GDPR: A Comprehensive Analysis of The 8 Data Rights

With the rise of the internet and digital advancements, personal data has gained value, underscoring the importance of individuals having authority over their data. Consequently, GDPR was established to empower EU citizens with more control over their personal information.

This article will delve into the different rights individuals possess under the GDPR concerning their personal data.

What is GDPR?

If you live in the European Union (EU) or the European Economic Area (EEA), or if you interact with any organization that operates in these regions, you may have heard of the General Data Protection Regulation (GDPR). But what is it exactly, and why does it matter?

The GDPR is a legal framework that sets guidelines for the collection and processing of personal data of individuals within the EU and EEA. It aims to protect the privacy and rights of people, and to simplify the rules for international business.

GDPR was adopted by the European Parliament and Council of the European Union on 14 April 2016, and became effective on 25 May 2018.

Personal data is any information that relates to an identified or identifiable living person, such as:

  • Name, email address, phone number, location, health records, online identifiers, etc.

The GDPR applies to any organization that collects, stores, uses, or shares personal data of individuals in the EU or EEA, regardless of where they are based.

This means that even if you are not in Europe, you may still be affected by the GDPR, for example if you interact with any website, app, service, or company that operates in Europe or serves European customers.

The 8 Rights of Individuals Under GDPR

The GDPR gives individuals more control and rights over their personal data, such as:

1. The Right to be Informed

Individuals have the right to know who is collecting their data, why it’s being collected, how it’s being used, and who it’s being shared with. This information must be provided in a clear, understandable manner, and it should be easily accessible.

Individuals deserve to have transparency when it comes to how their personal information is being handled. The right to be informed not only empowers people to make informed decisions about sharing their data but also promotes trust between consumers and organizations.

By ensuring that information is presented clearly and concisely, individuals can navigate the digital landscape with confidence, knowing that their privacy is being respected.

This fundamental right sets the foundation for a relationship built on transparency, accountability, and mutual respect.

2. The Right of Access

The second right is the right of access. This right allows individuals to access their personal data and confirm that it’s being processed. They can also request a copy of their data free of charge.

This right helps individuals to understand how and why their information is being used and to verify the lawfulness of the processing.

The right of access is a fundamental aspect of data protection that empowers individuals with knowledge and control over their personal information.

By exercising this right, individuals can gain insights into the handling of their data, ensuring transparency and accountability in data processing practices. It serves as a mechanism for individuals to safeguard their privacy and ensure the accuracy and legality of the data being held about them.

Ultimately, the right of access plays a crucial role in promoting trust and confidence in the handling of personal data within various organizations and institutions.

3. The Right to Rectification

The third right is the right to rectification. If an individual finds that their personal data is inaccurate or incomplete, they have the right to have it rectified. Data controllers are required to rectify the data without undue delay.

This right to rectification is crucial in ensuring that individuals have control over the accuracy of their personal information.

It allows people to update or correct any errors in their data held by organizations. By exercising this right, individuals can ensure that the information being stored about them is up to date and accurate, which is essential in maintaining the integrity of their personal data.

Data controllers play a vital role in promptly making the necessary corrections as soon as inaccuracies are identified, enabling individuals to have confidence in the accuracy of their personal data.

4. The Right to Erasure

The fourth right is the right to erasure, also known as the right to be forgotten. This allows individuals to request the deletion or removal of their personal data when there’s no compelling reason for its continued processing.

However, this right is not absolute, and it only applies in certain circumstances.

The right to erasure, or the right to be forgotten, is an essential aspect of data protection laws. It empowers individuals to have control over their personal information by enabling them to request the deletion or removal of their data.

This right is particularly important when there is no longer a valid reason for storing or using the data. However, it’s crucial to note that this right is not without limitations and can only be exercised under specific circumstances.

Organizations and businesses that collect and process personal data must respect and adhere to this right by promptly addressing valid requests for erasure. By doing so, they not only comply with regulations but also foster trust and transparency with their customers.

The right to erasure plays a significant role in empowering individuals to manage their digital footprint and protect their privacy in an increasingly data-driven world.

5. The Right to Restrict Processing

The fifth right is the right to restrict processing. This right allows individuals to limit the way that an organization uses their data.

It’s an alternative to requesting the erasure of data, and it might be applicable when an individual contests the accuracy of the data or when the data has been unlawfully processed.

Restricting the processing of personal data can be a valuable tool for individuals who want to have more control over how their information is being handled.

By exercising the right to restrict processing, individuals can ensure that their data is not used in ways that they are uncomfortable with or that they believe to be inaccurate.

For example, if you discover that the data a company holds about you is incorrect or incomplete, you can request to restrict its processing until the inaccuracies are corrected. This can help prevent any further dissemination of incorrect information.

