

{"id":74935,"date":"2019-08-06T05:49:36","date_gmt":"2019-08-06T12:49:36","guid":{"rendered":"https:\/\/www.questionpro.com\/blog\/?p=74935"},"modified":"2023-11-15T06:48:05","modified_gmt":"2023-11-15T06:48:05","slug":"gdpr-rights","status":"publish","type":"post","link":"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/","title":{"rendered":"GDPR Rights: What every data controller and the data subject must know"},"content":{"rendered":"<div class=\"tags-wrap\">\n<p>On May 25, 2018, a new <a href=\"https:\/\/www.questionpro.com\/gdpr\/\">GDPR (General Data Protection Regulation)<\/a> law came into existence across the EU region. This is Europe\u2019s new privacy law replacing the old 1995 Data Protection Directive. Since it came into effect, it has been hailed as the biggest change in data protection in 20 years.<\/p>\n<\/div>\n<h2><b>Why was GDPR imposed?<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">Due to the evolution of technology, digital transformation has become critical for organizations. Every business, small or big, is taking everything online. Subsequently, the amount of data generated, created, and stored began skyrocketing. GDPR is a means to address the challenges in sharing, storing, and using the data, and to streamline and bring transparency to cross-border business. GDPR gives businesses an upper hand in controlling and managing enterprise-wide data.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Thus, along with new rules to use and guard the data, there came new GDPR rights to handle the data. In this blog, we will be concentrating on the GDPR rights that every organization needs to know beforehand.\u00a0<\/span><\/p>\n<h2><b>GDPR rights for every data subject and individual<\/b><\/h2>\n<p><span style=\"font-weight: 400;\">One of the major achievements of Europe\u2019s General Data Protection Regulation (GDPR) is to ensure complete protection of the subject&#8217;s data. 
GDPR ensures the protection and privacy of the data by giving data subjects certain rights. Using these rights, the data subject can make a specific request to stay assured of the safety and privacy of his\/her data. Now the data subject, before providing any personal or sensitive information, can ascertain that his\/her data will not be misused for any purpose other than the primary objective for which it is being collected.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here are the GDPR rights that everyone must be aware of:\u00a0<\/span><\/p>\n<h3><b>Right of Access<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">As per Article-15 of the GDPR, data subjects have the right of access &#8211; the right to obtain information from the data controller regarding details of the data collected from them. In short, if an organization or an entity collects personally identifiable information from the data subject, then he\/she has the right to ask for access to the same data.\u00a0<\/span><\/p>\n<p><b>What is it?<\/b><\/p>\n<p><span style=\"font-weight: 400;\">According to Article-15, the data subject can, if needed, confirm with the data controller whether their data is being processed or not. 
If yes, then the requestor has, if he\/she so intends, the right to know:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">A precise copy of the personal data being processed\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The purpose behind processing the data subject&#8217;s personal data\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The names of the categories for which the data is processed, like Name, Address, Contact Details, etc.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">A disclosure mentioning the details of the third party with whom the data subject&#8217;s personal data is shared &#8211; especially if that third party belongs to a different country\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The exact source (third party) from whom the data is collected, if it is not directly from the data subject\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">How long the data controller intends to store the data\u00a0<\/span><\/li>\n<\/ul>\n<p><b>What are the requirements?<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Under GDPR\u2019s right of access, the entire process to send out a request to grant access to your data is as easy as sending an email to the website owner. The concerned data subject needing access to his\/her private data has to send a formal Subject Access Request (SAR) to the concerned data controller. A data subject can submit the SAR through email, fax, or as a written application, ensuring it leaves behind a document trail.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Under Article-15, the first copy of the processed personal data is free; for all further requests, the data controller has the authority to charge a reasonable fee. 
Furthermore, where a copy of the data is requested electronically, it shall be provided in a commonly used electronic form. Remember, .csv and .txt are the most prevalent formats for electronic requests.\u00a0<\/span><\/p>\n<h3><b>Right to Rectification<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">According to Article-16 of GDPR, the data subject has the right to ask the data controller to rectify the inaccurate personal data recorded in their database without undue delay. After considering the purpose of data collection, the data subject has the right to get his\/her incomplete or inaccurate data rectified after providing a supplementary statement.\u00a0<\/span><\/p>\n<p><b>What is it?\u00a0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Under Article-16 of the EU&#8217;s data protection laws, a data subject can get his\/her inaccurate or incomplete data rectified after appending a supplementary statement. A request for rectification should be made verbally, over a phone call, or in writing. The law also makes it mandatory for data controllers to respond within one calendar month to each rectification request.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">By law, it is in the interest of the data controller to either accept or reject the rectification request and this right of the data controller is closely guarded by the controller&#8217;s obligations mentioned under the Accuracy Principle.\u00a0<\/span><\/p>\n<p><b>What are the requirements?<\/b><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The GDPR law has not specified the exact format to submit a valid rectification request. Therefore, the data subject can make the request verbally, through email or in writing. 
