
Rule 4 of 4

The last core rule. The data you process is about people, and they have a number of rights that you must facilitate.

Introduction

Rights of data subjects (Knowledge Base)

The people whose personal data you process, your "data subjects", have explicit rights. You have a duty to make it possible for them to exercise those rights.

What you will learn in this module
  • Which rights data subjects have
  • What objection and erasure mean in practice
  • How to handle requests correctly and on time
Theory · 1 of 3

The rights in a row

Data subjects have the right to:

  • Right of access: "which data do you have about me?" Give data subjects free access, on request, to the personal data you process about them. Only for manifestly unfounded or excessive requests, for example the same request repeated again and again, may you charge a reasonable administrative fee or refuse.
  • Right to information: a clear explanation in plain language of which data you process, for what purpose, on which lawful basis, for how long, and who the controller is. See the transparency rule (module 4).
  • Right to rectification: "correct inaccurate data." Data subjects may have inaccurate data corrected or incomplete data completed, e.g. a change of address.
  • Right to object: "stop a specific process." Where processing relies on legitimate interests, the data subject can object. For direct marketing the objection is absolute: you must stop. For other legitimate-interest processing you must stop unless you can demonstrate compelling legitimate grounds that override the data subject's interests.
  • Right to restriction: "pause a specific process." The right to have processing temporarily restricted in certain situations, e.g. while the accuracy of the data is being checked or while an objection is being assessed.
  • Right to erasure ("right to be forgotten"): "delete my data." Data subjects can ask for data to be deleted where there is no longer a valid reason to keep it, unless a legal retention obligation or a legal claim prevents it.
  • Right to data portability: "give me my data, or transfer it to another service." The right to receive the data they provided to you in a structured, commonly used, machine-readable format, or to have it transmitted directly to another controller where technically feasible.
Theory · 2 of 3

Spotlight: be careful with Object and Erasure rights

Object to direct marketing (Knowledge Base)

Where processing relies on legitimate interests, typically newsletters and promotional emails, the data subject can object. For direct marketing there is no balancing test: once they object, you must stop that processing, and you must not contact them for marketing purposes again.

Erasure is not absolute (Knowledge Base)

You may refuse an erasure request, or part of it, where a legal retention obligation or the establishment, exercise or defence of a legal claim requires you to keep the data, for example invoices you must retain for tax purposes.

Theory · 3 of 3

In practice: how to approach it (Knowledge Base)

  • Refer in your privacy notice to the rights of data subjects (Transparency core rule).
  • Make it easy to exercise a right (a request for access, correction or deletion), e.g. via a form on your website or in your application.
  • Before you disclose, correct or delete anything, check with reasonable effort that the requester is who they claim to be, for example by replying to the email address you already hold. Personal data handed to the wrong person is a data breach in itself. Do not ask for more identification than the request justifies.
  • Make sure you are ready to respond to each request within one month of receipt; plan for 30 days. For complex or numerous requests the period may be extended by two further months, but you must tell the data subject within the first month that you are extending it and why.
  • Keep a register of the requests, their deadlines and their status so that you always know where you stand.
Remember

Unsure whether you may refuse a request? Always document your decision and the reason; that is part of your accountability obligation.

Example · 1 of 2

"Unsubscribe me"

Case 1 Objection to your newsletter

"A customer asks not to receive any more newsletters and promotional emails."

Stop. Your newsletter relies on legitimate interests; on objection you must stop the processing for direct marketing. Record the objection so the address is not re-added by a later import, and provide a simple opt-out in every email anyway.
Example · 2 of 2

"Erase all my data"

Case 2 Erasure request with a retention obligation

"A former customer asks for all their data to be deleted, but you have to keep invoices for tax purposes for years."

Partially. You erase what you can, but you may keep the invoice data because tax law requires you to retain it. Keep only what the retention obligation actually covers, not the whole customer file, and delete it once the retention period ends. Explain to the data subject what you delete, what you keep, and why.
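The following is an added example, not part of the course material, showing the request register from "In practice" and the partial erasure of Case 2 in working code. It assumes a flat record store in which every record carries an optional retention basis and retention end date; the record categories, the "7 years" retention period and the sample customer data are constructed for the example. The deadline uses the course's working figure of 30 days.

```python
"""Added example: a data subject request register with deadline tracking and an
erasure handler that honours legal retention obligations (Case 2)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

RESPONSE_DAYS = 30  # working deadline used by the course; GDPR Art. 12(3) says one month


@dataclass
class Record:
    record_id: str
    subject_id: str
    category: str                          # e.g. "profile", "marketing_prefs", "invoice"
    retention_basis: Optional[str] = None  # None: nothing legally prevents erasure
    retain_until: Optional[date] = None    # last day of the legal retention period


@dataclass
class RequestEntry:
    """One row of the request register."""
    request_id: str
    subject_id: str
    kind: str                              # "access", "rectification", "erasure", "object", ...
    received: date
    status: str = "open"
    decisions: List[str] = field(default_factory=list)  # accountability trail

    @property
    def due(self) -> date:
        return self.received + timedelta(days=RESPONSE_DAYS)


def overdue(register: List[RequestEntry], today: date) -> List[str]:
    """Ids of requests that are still open after their deadline."""
    return [r.request_id for r in register if r.status == "open" and today > r.due]


def handle_erasure(entry: RequestEntry, store: List[Record], today: date
                   ) -> Tuple[List[Record], List[Record], List[Record]]:
    """Erase every record of the requester that is not under a live retention
    obligation. Each kept record gets a documented reason. Returns the store
    after erasure, the erased records and the kept records."""
    remaining, erased, kept = [], [], []
    for rec in store:
        if rec.subject_id != entry.subject_id:
            remaining.append(rec)
            continue
        hold = rec.retention_basis is not None and rec.retain_until is not None \
            and rec.retain_until >= today
        if hold:
            kept.append(rec)
            remaining.append(rec)
            entry.decisions.append(
                f"kept {rec.record_id} ({rec.category}): {rec.retention_basis} "
                f"until {rec.retain_until.isoformat()}")
        else:
            erased.append(rec)  # expired retention periods no longer block erasure
            entry.decisions.append(f"erased {rec.record_id} ({rec.category})")
    entry.status = "closed-partial" if kept else "closed-full"
    return remaining, erased, kept


# Constructed sample data: a former customer with a profile, marketing
# preferences, one invoice still inside its (assumed 7-year) tax retention period
# and one invoice whose retention period has already ended.
SAMPLE_STORE = [
    Record("r1", "cust-42", "profile"),
    Record("r2", "cust-42", "marketing_prefs"),
    Record("r3", "cust-42", "invoice", "tax retention (assumed 7 years)", date(2031, 12, 31)),
    Record("r4", "cust-42", "invoice", "tax retention (assumed 7 years)", date(2020, 12, 31)),
    Record("r5", "cust-7", "profile"),
]


def run_example(today: date = date(2025, 3, 1)):
    """Process cust-42's erasure request and report what is overdue in the register."""
    register = [
        RequestEntry("req-1", "cust-42", "erasure", date(2025, 2, 20)),
        RequestEntry("req-0", "cust-7", "access", date(2025, 1, 10)),  # never answered
    ]
    entry = register[0]
    remaining, erased, kept = handle_erasure(entry, list(SAMPLE_STORE), today)
    return entry, remaining, erased, kept, overdue(register, today)


if __name__ == "__main__":
    entry, remaining, erased, kept, late = run_example()
    print(f"{entry.request_id}: {entry.status}, due {entry.due.isoformat()}")
    for line in entry.decisions:
        print("  -", line)
    print("overdue requests:", late)
```

The decision list on the register entry is what you send back to the data subject and what you keep for your own accountability: it says per record what was deleted, what was kept and on which legal basis. Note that only the invoice still inside its retention period survives; the profile, the marketing preferences and the expired invoice go.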
Practice · question 1 of 2
Not for points; choose the correct answer to continue.
"Within what time frame must you in principle respond to a data subject request?"
Correct: in principle you respond to a request within one month (plan for 30 days). Make it easy for data subjects to exercise their rights too.
Practice · question 2 of 2
"You send a promotional email to your customers. What must definitely be in place?"
Correct: direct marketing requires a reference to your privacy notice and a simple way to unsubscribe (opt-out), so that data subjects can exercise their right to object.
Summary

What you take away from module 6

  • Data subjects have the right to access, information, rectification, objection and erasure, plus restriction and portability.
  • Where legitimate interests apply (e.g. direct marketing), they can object; for direct marketing you then stop the processing without exception.
  • Erasure is not absolute: a legal retention obligation or a legal claim can prevent it, but only for the data it actually covers.
  • Facilitate the rights via your privacy notice, verify the requester, and respond to requests within one month (plan for 30 days).

Module 6 complete 🎉

That gives you the four rules of the GDPR: data minimisation, transparency, security, and the rights of data subjects. In module 7 we recap the essentials, and module 8 is the final exam.
