Chapter 3: Rights of the data subject
Transparent information, communication and modalities for the exercise of the rights of the data subject
Information must be concise, transparent, intelligible, easily accessible, and in plain language; respond within one month.
Information to be provided where personal data are collected from the data subject
Privacy notice requirements when collecting directly: identity, purposes, legal basis, recipients, retention, rights.
Information to be provided where personal data have not been obtained from the data subject
Privacy notice requirements when data are obtained indirectly, including source of data.
Right of access by the data subject
Right to confirmation of processing and a copy of personal data plus context (purposes, recipients, retention, rights).
Right to rectification
Right to obtain correction of inaccurate personal data without undue delay.
Right to erasure ('right to be forgotten')
Right to deletion when data no longer needed, consent withdrawn, unlawful processing, etc.
Right to restriction of processing
Right to limit processing in defined circumstances (accuracy contested, unlawful, etc.).
Notification obligation regarding rectification or erasure of personal data or restriction of processing
Controller must notify each recipient of any rectification, erasure, or restriction unless impossible/disproportionate.
Right to data portability
Receive personal data in structured, commonly used, machine-readable format and transmit to another controller.
Right to object
Right to object to processing based on legitimate interests, public task, direct marketing, or research.
Automated individual decision-making, including profiling
Right not to be subject to solely automated decisions producing legal/significant effects, with safeguards.
Restrictions
Member States may restrict rights when necessary for national security, defence, public security, etc.