Besides, it is okay to send the request without addressing a specific person or without mentioning the subject line.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">If the data controller is in doubt about the identity of the person who has made the data rectification request, then it is in the interest of the data controller to ask for additional information validating the identity of the requestor.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">After receiving the rectification request, the data controller must validate the identity of the requestor and ensure reasonable steps are taken to rectify the data. <\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">It is the responsibility of the data controllers to comply with the request without undue delay and at the latest within one calendar month from the receipt of the request.\u00a0<\/span><\/p>\n<h3><b>Right to Erasure<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Under Article-17 Part-1 of GDPR, the right to erasure states that the data subject is authorized to have their data removed from the specific data controller&#8217;s database and data processors for obvious reasons like:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The original purpose for which the data was collected has been fulfilled and there is no longer any need to store and keep the data in question. 
<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">The data subject wishes to withdraw consent from processing activities.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The data subject has an objection regarding the data processing pursuant and he\/she does not have any overriding legitimate interests.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The data that is being processed has been collected using immoral or unlawful techniques.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The data has to be removed to stay compliant with legal obligations.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The data collected under the offer of information &#8211; especially that of children &#8211; needs to be removed immediately.\u00a0<\/span><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-74940 size-full\" src=\"https:\/\/www.questionpro.com\/blog\/wp-content\/uploads\/2019\/08\/GDPR-rights.png\" alt=\"right-to-erasure\" width=\"1115\" height=\"720\" \/><\/p>\n<p><b>What is it?\u00a0<\/b><\/p>\n<p><span style=\"font-weight: 400;\">The right to erasure is also called the right to be forgotten. Under the right to erasure or the right to be forgotten, the data subject has the right to have their data removed or deleted from the database. If data subjects do not want their data processed, or if they find that the data controller has no legitimate reason to keep the data, they can ask to erase the data.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Similar to most GDPR rights, the right to erasure is not absolute. 
Under the GDPR Recital 65, the data subject\u2019s right to erasure and right to rectification apply only if their data might infringe the stipulations of the GDPR or another law to which the controller is subject.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The right to erasure or right to be forgotten grants data subjects the possibility to have their data deleted if they don\u2019t want it processed anymore and when there is no legitimate reason for a data controller to keep it.\u00a0<\/span><\/p>\n<p><b>What are the requirements?<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Whenever a data subject requests to erase his\/her data, it is expected that the data must be erased with immediate effect. A maximum of one month from submission of the data erasure request is the stipulated time frame to react. Additionally, the data controller has to update the data subject about the erasure of his\/her data unless it is impossible to remove it or when it involves disproportionate effort.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">However, here are some conditions when the right to erasure does not apply:\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">In compliance with the right to freedom and right to expression.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">When a situation arises where the data controller is forced to process that data to comply with other laws.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">In general, when the data controller has to process the data in the interest of the public.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">In a situation when the data controller has no option but to process the data which is in context of the previously mentioned \u2018vested authority\u2019.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 
400;\">Considering the scope covered by healthcare, social care, and public health.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">To accommodate a broader aspect of public interest, especially the one related to public health, spanning every element right from preventive or occupational medicine to diagnosis and social care systems essential to prevent cross-border health threats and more.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Data processing that needs to be done for archiving in the public interest, especially for scientific, historical, and research purposes having specific objectives.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Data processing that needs to be carried out to establish, practice, or exercise defense or legal-related rights.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">NOTE: <\/span><i><span style=\"font-weight: 400;\">Everyone here needs to understand that the right to erasure is not at all an absolute or unconditional right. It is implemented with a lot of exceptions and limitations. 
