GDPR Rights: What every data controller and the data subject must know

On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect across the EU. It is Europe’s new privacy law, replacing the old 1995 Data Protection Directive. Since it came into force, it has been hailed as the biggest change in data protection in 20 years.

Why was GDPR imposed?

As technology has evolved, digital transformation has become critical for organizations. Every business, small or big, is taking everything online. Consequently, the amount of data generated, created, and stored began skyrocketing. GDPR is a means of addressing the challenges in sharing, storing, and using data, and of streamlining and bringing transparency to cross-border business. GDPR gives businesses an upper hand in controlling and managing enterprise-wide data.

Thus, along with new rules to use and guard the data, there came new GDPR rights to handle the data. In this blog, we will be concentrating on the GDPR rights that every organization needs to know beforehand. 

GDPR rights for every data subject and individual

One of the major achievements of Europe’s General Data Protection Regulation (GDPR) is ensuring complete protection of the subject’s data. GDPR ensures the protection and privacy of the data by giving data subjects certain rights. Using these rights, the data subject can make a specific request to stay assured of the safety and privacy of his/her data. Before providing any personal or sensitive information, the data subject can now ascertain that his/her data will not be misused for any purpose other than the primary objective for which it is being collected.

Here are the GDPR rights that everyone must be aware of 

Right of Access

As per Article-15 of the GDPR, data subjects have the right of access: the right to obtain information from the data controller regarding details of the data collected from them. In short, if an organization or an entity collects personally identifiable information from the data subject, then he/she has the right to ask for access to that data.

What is it?

According to Article-15, the data subject can, if needed, confirm with the data controller whether their data is being processed. If it is, the requestor has the right to know:

  • A precise copy of the personal data being processed
  • The purpose behind processing the data subject’s personal data
  • The names of the categories for which the data is processed, like Name, Address, Contact Details, etc.
  • A disclosure mentioning the details of the third party with whom the data subject’s personal data is shared, especially if that third party belongs to a different country
  • The exact source (third party) from whom the data is collected, if it is not directly from the data subject
  • For how long the data controller intends to store the data

What are the requirements?

Under GDPR’s right of access, the entire process of requesting access to your data is as easy as sending an email to the website owner. The data subject needing access to his/her private data has to send a formal Subject Access Request (SAR) to the concerned data controller. A data subject can submit the SAR through email, fax, or as a written application, ensuring it leaves a document trail.

Under Article-15, the first copy of the processed personal data is free; for all further requests, the data controller has the authority to charge a reasonable fee. Furthermore, when the request is made electronically, the data copy shall be provided in a commonly used electronic form. Remember, .csv and .txt are the most prevalent formats for electronic requests.


Right to Rectification

According to Article-16 of GDPR, the data subject has the right to ask the data controller to rectify the inaccurate personal data recorded in their database without undue delay. After considering the purpose of data collection, the data subject has the right to get his/her incomplete or inaccurate data rectified after providing a supplementary statement. 

What is it? 

Under Article-16 of the EU’s data protection laws, a data subject can get his/her inaccurate or incomplete data rectified after appending a supplementary statement. A request for rectification should be made verbally, over a phone call, or in writing. The law also makes it mandatory for data controllers to respond within one calendar month to each rectification request.

By law, it is in the interest of the data controller to either accept or reject the rectification request and this right of the data controller is closely guarded by the controller’s obligations mentioned under the Accuracy Principle. 

What are the requirements? 

The GDPR does not specify the exact format for submitting a valid rectification request. Therefore, the data subject can make the request verbally, through email, or in writing. Besides, it is okay to send the request without addressing a specific person or without mentioning the subject line.

If the data controller is in doubt about the identity of the person who has made the rectification request, then it is in the interest of the data controller to ask for additional information validating the identity of the requestor.

After receiving the rectification request, the data controller must validate the identity of the requestor and ensure reasonable steps are taken to rectify the data.
It is the responsibility of the data controllers to comply with the request without undue delay and at the latest within one calendar month from the receipt of the request. 


