rights. In order to exercise these rights persons need to know what data concerning them are collected, used, consulted or otherwise processed. This is referred to as the principle of transparency, which requires that any information and communication relating to the processing of personal data needs to be easily accessible and easy to understand, i.e. in clear and plain language. A person needs to know who processes the data, what the purpose of processing is, what the risks, rules, safeguards and rights are and how to exercise them.

Acces, rectification, erasure, restriction of processing

Data subjects also have the right of access to personal data which have been collected in order to verify the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records. If the data is inaccurate, the data subject has the right to rectification thereof and in certain cases the right to erasure of the data (also referred to as the right to be forgotten) or the right to restriction of processing. In case of rectification, erasure or restriction, the controller needs to notify any recipient to whom the personal data have been disclosed. For example, if it turns out that some of Anna’s data in her hospital medical record is inaccurate, the hospital needs to notify the parties this data has been shared with, such as her GP.

Data portability

If Anna wants to change physicians, she has the right to receive her data from her current one and transmit it to the new one. This is called the right to data portability. If the legal basis for processing personal data is carried out in the public interest, in exercise of official authority, is necessary for a legitimate interest or if personal data are processed for direct marketing purposes, Anna also has the right to object to the processing. A final interesting right for data subjects is the right not to be subject to automated decision-making, including profiling. Automated means, without the interference of a human being. Profiling is the use of personal characteristics or behaviour patterns to make generalisations about a person, for example the targeted advertisments Anna received were due to tracking her online behaviour patterns. When data brokers have enough patterns about a person, a profile can be made which tells a lot about a person.

If these rights of data subjects are infringed, they have the right to lodge a complaint with a supervisory authority (Article 77) or the right to an effective legal remedy against a controller or processor before a national court (Article 79).

In this step you learned more on the rights of data subjects. Which of these rights do you think help protect a data subject, such as Anna or yourself, best? And why? Please discuss this with other learners on the discussion board.

© University of Groningen
This article is from the free online

Protecting Health Data in the Modern Age: Getting to Grips with the GDPR

Created by
FutureLearn - Learning For Life

Our purpose is to transform access to education.

We offer a diverse selection of courses from leading universities and cultural institutions from around the world. These are delivered one step at a time, and are accessible on mobile, tablet and desktop, so you can fit learning around your life.

We believe learning should be an enjoyable, social experience, so our courses offer the opportunity to discuss what you’re learning with others as you go, helping you make fresh discoveries and form new ideas.
You can unlock new opportunities with unlimited access to hundreds of online short courses for a year by subscribing to our Unlimited package. Build your knowledge with top universities and organisations.

Learn more about how FutureLearn is transforming access to education