Therefore, data controllers, while dealing with any data erasure request, must consider the context of possibility, proportion, costs and so forth.\u00a0<\/span><\/i><\/p>\n<h3><b>Right to Data Portability<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">Under Article-20 of GDPR, the data subjects are empowered to receive personal data concerning them, which they have provided to the controller organization, in a structured, commonly used and machine-readable format.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Under the same data portability right, the data subject can, if he\/she wants, hand over to another controller organization the data originally provided to the first controller, where:\u00a0<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">the processing is based on consent under point (a) of Article-6(1) or point (a) of Article-9(2) or a contract under point (b) of Article-6(1); and<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">the processing is carried out by automated means.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">Nevertheless, Article-20 also stipulates that the data subject, in exercising his\/her right to data portability in compliance with paragraph 1, has the right to transmit or transfer his\/her personal data directly from one data controller to another wherever it is technically feasible.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Remember, the right referred to in paragraph 1 of Article-20 shall be without prejudice to Article-17. 
That right must not be applied to processing for performing any task carried out in the public interest or in the exercise of the official authority bestowed on the data controller.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">However, the data controller and the data subject together should ensure that the right referred to in Paragraph of this Article does not adversely affect the rights and freedoms of others.\u00a0<\/span><\/p>\n<p><b>What is it?<\/b><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">According to the right to data portability, individual data subjects have the right to ask for and receive, from the concerned data authorities, the data which they have provided to the data controller organizations, in a structured, controlled and machine-readable format. In addition to that, the data subjects also have the right to transfer that data to the third party of the other data controller organization without any objection from the data controller to whom they have presented or submitted it in the first place. The data subject can receive their data and store it on a system carried by the data subject, a hard drive or a cloud app he\/she uses.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Also in this regard, the WP29 guidelines treat data portability as complementary to the right of access. Having said that, the data subject not only has the right of access but, with the right to portability, can also receive his\/her data in a way that makes it easily manageable and reusable.\u00a0<\/span><\/p>\n<p><b>What are the requirements?<\/b><span style=\"font-weight: 400;\">\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Although the right to data portability is for the convenience and safety of the data subject, it is still not absolute and is subject to restrictions. Put the other way around, the right can be invoked only when a few specific conditions are met. 
These conditions are covered under the rest of the paragraph of Article-20.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here are the conditions under which a data subject can exercise his\/her right to data portability:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The data subject can exercise the right to data portability when the processing is legally based on:\u00a0<\/span>\n<ul>\n<li style=\"font-weight: 400;\"><b>Consent<\/b><span style=\"font-weight: 400;\">, which forms one of the many legal bases constituted under GDPR Article-6<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>Explicit consent<\/b><span style=\"font-weight: 400;\"> described under GDPR Article-9 in the context of special categories of personal data or \u2018sensitive data\u2019.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><b>Contractual necessity<\/b><span style=\"font-weight: 400;\"> described in GDPR Article-6\u00a0<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The data subject can exercise the right to data portability when, apart from consent and explicit consent, contractual necessity forms the basis for legal processing. Additionally, the data processing is carried out automatically, bringing us back to the IT tools and digital ecosystem of the right to data portability.\u00a0<\/span><\/li>\n<\/ul>\n<p><b>NOTE:<\/b><span style=\"font-weight: 400;\"><em> Article-20 of the GDPR also states that the right to data portability should\/must not adversely affect the right to freedom of other data subjects. 
Typically, it will have consequences on the level of types of personal data received by the data subject while exercising his\/her data portability right.<\/em>\u00a0<\/span><\/p>\n<h3><b>How will GDPR rights affect your surveys and research?<\/b><\/h3>\n<p><span style=\"font-weight: 400;\">The new changes in GDPR will greatly impact the way you used to handle and manage personal or sensitive data. The GDPR rights provided to the data subjects have been discussed above. Many organizations, including us, have been overwhelmed trying to understand the impact of GDPR. Here we would like to explain how the new GDPR and GDPR rights will impact the way you collect, store, process, and share the customer and employee survey data.\u00a0<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The GDPR will not affect every company conducting employee and customer surveys, especially when the surveys are conducted anonymously without referring to the personal data.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Nevertheless, to run an anonymous survey, you need to prevent survey respondents from being identified. 