Right to Erasure

Under Article-17 Part-1 of GDPR, the right to erasure states that the data subject is authorized to have their data removed from the specific data controller’s database and from data processors for obvious reasons like

  • The original purpose for which the data was collected has been fulfilled and there is no more necessity to store and keep the data in question.
  • The data subject is willing to withdraw the consent from processing activities.
  • The data subject has an objection regarding the data processing pursuant and he/she does not have any overriding legitimate interests. 
  • The data that is being processed has been collected using immoral or unlawful techniques. 
  • The data has to be removed to stay compliant with legal obligations. 
  • The data collected under the offer of information – especially that of the children need to be removed immediately. 


What is it? 

The right to erasure is also called the right to be forgotten. Under the right to erasure, or the right to be forgotten, the data subject has the right to have their data removed or deleted from the database. If data subjects do not want their data processed, or if they find that the data controller has no legitimate reason to keep the data, they can ask for the data to be erased.

Similar to most GDPR rights, the right to erasure is not absolute. Under the GDPR Recital 65, the data subject’s right to erasure and right to rectification apply only if their data might infringe the stipulations of the GDPR or another law to which the controller is subject.

The right to erasure or right to be forgotten grants data subjects a possibility to have their data deleted if they don’t want them processed anymore and when there is no legitimate reason for a data controller to keep it. 

What are the requirements?

Whenever a data subject requests erasure of his/her data, it is expected that the data must be erased with immediate effect. The stipulated time frame to react is a maximum of one month from the submission of the data erasure request. Additionally, the data controller has to update the data subject about the erasure of his/her data unless it is impossible to remove it or doing so would involve a disproportionate effort.

However, here are some conditions when the right to erasure does not apply 

  • In compliance with the right to freedom and right to expression.
  • When a situation arises where the data controller is forced to process that data to comply with other laws.
  • In general when the data controller has to process the data in the interest of the public. 
  • In a situation when the data controller has no option but to process the data which is in context of the previously mentioned ‘vested authority’.
  • Considering the scope covered by healthcare, social care, and public health. 
  • To accommodate a broader aspect of public interest, especially the one related to public health, spanning every element from preventive or occupational medicine to diagnosis and social care systems essential to prevent cross-border health threats and more.
  • Data processing that needs to be done to archive public interest especially for scientific, historical, and research purposes having specific objectives. 
  • Data processing that needs to be carried out to establish, practice, or exercise defense or legal-related rights.

NOTE: Everyone here needs to understand that the right to erasure is not at all an absolute or unconditional right. It is implemented with a lot of exceptions and limitations. Therefore, data controllers while dealing with any data erasure request must consider the context of possibility, proportion, costs and so forth. 


Right to Data Portability

Under Article-20 of GDPR, data subjects are empowered to receive the personal data concerning them, which they have provided to the controller organization, in a structured, commonly used, and machine-readable format.

Under the same data portability right, the data subject can, if he/she wants, hand over his/her data to another controller organization, where the data was originally provided to the first controller and where:

  1. the processing is based on consent under point (a) of Article-6(1) or point (a) of Article-9(2) or a contract under point (b) of Article-6(1); and
  2. the processing is carried out by automated means.

Nevertheless, Article-20 also stipulates that, in exercising his/her right to data portability in compliance with paragraph 1, the data subject has the right to have his/her personal data transmitted directly from one data controller to another wherever technically feasible.

Remember, the exercise of the right referred to in paragraph 1 of Article-20 shall be without prejudice to Article-17. That right must not be applied to processing necessary for performing any task carried out in the public interest or in the exercise of the official authority vested in the data controller.

However, the data controller and the data subject together should ensure that the right referred to in Paragraph of this Article must not adversely affect the rights and freedom of others. 

What is it? 

According to the right to data portability, individual data subjects have the right to ask for and receive, from the concerned data authorities, the data which they have provided to the data controller organizations, in a structured, controlled, and machine-readable format. In addition to that, data subjects also have the right to transfer that data to a third party or another data controller organization without any objection from the data controller to whom they presented or submitted it in the first place. The data subject can receive their data and store it on a system carried by the data subject, a hard drive, or a cloud app he/she uses.

Also in this regard, the WP29 guidelines treat data portability as complementary to the right of access. That is, the data subject not only has the right of access but, with the right to portability, can also receive his/her data in a way that makes it easily manageable and reusable.

What are the requirements? 

