
What are the 7 rights of GDPR?

What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law in the European Union (EU) that came into effect on May 25, 2018. It was designed to bring consistency and strengthen data protection for individuals within the EU while also addressing the export of personal data outside the EU. The GDPR applies to organizations that process personal data within the EU as well as to organizations outside the EU that offer goods or services to EU residents or monitor their behavior. It places significant obligations on organizations and grants individuals certain rights with regards to their personal data. The GDPR has seven key rights that individuals can exercise to protect their privacy and control how their personal data is handled. These rights include the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, and the right to object. By establishing these rights, the GDPR aims to give individuals more control over their personal data and ensure that organizations handle it responsibly and transparently.

Overview of the 7 rights of GDPR

The General Data Protection Regulation (GDPR) grants individuals a number of rights concerning their personal data. These rights are designed to give individuals more control over their own data and to ensure that their privacy is protected in the digital age.

  1. Right to be informed: Individuals have the right to be informed about how their personal data is being processed. This includes information about the purposes for processing, the retention periods, and any third parties that will have access to the data.
  2. Right to access: Individuals can request access to their personal data and information on how it is being used. This allows them to verify the lawfulness of the processing and to ensure the accuracy of their personal data.
  3. Right to rectification: Individuals have the right to have their personal data corrected if it is inaccurate or incomplete. This ensures that their personal data remains up to date and reliable.
  4. Right to erasure: Also known as the 'right to be forgotten,' individuals can request the deletion or removal of their personal data if there is no compelling reason for its continued processing. This right is not absolute and is subject to certain limitations.
  5. Right to restrict processing: Individuals have the right to restrict the processing of their personal data in certain circumstances. This means that their personal data can be stored, but not used further until the restriction is lifted.
  6. Right to data portability: Individuals can obtain the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and have it transmitted to another controller where technically feasible.
  7. Right to object: Individuals can object to the processing of their personal data in certain circumstances, including an absolute right to object to processing for direct marketing purposes.

These rights give individuals control over their personal data by allowing them to know what information is being collected, how it is being used, and by whom. Individuals can also request corrections or deletion of their personal data if they deem it necessary. By providing these rights, the GDPR aims to protect the privacy and personal data of individuals in an increasingly digital world.

Right to access

The right to access is one of the fundamental rights under the GDPR. It gives individuals the power to request access to their personal data that is being processed by organizations. This right enables individuals to be aware of and verify the lawfulness of the processing of their data, including how it is being collected, used, stored, and shared. By exercising this right, individuals can gain insight into the types of personal data being processed, the purposes for processing, the recipients of the data, and the retention periods. This right empowers individuals to ensure the accuracy and integrity of their personal data and allows them to take necessary actions if they identify any inaccuracies or misuse. Organizations must respond to access requests promptly and provide individuals with a copy of their personal data, along with any additional information required to ensure transparent and informed processing. Overall, the right to access is crucial in facilitating individuals' control over their personal data and enhancing their privacy rights.

Requesting data access

Under the General Data Protection Regulation (GDPR), individuals have the right to request access to the personal data that is being collected and processed by a data controller. This right to data access allows individuals to be aware of and verify the lawfulness of the processing of their personal data.

When making a data access request, individuals should submit their request in writing to the data controller. The data controller must then respond to the request within 30 days and provide specific information about the personal data held. This includes the purposes of processing, the categories of personal data being processed, details of any transfers to third parties or international organizations, the storage period of the data, the rights that individuals have in relation to their data, the right to lodge a complaint with a supervisory authority, the source of the data if it was not collected directly from the individual, and whether any automated decision-making or profiling is being conducted.

By providing individuals with the ability to request access to their data, GDPR promotes transparency and empowers individuals to take control of their personal information. It ensures that individuals have the means to verify and correct any inaccuracies in their data. Data controllers have a legal obligation to respond to these requests in a timely manner and provide the requested information in a clear and understandable format.

Obligations of data controllers/data processors

GDPR grants individuals the right to restrict the processing of their personal data under certain circumstances. Data controllers and data processors have specific obligations to comply with this right.

Firstly, data controllers and processors must have a clear policy in place to receive and acknowledge requests from individuals to restrict the processing of their personal data. This policy should outline the steps to be taken in response to such requests.

Secondly, technical measures must be implemented to ensure the portability of the restricted data. This means that the data should be stored in a format that allows for easy transfer and retrieval.

Additionally, data controllers and processors must provide a method for individuals to communicate their requests to restrict processing. This can include providing a designated contact person or an online portal for submitting requests.

Complying with these obligations is essential to respect the rights of individuals under GDPR and ensure that their personal data is handled appropriately. By establishing clear policies, meeting technological requirements, and providing effective communication channels, data controllers and processors can fulfill their obligations and uphold the right to restrict processing.