Similarly, if you believe that your data has been unlawfully processed or that there is a dispute about its accuracy, exercising this right can provide a temporary solution while the issue is being resolved.

By understanding and utilizing the right to restrict processing, individuals can actively participate in safeguarding their personal data and ensuring that it is handled in a manner that aligns with their expectations and rights.

6. The Right to Data Portability

The sixth right is the right to data portability. This allows individuals to obtain and reuse their personal data for their own purposes across different services.

It enables them to move, copy or transfer their data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

Data portability is an essential aspect of data protection that empowers individuals to have control over their personal information.

By having the ability to access and transfer their data across various platforms, individuals can make informed decisions about how their data is used and shared.

This right promotes transparency and accountability, ensuring that individuals are not tied down to specific services and have the freedom to switch providers without losing their valuable information.

Ultimately, the right to data portability enhances user autonomy and fosters a more competitive and innovative digital ecosystem.

7. The Right to Object

The seventh right is the right to object. Individuals have the right to object to the processing of their personal data in certain circumstances, including for direct marketing purposes.

If an individual objects, the organization must stop processing their data unless it can demonstrate compelling legitimate grounds for the processing.

The right to object is a crucial aspect of data protection that empowers individuals to have control over how their personal information is used. This right allows individuals to voice their concerns and preferences, particularly when it comes to direct marketing activities.

By having the ability to object to the processing of their data, individuals can ensure that their information is not being used in ways that they are uncomfortable with. It also provides a mechanism for individuals to protect their privacy and prevent unwanted solicitations.

Organizations are obligated to respect and uphold this right by promptly ceasing the processing of an individual’s data upon receiving an objection.

The burden then falls on the organization to justify why they should continue processing the data, requiring them to have legitimate reasons that outweigh the individual’s objections.

Ultimately, the right to object serves as a safeguard that promotes transparency, accountability, and respect for individuals’ privacy rights in the ever-evolving digital landscape of data processing.

8. The Right Not to be Subject to Automated Decision-making

The final right is the right not to be subject to automated decision-making. This includes profiling, which should be carried out only with the individual’s explicit consent.

This right ensures that individuals are not subject to a decision based solely on automated processing that produces legal effects concerning them or similarly significantly affects them.

It is crucial to safeguard the right not to be subject to automated decision-making in order to protect individuals from potential harm or discrimination that may arise from solely algorithmic determinations.

By requiring explicit consent for profiling activities, this right empowers individuals to maintain control over decisions that have a substantial impact on their lives.

This protection ensures that people are not unfairly affected by decisions made through automated processes, thereby promoting fairness, accountability, and respect for individual autonomy.

What are the penalties for GDPR violations?

The GDPR also sets out severe penalties for organizations that violate its provisions.

Depending on the type and severity of the infringement, organizations can face fines up to €20 million or 4% of their global annual turnover of the preceding financial year, whichever is higher. This is the maximum fine for serious violations such as:

  • Processing personal data without a valid lawful basis or consent
  • Violating the core principles of data processing
  • Infringing on individuals’ rights
  • Transferring personal data outside the EU or EEA without adequate safeguards

For less serious violations such as:

  • Failing to notify authorities or individuals about a data breach
  • Failing to appoint a data protection officer
  • Failing to keep records of processing activities
  • Failing to cooperate with supervisory authorities

The maximum fine is €10 million or 2% of their global annual turnover of the preceding financial year, whichever is higher.

The fines are determined by the relevant supervisory authority in each member state, taking into account various factors such as:

  • The nature, gravity, and duration of the infringement
  • The intentional or negligent character of the infringement
  • The actions taken to mitigate the damage suffered by individuals
  • The degree of cooperation with the supervisory authority
  • The previous infringements by the organization
  • The categories of personal data affected by the infringement
  • The manner in which the infringement became known to the supervisory authority
  • The adherence to approved codes of conduct or certification mechanisms
  • Any other aggravating or mitigating factors

The GDPR also allows individuals to seek compensation from organizations for any material or non-material damage suffered as a result of a GDPR violation.

Individuals can also lodge complaints with the supervisory authority in their member state or take legal action against the organization or the supervisory authority.


In summary, the GDPR empowers individuals to control their personal data significantly. It is crucial for both individuals and organizations to comprehend these rights to ensure responsible handling of personal data in accordance with the law.

  • Individuals have the right to access, correct, and in certain cases, delete their personal data. Understanding these rights enables individuals to safeguard their privacy and influence the usage of their information.
  • Organizations have a vital role in upholding these rights by implementing policies that prioritize data protection. Adhering to GDPR guidelines helps businesses establish trust with customers and showcase a dedication to data privacy.
  • The GDPR stands as a pivotal regulation aimed at safeguarding personal data in today’s digital era. Upholding these principles contributes to creating a more secure and transparent data environment for all parties involved.