This is possible only if you do not collect personal information such as the email, address, or phone number of the respondent.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Even if you are surveying employees and you ask them to specify their age, gender, position, and duration of employment, this information can be considered enough to identify the employee.\u00a0<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">But when you need to ask survey respondents for personal information, you must follow all the GDPR guidelines, and the survey respondent acting as a data subject has every right to exercise his\/her GDPR rights.\u00a0<\/span><\/p>\n<p><strong>Providing Consent<\/strong><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">As per Article-7 of GDPR, survey respondents must provide consent allowing the surveying company to collect, handle and process their data. <\/span>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">However, the concerned organizations must communicate the purpose of the survey and how collected data will be used.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">It is up to the survey respondents to either give consent or withdraw from the <a href=\"https:\/\/www.questionpro.com\/blog\/gdpr-customer-surveys\/\">GDPR\u00a0survey<\/a>.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">It is a better idea to add a consent question (checkbox question type) at the start of the survey, ensuring the checkbox is not selected by default.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">At any time, respondents reserve the right to revoke their consent or exercise their GDPR rights.\u00a0<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Data minimization<\/strong><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span 
style=\"font-weight: 400;\">Timing does matter when asking for consent.\u00a0<\/span>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Every data subject must give consent to collect his\/her data before revealing or submitting any personal data.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">It is a better practice to publish all the GDPR information on a separate website containing the GDPR information discussed earlier.<br \/>\n<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">According to Article-5 of GDPR, which deals with data minimization, it is better to collect as little data as possible. <\/span>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The best way is to collect just the necessary information.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">If you are asking the age of the respondent, then avoid putting other questions asking the respondent to choose the age range.\u00a0<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Compliance information<\/strong><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Article-5 also refers to accountability, making it mandatory for organizations to provide information regarding steps they have taken to stay GDPR compliant. 
<\/span>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Organizations collecting personal data from subjects must have a processing register, data protection management system or must conduct a comprehensive examination of data processing activities periodically.<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong>Data Controller<\/strong><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Every organization that collects or deals with personal data needs to appoint a data controller or the data protection officer for systematic and regular monitoring of data subjects and their requests on a larger scale.\u00a0<\/span>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The appointed data protection officer must have prior experience in handling and protecting data along with the required technical knowledge.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">In most cases, the organization is accountable for any kind of GDPR violation. However, in some cases, the data protection officer can be held accountable.\u00a0<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">The data controller must know his rights per the GDPR rights provided to the data subject.\u00a0<\/span><\/li>\n<\/ul>\n<\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">If, after following all required measures and after all the efforts to stay GDPR compliant, there occurs a <a href=\"https:\/\/www.questionpro.com\/blog\/a-brief-teach-on-data-breach\/\">data breach<\/a>, the organization must report the data breach to the appointed supervising authority within 72 hours of its occurrence.<\/span><\/li>\n<\/ul>\n<h4><b>Role of online survey platforms in ensuring GDPR Compliance\u00a0<\/b><\/h4>\n<p><span style=\"font-weight: 400;\">Many organizations would now think it is better to appoint an external company to conduct surveys and comply with GDPR 
rules. We, being an online survey platform, provide only tools and features to make your survey creation process smooth and flexible. Although we are a <\/span><a href=\"https:\/\/www.questionpro.com\/blog\/questionpro-gdpr-commitment\/\"><span style=\"font-weight: 400;\">GDPR compliant survey creator platform<\/span><\/a><span style=\"font-weight: 400;\">, we provide all the features and guidelines necessary to <\/span><span style=\"font-weight: 400;\">create GDPR compliant surveys<\/span><span style=\"font-weight: 400;\">. We ensure that a processing agreement is made with all our users. Yet the organization creating and distributing surveys using our online survey platform is technically responsible for all data processing activities. <\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>On May 25, 2018, a new GDPR (General Data Protection Regulation) law came into existence across the EU region. This [&hellip;]<\/p>\n","protected":false},"author":86,"featured_media":74948,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[187],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>GDPR Rights | GDPR rights of the data subject | QuestionPro<\/title>\n<meta name=\"description\" content=\"Explore the GDPR rights of a data subject and the role of data controller. 