Timeframe for responding to requests for access

Under the General Data Protection Regulation (GDPR), data controllers are required to respond to subject access requests (SARs) in a timely manner. Upon receipt of an SAR, data controllers must provide the requested information without delay and within one month.

However, in certain circumstances, this timeframe can be extended by an additional two months. This extension may be necessary if the SAR is complex or if the data controller is dealing with a large volume of requests. If an extension is required, the data controller must inform the individual within one month of receiving the SAR and provide an explanation for the delay.

When responding to an SAR, it is important to provide the requested information in an accessible, concise, and intelligible format. This means that the information should be presented in a way that allows the individual to easily understand it. Additionally, data controllers must ensure that the disclosure of the requested information is done securely to protect the individual's personal data.

Adhering to the timeframe for responding to requests for access is crucial for data controllers in order to meet their obligations under the GDPR and respect individuals' rights to access their personal data.

Right to rectification

The Right to Rectification is one of the fundamental rights granted by the General Data Protection Regulation (GDPR). This right gives individuals the power to request the rectification or correction of their personal data if it is inaccurate or incomplete. Data subjects have the right to ensure that their personal information is kept accurate and up to date, and they can request the modification of any errors or gaps in their data. Under the GDPR, data controllers are obliged to respond to such requests without undue delay, and to rectify or complete the data accordingly. In addition to correcting the information, data controllers are also required to inform any third parties with whom the data has been shared, ensuring that the rectified information is accurately reflected across all systems, databases, and platforms. The Right to Rectification is an essential aspect of GDPR, empowering individuals to have greater control over the accuracy of their personal data, and ensuring their privacy rights are respected in the digital era.

Making changes to personal data held by companies

Making changes to personal data held by companies in compliance with GDPR involves a clear process that protects individuals' privacy rights. GDPR grants individuals the right to access, rectify, and erase their personal data held by companies.

Data controllers, which are the companies or organizations that determine the purposes and means of processing personal data, have the obligation to facilitate these changes. They must respond to requests from individuals within one month and provide the requested information in a readable format.

Data processors, who process personal data on behalf of the data controller, must assist the controller in fulfilling these requests and ensuring GDPR compliance. They must implement the necessary technical and organizational measures to protect personal data and promptly inform the controller of any breaches or changes requested by individuals.

To make changes to personal data, individuals can submit a request to the data controller stating their specific requirements. The controller must verify the individual's identity before processing the request. If the personal data is inaccurate or incomplete, the controller must rectify it promptly. If the individual requests the erasure of their personal data, the controller must comply unless there are legal obligations or legitimate grounds for continued processing.

Obligations of data controllers/data processors

The General Data Protection Regulation (GDPR) outlines several obligations for data controllers and data processors to ensure compliance with data protection laws. Data controllers, which are the companies or organizations that determine the purposes and means of processing personal data, have a legal obligation to adhere to the principles of GDPR and protect individuals' privacy rights.

Data controllers must implement appropriate technical and organizational measures to ensure the security and confidentiality of personal data. They must also provide individuals with clear and transparent information about how their data is processed, including the legal basis for processing, the purposes of processing, and the retention periods for the data.

Data processors, on the other hand, are entities that process personal data on behalf of the data controller. They have a responsibility to assist data controllers in fulfilling their obligations under GDPR. This includes implementing appropriate security measures, promptly notifying the data controller in case of a data breach, and cooperating with supervisory authorities.

Both data controllers and data processors must also ensure that individuals' rights under GDPR are respected. This includes responding to subject access requests, rectifying inaccurate or incomplete data, and erasing personal data when requested, unless there are legal obligations or legitimate grounds for continued processing.

By fulfilling these obligations, data controllers and data processors can ensure compliance with GDPR and protect individuals' rights to privacy and data protection.

Right to erasure (‘right to be forgotten’)

The right to erasure, also known as the 'right to be forgotten,' is one of the seven rights granted to individuals under the General Data Protection Regulation (GDPR). This right allows individuals to request the deletion or removal of their personal data when there are no legal obligations or legitimate grounds for the continued processing of the data. Data controllers and processors are responsible for promptly fulfilling these requests, ensuring that personal data is permanently erased from their systems. The right to erasure empowers individuals to regain control over their personal information and protect their privacy rights. It is an important aspect of privacy laws and serves as a safeguard against the unlawful processing of personal data. By exercising this right, individuals can prevent their personal data from being used for direct marketing purposes or any other processing activities that they no longer consent to. Compliance with the right to erasure is crucial for organizations to avoid reputational damage, regulatory penalties, and legal liabilities.

Requesting a company to delete personal data held about you

Requesting a company to delete personal data held about you is an essential step in exercising your privacy rights under the General Data Protection Regulation (GDPR). To initiate this process, individuals need to submit a request for erasure, also known as the right to be forgotten.