Although the right to data portability is for the convenience and safety of the data subject, it is still not absolute and is subject to restrictions. In other words, the right can be invoked only when a few specific conditions are met. These conditions are covered under the rest of the paragraphs of Article-20.

Here are the conditions under which a data subject can exercise his/her right to data portability

  • The data subject can exercise the right to data portability when the legal basis for processing is one of the following:
    • Consent, which forms one of the many legal bases set out under GDPR Article-6
    • Explicit consent, described under GDPR Article-9 in the context of special categories of personal data or ‘sensitive data’
    • Contractual necessity, described in GDPR Article-6
  • In addition to consent, explicit consent, or contractual necessity forming the legal basis for processing, the data processing must be carried out automatically, which brings us back to the IT tools and digital ecosystem of the right to data portability.

NOTE: Article-20 of the GDPR also states that the right to data portability must not adversely affect the right to freedom of other data subjects. Typically, this will have consequences for the types of personal data received by the data subject while exercising his/her data portability right.


How will GDPR rights affect your surveys and research?

The new changes in GDPR will have a large impact on the way you handle and manage personal or sensitive data. The GDPR rights provided to data subjects have been discussed above. Many organizations, including us, have been overwhelmed trying to understand the impact of GDPR. Here we would like to explain how the new GDPR and GDPR rights will impact the way you collect, store, process, and share customer and employee survey data.

  • The GDPR will not affect all the companies conducting employee and customer surveys especially when the surveys are conducted anonymously without referring to the personal data. 
  • Nevertheless, to run an anonymous survey, you need to prevent survey respondents from being identified. This is possible only if you do not collect personal information such as email, address, phone number of the respondent. 
  • Even if you are only surveying employees, asking them to specify their age, gender, position, and duration of employment can be enough to identify the employee.

But when you need to ask survey respondents for personal information, you must follow all the GDPR guidelines, and the survey respondent, acting as a data subject, has every right to exercise his/her GDPR rights.

Providing Consent

  • As per Article-7 of GDPR, survey respondents must provide consent allowing the surveying company to collect, handle and process their data.
    • However, the concerned organizations must communicate the purpose of the survey and how collected data will be used. 
    • It is dependent on the survey respondents to either give consent or withdraw from the survey. 
    • It is a better idea to add a consent question (checkbox question type) at the start of the survey ensuring the checkbox is not selected by default. 
    • At any time, respondents reserve the right to revoke their consent or exercise their GDPR rights.

Data minimization

  • Timing does matter while asking for the consent. 
    • Every data subject must give consent to collect his/her data before revealing or submitting any personal data. 
    • It is a better practice to publish all the GDPR information on a separate website containing the GDPR information discussed earlier.
  • According to Article-5 of GDPR, which deals with data minimization, it is better to collect as little data as possible.
    • The best way is to collect just the necessary information. 
    • If you are asking the age of the respondent then avoid putting other questions asking the respondent to choose the age range. 

Compliance information

  • Article-5 also refers to accountability, making it mandatory for organizations to provide information regarding the steps they have taken to stay GDPR compliant.
    • Organizations collecting personal data from subjects must have a processing register, data protection management system or must conduct a comprehensive examination of data processing activities periodically.

Data Controller

  • Every organization that collects or deals with personal data needs to appoint a data controller or data protection officer for systematic and regular monitoring of data subjects and their requests on a larger scale.
    • The appointed data protection officer must have prior experience in handling and protecting data along with the required technical knowledge.
    • In most cases, the organization is accountable for any kind of GDPR violation. However, in some cases, the data protection officer can be held accountable.
    • The data controller must know his rights per the GDPR rights provided to the data subject. 
  • If after following all required measures and after all the efforts to stay GDPR compliant there occurs a data breach, the organization must report the data breach to the appointed supervising authority within 72 hours of its occurrence.

Role of online survey platforms in ensuring GDPR Compliance 

Many organizations would now think it is better to appoint an external company to conduct surveys and comply with GDPR rules. We, being an online survey platform, provide only tools and features to make your survey creation process smooth and flexible. We are a GDPR-compliant survey creator platform, and we provide all the features and guidelines necessary to create GDPR-compliant surveys. We make sure to enter into a processing agreement with all our users. Yet the organization creating and distributing surveys using our online survey platform is technically responsible for all data processing activities.