Look at how these GDPR rights impact your GDPR compliance and data collection.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"GDPR Rights | GDPR rights of the data subject | QuestionPro\" \/>\n<meta property=\"og:description\" content=\"Explore the GDPR rights of a data subject and the role of data controller. Look at how these GDPR rights impact your GDPR compliance and data collection.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/\" \/>\n<meta property=\"og:site_name\" content=\"QuestionPro\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/questionpro\" \/>\n<meta property=\"article:published_time\" content=\"2019-08-06T12:49:36+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-11-15T06:48:05+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.questionpro.com\/blog\/wp-content\/uploads\/2019\/08\/blog-15.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"992\" \/>\n\t<meta property=\"og:image:height\" content=\"594\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Adi Bhat\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@questionpro\" \/>\n<meta name=\"twitter:site\" content=\"@questionpro\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Adi Bhat\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/\"},\"author\":{\"name\":\"Adi Bhat\",\"@id\":\"https:\/\/www.questionpro.com\/blog\/#\/schema\/person\/6240dce6e1901b1a6c7f3dbd3e22567f\"},\"headline\":\"GDPR Rights: What every data controller and the data subject must know\",\"datePublished\":\"2019-08-06T12:49:36+00:00\",\"dateModified\":\"2023-11-15T06:48:05+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/\"},\"wordCount\":2861,\"publisher\":{\"@id\":\"https:\/\/www.questionpro.com\/blog\/#organization\"},\"articleSection\":[\"Surveys\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/\",\"url\":\"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/\",\"name\":\"GDPR Rights | GDPR rights of the data subject | QuestionPro\",\"isPartOf\":{\"@id\":\"https:\/\/www.questionpro.com\/blog\/#website\"},\"datePublished\":\"2019-08-06T12:49:36+00:00\",\"dateModified\":\"2023-11-15T06:48:05+00:00\",\"description\":\"Explore the GDPR rights of a data subject and the role of data controller. 
Look at how these GDPR rights impact your GDPR compliance and data collection.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.questionpro.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Surveys\",\"item\":\"https:\/\/www.questionpro.com\/blog\/category\/survey-software\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"GDPR Rights: What every data controller and the data subject must know\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.questionpro.com\/blog\/#website\",\"url\":\"https:\/\/www.questionpro.com\/blog\/\",\"name\":\"QuestionPro\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.questionpro.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.questionpro.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.questionpro.com\/blog\/#organization\",\"name\":\"QuestionPro\",\"url\":\"https:\/\/www.questionpro.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.questionpro.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.questionpro.com\/blog\/wp-content\/uploads\/2022\/10\/questionpro-logo.svg\",\"contentUrl\":\"https:\/\/www.questionpro.com\/blog\/wp-content\/uploads\/2022\/10\/questionpro-logo.svg\",\"caption\":\"QuestionPro\"},\"image\":{\"@id\":\"https:\/\/www.questionpro.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/questionpro\",\"https:\/\/twitter.com\/questionpro\",\"https:\/\/www.linkedin.com\/company\/questionpro\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.questionpro.com\/blog\/#\/schema\/person\/6240dce6e1901b1a6c7f3dbd3e22567f\",\"name\":\"Adi Bhat\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.questionpro.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/33be79da19de28bbea9b5a059532a027?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/33be79da19de28bbea9b5a059532a027?s=96&d=mm&r=g\",\"caption\":\"Adi Bhat\"},\"description\":\"Aditya Bhat, a.k.a. \u2018Adi\u2019, is a thought leader in market strategy and business development. He leads QuestionPro's sales teams to partner with companies, government organizations, and nonprofit institution.\",\"sameAs\":[\"https:\/\/www.questionpro.com\/\"],\"url\":\"https:\/\/www.questionpro.com\/blog\/author\/adityabhat\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"GDPR Rights | GDPR rights of the data subject | QuestionPro","description":"Explore the GDPR rights of a data subject and the role of data controller. 
Look at how these GDPR rights impact your GDPR compliance and data collection.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/","og_locale":"en_US","og_type":"article","og_title":"GDPR Rights | GDPR rights of the data subject | QuestionPro","og_description":"Explore the GDPR rights of a data subject and the role of data controller. Look at how these GDPR rights impact your GDPR compliance and data collection.","og_url":"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/","og_site_name":"QuestionPro","article_publisher":"https:\/\/www.facebook.com\/questionpro","article_published_time":"2019-08-06T12:49:36+00:00","article_modified_time":"2023-11-15T06:48:05+00:00","og_image":[{"width":992,"height":594,"url":"https:\/\/www.questionpro.com\/blog\/wp-content\/uploads\/2019\/08\/blog-15.jpg","type":"image\/jpeg"}],"author":"Adi Bhat","twitter_card":"summary_large_image","twitter_creator":"@questionpro","twitter_site":"@questionpro","twitter_misc":{"Written by":"Adi Bhat","Est. 
reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/#article","isPartOf":{"@id":"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/"},"author":{"name":"Adi Bhat","@id":"https:\/\/www.questionpro.com\/blog\/#\/schema\/person\/6240dce6e1901b1a6c7f3dbd3e22567f"},"headline":"GDPR Rights: What every data controller and the data subject must know","datePublished":"2019-08-06T12:49:36+00:00","dateModified":"2023-11-15T06:48:05+00:00","mainEntityOfPage":{"@id":"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/"},"wordCount":2861,"publisher":{"@id":"https:\/\/www.questionpro.com\/blog\/#organization"},"articleSection":["Surveys"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/","url":"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/","name":"GDPR Rights | GDPR rights of the data subject | QuestionPro","isPartOf":{"@id":"https:\/\/www.questionpro.com\/blog\/#website"},"datePublished":"2019-08-06T12:49:36+00:00","dateModified":"2023-11-15T06:48:05+00:00","description":"Explore the GDPR rights of a data subject and the role of data controller. 
Look at how these GDPR rights impact your GDPR compliance and data collection.","breadcrumb":{"@id":"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.questionpro.com\/blog\/gdpr-rights\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.questionpro.com\/blog\/gdpr-rights\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.questionpro.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Surveys","item":"https:\/\/www.questionpro.com\/blog\/category\/survey-software\/"},{"@type":"ListItem","position":3,"name":"GDPR Rights: What every data controller and the data subject must know"}]},{"@type":"WebSite","@id":"https:\/\/www.questionpro.com\/blog\/#website","url":"https:\/\/www.questionpro.com\/blog\/","name":"QuestionPro","description":"","publisher":{"@id":"https:\/\/www.questionpro.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.questionpro.com\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.questionpro.com\/blog\/#organization","name":"QuestionPro","url":"https:\/\/www.questionpro.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.questionpro.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.questionpro.com\/blog\/wp-content\/uploads\/2022\/10\/questionpro-logo.svg","contentUrl":"https:\/\/www.questionpro.com\/blog\/wp-content\/uploads\/2022\/10\/questionpro-logo.svg","caption":"QuestionPro"},"image":{"@id":"https:\/\/www.questionpro.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/questionpro","https:\/\/twitter.com\/questionpro","https:\/\/www.linkedin.com\/company\/questionpro\/"]},{"@type":"Person","@id":"https:\/\/www.questionpro.com\/blog\/#\/schema\/person\/6240dce6e1901b1a6c7f3dbd3e22567f","name":"Adi Bhat","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.questionpro.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/33be79da19de28bbea9b5a059532a027?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/33be79da19de28bbea9b5a059532a027?s=96&d=mm&r=g","caption":"Adi Bhat"},"description":"Aditya Bhat, a.k.a. \u2018Adi\u2019, is a thought leader in market strategy and business development. 
He leads QuestionPro's sales teams to partner with companies, government organizations, and nonprofit institution.","sameAs":["https:\/\/www.questionpro.com\/"],"url":"https:\/\/www.questionpro.com\/blog\/author\/adityabhat\/"}]}},"featured_image_src":"https:\/\/www.questionpro.com\/blog\/wp-content\/uploads\/2019\/08\/blog-15.jpg","featured_image_src_square":"https:\/\/www.questionpro.com\/blog\/wp-content\/uploads\/2019\/08\/blog-15.jpg","author_info":{"display_name":"Adi Bhat","author_link":"https:\/\/www.questionpro.com\/blog\/author\/adityabhat\/"},"_links":{"self":[{"href":"https:\/\/www.questionpro.com\/blog\/wp-json\/wp\/v2\/posts\/74935"}],"collection":[{"href":"https:\/\/www.questionpro.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.questionpro.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.questionpro.com\/blog\/wp-json\/wp\/v2\/users\/86"}],"replies":[{"embeddable":true,"href":"https:\/\/www.questionpro.com\/blog\/wp-json\/wp\/v2\/comments?post=74935"}],"version-history":[{"count":2,"href":"https:\/\/www.questionpro.com\/blog\/wp-json\/wp\/v2\/posts\/74935\/revisions"}],"predecessor-version":[{"id":822744,"href":"https:\/\/www.questionpro.com\/blog\/wp-json\/wp\/v2\/posts\/74935\/revisions\/822744"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.questionpro.com\/blog\/wp-json\/wp\/v2\/media\/74948"}],"wp:attachment":[{"href":"https:\/\/www.questionpro.com\/blog\/wp-json\/wp\/v2\/media?parent=74935"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.questionpro.com\/blog\/wp-json\/wp\/v2\/categories?post=74935"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.questionpro.com\/blog\/wp-json\/wp\/v2\/tags?post=74935"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}