GDPR: Seven questions about data subject rights

Data SubjectsWhile the General Data Protection Regulation will bring many changes, more consistent, comprehensive protection of personal data rights is key to these reforms. Under existing laws, ‘data subjects’ (your customers) have:

  • The right to object to processing for direct marketing
  • Right to be forgotten (e.g. Google’s online search results)
  • The right to make Subject Access Requests (SARs)

However, under GDPR legislation, customers will be able to still be object to processing for direct marketing, but also adds:

  • A right to object to automated processing (profiling) for legitimate interests
  • The right to be forgotten becomes ‘the right to erasure’, which enables data customers to request personal data to be erased ‘without undue delay’
  • Subject Access Requests must now be free of charge

To better understand their responsibilities, here are seven questions marketers should ask about GDPR, data subject rights and SARs:

1. What are the guidelines relating to policies and transparency?

As a 'data controller', your policy relating to the processing of personal data needs to be transparent and easily accessible, presented using clear and plain language. The policy also needs to include information about how a customer can exercise their individual rights.

2. What information needs to be provided within the policy? 

You must supply a customer with at least the following information:

  • The identity and contact details of the data controllers
  • The purpose of processing the personal data and your intentions for it
  • How long the personal data will be stored for
  • The rights to request personal data, erase it or object to its collection
  • The contact details for a regulatory authority in the event of a complaint
  • Who the recipients of the personal data are
  • If there are intentions to transfer your personal details to countries outside the EU and what level of data protection safeguards are offered
  • Whether supplying personal data is obligatory or voluntary, along with any consequences for failing to provide it
  • If the personal data is not collected from the customers themselves, then you must state where it originates from

3. What are the regulations relating to data subject access requests?

Anyone whose data you collect has the right to make a data subject access request (SAR) and you are required to facilitate these requests.

Currently, you are obliged to provide the information within 40 days. Under the new regulations, a SAR needs to be processed within a month of the request, although this deadline can be extended another month in instances where there have been a large volume of requests.

The information needs to be supplied in writing, or in electronic form when the request has been made electronically (unless requested in writing)

4. Can an organization charge for a SAR?

Currently the fee is £10 to process a SAR (£50 for health records). Under new rules, access to their personal data is to be provided free of charge. However, when requests are ‘manifestly excessive’, you may charge a fee for providing the action or taking the action requested.

Read more about GDPR

5. What information needs to be included within an access request?

Along with the purposes of the processing, and the categories of personal data that have been collected, you must also supply the following information:

  • The recipients of the personal data, including those outside the EU
  • How long the data will be stored
  • The right to request rectification or erasure of personal data
  • The right to object to processing
  • The ability to complain to the supervisory authority
  • Knowledge of personal data still undergoing processing, along with its significance and consequences

6. What rights do individuals have over their personal data?

Customers have the right to make changes to the personal data that you have collected about them in the following ways:

  • The right to rectification: to correct personal data about them that is inaccurate, and request the completion of incomplete data
  • The right 'not to be subject to a decision' when:
    • it is based on automated processing, and;
    • it produces a legal effect (or similarly significant effect) on them
  • The right to be forgotten and erasure: for personal data to be removed when:
    • The data is no longer necessary (in relation to the purpose they were collected or processed).
    • The data was collected unlawfully or other does not comply to the Regulations
    • The storage period for holding the data has expired
    • The customer objects to the personal data being processed
    • The data was collected when the customer was a child 
  • The right to data portability: this is a new addition to the regulations and critics fear that it could lead to disproportionate compliance costs. It requires organizations to hand over personal data to a customer in a usable, transferable format for further use by the data subject. For example, if an individual wishes to switch between service providers..

7. Are there instances when personal data does not have to be amended or erased?

There are a few exceptions that can justify the retention of personal data, such as:

  • Exercising the right of freedom of expression (the processing of personal data carried out for journalistic purposes or the purpose of artistic or literary expression)
  • Reasons of public interest in the area of public health (such as cross-border health threats)
  • For historical, statistical and scientific research purposes
  • For compliance with a legal obligation to a Union or Member State law

Rather than erasure, you can restrict processing of personal data where:

  • The data’s accuracy is contested by the customer until you can verify it
  • The personal data needs to be retained for purposes of proof
  • When the customer requests restriction rather than erasure
  • When the customer requests to transmit the personal data into another automated processing system

GDPRAre you prepared for GDPR? BlueVenn GDPR Assessments

What stage are you at with your preparations for GDPR? Our compliance specialists can help assess the condition of your database and offer assistance with issues relating to contracts, policies and other marketing practices.

To find out more, please click the link below or email us at 

GDPR Assessment

Topics: GDPR Article