To make a successful request, individuals should take the following steps:

  1. Identify the data controller: Determine the organization or individual responsible for the processing of your personal data.
  2. Submit a written request: Prepare a formal request for erasure, stating that you want the company to delete all personal data it holds about you.
  3. Provide essential information: Include relevant details like your full name, contact details, and any unique identifiers you have with the organization.
  4. Specify the data: Clearly identify the categories or specific pieces of personal data you want to be deleted. This will help the company locate and remove the information accurately.

Data controllers have specific obligations when responding to erasure requests. They must:

  1. Acknowledge the request: Confirm receipt of the erasure request within one month and inform you of their actions.
  2. Evaluate the request: Assess the validity of the request and verify whether there are any lawful grounds to refuse the erasure.
  3. Delete the data: If the request is valid, the data controller must delete the specified personal data, as well as any copies or backups, without undue delay.

Data processors, who process personal data on behalf of the data controller, also have obligations. They must assist the data controller in fulfilling the request and ensure the deletion of the data they hold.

Requesting the deletion of personal data is an essential right under the GDPR, providing individuals with more control over their information and safeguarding their privacy.

Obligations of data controllers/data processors

In accordance with Article 18 of the General Data Protection Regulation (GDPR), data controllers and data processors have specific obligations regarding the right to restrict processing of personal data.

Data controllers, who determine the purposes and means of processing personal data, are obligated to handle requests to restrict processing in the following manner. Firstly, upon receiving such a request from an individual, the data controller must promptly acknowledge the receipt of the request and inform the individual of any actions taken or intended to be taken. Secondly, the data controller must evaluate the validity of the request and determine whether there are any lawful grounds to refuse the request. If the request is valid, the data controller is obliged to restrict the processing of the personal data in question.

Data processors, who process personal data on behalf of the data controller, also have obligations when it comes to requests to restrict processing. They must assist the data controller in fulfilling the request and ensure that the processing of the specified personal data is restricted accordingly.

Right to restrict processing

The right to restrict processing is one of the fundamental rights guaranteed under the General Data Protection Regulation (GDPR). This right allows individuals to request the limitation of processing activities related to their personal data. Data controllers, who determine the purposes and means of processing, and data processors, who process personal data on behalf of the data controller, have specific obligations when handling requests to restrict processing. These obligations include acknowledging and responding to the request, evaluating its validity, and adhering to any lawful grounds for refusal. Both data controllers and processors must take reasonable steps to ensure that the processing of personal data is restricted in accordance with the individual's request. By providing individuals with the right to restrict processing, the GDPR aims to empower individuals to have greater control over their personal data and protect their privacy.

Asking a company not to use your personal information in certain ways

The General Data Protection Regulation (GDPR) grants individuals several rights to ensure the protection of their personal data. One of these rights is the right to restrict processing. This right allows individuals to ask a company not to use their personal information in certain ways.

There are several circumstances in which individuals can exercise their right to restrict processing. Firstly, if they believe that the processing of their personal data is unlawful, they have the right to request the company to stop using their information. Additionally, if the personal data is inaccurate, individuals can request the restriction of processing until the data is corrected.

Furthermore, individuals can make this request if the processing is no longer necessary for the purpose it was collected for. In such cases, individuals can ask the company to restrict the processing of their personal data.

Lastly, if individuals have objected to the processing of their personal data, they can also request the restriction of processing. This objection can be based on legitimate grounds or if the processing is carried out for direct marketing purposes.

By exercising their right to restrict processing, individuals can have control over how their personal information is used by companies. This right provides them with further protection under the GDPR and ensures that their personal data is handled in a lawful and responsible manner.

Obligations of data controllers/data processors

Under the General Data Protection Regulation (GDPR), data controllers and data processors have certain obligations in relation to the right to restrict processing of personal data.

Data controllers, who determine the purposes and means of processing, are responsible for ensuring that individuals' requests to restrict processing are handled appropriately. They must promptly respond to such requests and provide information on actions taken. Data processors, on the other hand, are required to assist data controllers in fulfilling their obligations.

To comply with this right, data controllers and processors must act within certain requirements. They should verify the identity of the individual making the request and assess the validity of the grounds for restriction. If the request is legitimate, the processing of the individual's personal data should be restricted from further use.

Responding to such requests must be done without undue delay and preferably within one month. In complex cases, this timeframe can be extended by an additional two months. However, data controllers must inform the individual about the reasons for the extension within one month of receiving the request.

To ensure compliance, data controllers and processors should establish clear internal procedures for handling requests to restrict processing. They should educate staff on the right to restrict processing and train them on appropriate response procedures. Additionally, data controllers should maintain clear records of requests received and actions taken to demonstrate compliance.

By fulfilling their obligations, data controllers and processors can respect the right to restrict processing and protect individuals' privacy rights under the GDPR.
