Advoke International


Data Subject Rights

Data Subject Rights are legal entitlements granted to individuals under privacy regulations, allowing them to control their personal data. These rights include access, rectification, erasure, restriction, portability, and objection to processing, ensuring transparency, accountability, and enhanced data protection for individuals.
Data subject rights are critical under data protection frameworks like the EU & UK GDPR, DPDPA (India), DIFC and CPRA. These rights grant individuals control over their personal data, ensuring that organizations handle it transparently, fairly, and securely. By empowering individuals to manage how their data is collected, processed, and stored, these rights help protect privacy and maintain trust between consumers and businesses.

Key Data Subject Rights

Right to be Informed

The right to be informed ensures that individuals are fully aware of how their personal data is being collected and processed. Organizations must provide clear, concise, and easily accessible information about the purposes, lawful basis, and retention periods of data processing, as well as the individual’s rights regarding their data.

  • Example: A mobile app must notify users about the data it collects, how it is used (e.g., for personalized ads), and how long it will be retained, typically in a privacy policy at the time of registration or data collection.

Right to Access

Individuals can request access to the data organizations hold about them, along with information about its processing. This right enables individuals to confirm whether their data is being processed and how it is being used.

  • Example: A customer may request a copy of their personal data from a utility company to review how their usage data is being processed for billing purposes.

Right to Rectification

This right allows individuals to request that inaccurate or incomplete data be corrected. Organizations must act on these requests without undue delay.

  • Example: If a person’s email address is misspelled on an e-commerce platform, they can request its correction.

Right to Erasure (Right to be Forgotten)

Individuals have the right to request the deletion of their personal data, particularly when it is no longer necessary for the purpose for which it was collected or if consent is withdrawn.

  • Example: A person may ask an online retailer to remove their account and personal details after they stop using the platform.

Right to Restrict Processing

The right to restrict processing enables individuals to limit the ways in which their data is processed. Data can still be stored but not actively processed in certain situations, such as during a dispute over data accuracy.

  • Example: A customer disputes a charge on their account and requests that their payment details not be processed until the issue is resolved.

Right to Data Portability

This right allows individuals to transfer their personal data between service providers in a structured, commonly used, and machine-readable format. It facilitates consumer choice and helps individuals maintain control over their data.

  • Example: A user may want to transfer their email contacts from one service provider to another.

Right to Object

Individuals have the right to object to the processing of their personal data for certain purposes, such as direct marketing or profiling. If an objection is raised, the organization must stop processing unless it has compelling legitimate grounds to continue.

  • Example: A user objects to receiving promotional materials from a company and can request that their data no longer be used for marketing.

Rights Related to Automated Decision-Making, Including Profiling

This right prevents individuals from being subjected to decisions made solely based on automated processing, such as profiling, that have legal consequences or significantly affect them.

  • Example: An individual may challenge an automated rejection from a loan application that was based entirely on algorithmic processing.

Right to Nomination (DPDPA – India)

Under the Digital Personal Data Protection Act (DPDPA) 2023 in India, individuals have the right to nominate a representative to act on their behalf regarding their data protection rights. This is particularly useful when the individual is unable to exercise these rights due to death, incapacity or other limitations.

  • Example: A data subject may nominate another person to exercise their data rights or request data rectification in the event of their death.

Terminology and Global Variations

The EU GDPR and UK GDPR set the standard for data subject rights, but other jurisdictions adopt similar principles with some regional variations.

  • DPDPA (India): In addition to the rights above, India’s Digital Personal Data Protection Act (2023) introduces the right to nomination, which allows individuals to appoint someone else to exercise their data rights on their behalf.
  • UAE PDPL: The UAE Personal Data Protection Law reflects many of the same data subject rights, such as the right to access, rectification, and erasure, but its application may vary across sectors and specific regulations.
  • DIFC Data Protection Law: The DIFC (Dubai International Financial Centre) Data Protection Law recognizes similar rights, including access, rectification, and erasure, to ensure compliance with global privacy standards.

Why Data Subject Rights Matter

  1. Empowerment of Individuals: Data subject rights allow individuals to manage and protect their personal information. By exercising these rights, individuals can ensure that organizations use their data responsibly.
  2. Building Trust: Organizations that respect data subject rights foster trust with their customers. Transparency about how data is processed and the ability for individuals to exercise control over their data are key to maintaining a positive relationship.
  3. Legal Compliance: Upholding data subject rights is a legal obligation under various data protection laws, such as the GDPR and DPDPA. Failing to respect these rights can result in significant penalties and reputational damage.
  4. Protection Against Data Misuse: Data subject rights ensure that individuals’ data is not misused. These rights impose limitations on how personal data can be used, ensuring it is processed fairly and for legitimate purposes only.

Real-World Example

Consider an individual who signs up for a fitness tracking app. After several months, they want to know what data the app has collected, especially regarding their health information. They exercise their right to be informed by reviewing the app’s privacy policy, and then use the right to access to request all the data the app holds. Later, they notice an error in their recorded weight data, so they use the right to rectification to correct it. If they decide to stop using the app, they may request the right to erasure, ensuring their data is deleted from the app’s service records.

Data subject rights are essential under global data protection laws, ensuring individuals have control over their personal data. These rights allow individuals to manage how their data is processed and ensure that organizations remain transparent and accountable. By safeguarding these rights, organizations not only comply with legal obligations but also foster trust and protect privacy.

Frequently Asked Questions

What should businesses do if a customer exercises their right to erasure (Right to be Forgotten)?

When a customer exercises their right to erasure, the business must ensure that all personal data related to that individual is deleted, provided that there is no valid reason to retain it (e.g., legal obligations or contracts). If the data has been shared with third parties, those third parties must also be informed to delete the data.

Can businesses refuse to fulfil a data subject request?

Businesses may refuse to fulfil a data subject request in certain circumstances, such as when the request is manifestly unfounded or excessive. However, organizations must justify their refusal and communicate the reasons to the individual. For example, a request for erasure might be refused if the data is still necessary for legal or contractual obligations.

What is the right to nomination (DPDPA India), and how does it affect businesses?

The right to nomination under the DPDPA allows individuals to nominate someone else to exercise their data protection rights on their behalf, especially in cases of incapacity or death. Businesses must recognize this right, ensure that they allow individuals to nominate a representative, and verify the representative's authority where necessary.

How should businesses handle requests for access to personal data?

When an individual requests access to their personal data, the business must provide a copy of the data held about them along with information on how it is processed. This must be done within the time frame required by law, typically within 30 days under GDPR. Businesses should also ensure that the data is delivered in a clear and accessible format.

Global solutions for privacy, information security and technology compliances

Advoke International
Sheikh Rashid Tower, 1703 Sheikh Zayed Rd, Trade Centre 2, World Trade Centre, Dubai, United Arab Emirates
© 2025 Advoke International. All rights reserved.