
What are the 8 GDPR rights?

If you’re planning to — or already are — doing business in the EU, it’s essential that you comply with the requirements of the General Data Protection Regulation, or GDPR. Achieving GDPR compliance means you’re taking a strong stance to protect your customers’ data privacy, and without it, you could be faced with hefty fines. 

The first step toward reaching GDPR compliance is to understand the eight rights protected under the GDPR and know who is covered. Read on to learn more. 

Who has rights under the GDPR?

The GDPR protects the privacy and personal data of EU citizens by defining how personal data is processed, stored, and destroyed. Personal data can be obvious customer details such as a person's name and location or other information, such as IP addresses and cookie identifiers. 

The GDPR applies to businesses and organizations within the EU and to companies outside the EU who do business with EU customers. For instance, if your organization in California does business in the EU, you must adhere to the GDPR.

Let's look at the eight rights outlined under the GDPR.

Right 1: The right to information

The right to information allows customers to ask organizations what personal information they are processing and what the purpose of that processing is. Individuals also have a right to know who is processing their personal data and the duration those organizations may hold the information. 

This means that your company must provide the following information when requested:

  • Purpose of data processing
  • Third-party details
  • Controller's information and contact details

Right 2: The right to access

Under the GDPR, customers have the right to access personal data your company holds on them. To make it easy for customers to do this, the GDPR also requires you to have a set method for receiving and fulfilling personal data requests. Your privacy policy must include transparent, well-outlined instructions explaining how information requests can be made.

You must provide the following information when it is requested:

  • Why and how your company processes customer data
  • Categories of personal data you're processing
  • Who your company shares its data with
  • The duration your company intends to process customer information
  • How your customers can exercise their GDPR rights
  • Any information you have about the customer, even if it was indirectly obtained

Right 3: The right to rectification

The right to rectification allows customers to ask that their personal data be changed if they believe the information your organization holds is inaccurate or outdated. The GDPR gives your company one month to respond to a customer's data edit request once you confirm that the information is inaccurate.

Many organizations allow customers to change their personal information directly through profile- or account-management tools. Whether you go that route or accept requests and then make the changes yourself, it's important to develop a clear process your customers can use to update their personal information.

Right 4: The right to erasure

Under the GDPR, individuals have the power to ask organizations to delete their personal information. If they do, the organization is required to stop processing personal data, even if consent was given earlier. 

Customers can request that a company delete their data if one of the following criteria is met:

  • The data is no longer necessary.
  • The company unlawfully processed the data.
  • The customer has withdrawn consent.
  • Erasure is necessary for compliance with legislation.

If a customer asks that their data be deleted, you must also notify any third-party vendors you share data with.

There are a few circumstances outlined in the GDPR in which a company can deny a request to delete a customer’s information:

  • Processing complies with a public interest and legal requirement.
  • Processing affects public health.
  • Processing is for defense in legal claims.

If your data processing meets one of the above guidelines, you can deny the request for data deletion, citing the related GDPR exception.

Right 5: The right to restriction of processing

The right to restrict processing gives individuals the power to limit how companies process their personal data under certain circumstances: 

  • The customer disputes the accuracy of the information.
  • The data isn’t needed for processing but must be maintained due to legal obligations.

This doesn't mean that you necessarily have to delete the information entirely, but you will need to follow the restrictions laid out in Article 18 of the GDPR. This includes establishing a method for receiving and fulfilling restriction requests and describing it in your privacy policy.

Right 6: The right to data portability

This right allows your customers to request the transfer of their personal information. Individuals can request that your company give their personal data back or transfer the information to another data controller. When data is requested by a customer, you have to provide the information in a structured, machine-readable format. 

Additionally, your company will need to establish a policy outlining how you will respond to customers' requests for data return or transfer and give customers the ability to select the format in which they prefer to receive their personal data. You'll also need to update your technology to meet the requests efficiently in the approved format.  

Right 7: The right to object

This right empowers customers to object to data processing of their personal information at any time. Notably, customers can exercise this right to object when their personal data is being used for direct marketing purposes. However, your company does not have to comply with a customer’s objection when there are legitimate legal grounds for processing their personal information. These exceptions include when a customer’s personal information is being processed for reasons of public interest or to exercise or defend legal claims.  

Your company will need to establish a policy for handling your customers' written and verbal objection requests. In addition, incorporating this policy into your organizational privacy policy will enable your customers to better understand the process. 

Right 8: The right to avoid automated decision-making

Under the GDPR, customers have the right to reject any decision about them that is based solely on automated processing of their data. The GDPR established this rule to prevent customer data from being processed without human involvement. To exercise this right, a customer may ask you to review the relevant data manually if the automated processing produces legal effects that they deem significant.

To comply with this right, it's necessary for your company to provide customers visibility into your decision-making process. However, your company is exempt from complying with this requirement in the following circumstances:

  • There is a contract between you and the customer that states otherwise.
  • The customer’s interests are already protected by a Union or Member State law.
  • The customer provided explicit consent allowing automated decision-making.

Becoming GDPR compliant with Strike Graph

We know that compliance with GDPR can seem like a daunting and expensive task, especially for small and medium-sized organizations. 

Strike Graph offers a flexible platform that allows organizations of all sizes to achieve GDPR compliance easily. Our initial risk assessment right-sizes the compliance process for your unique business context, and our preloaded controls and automated evidence collection minimize the time and resources needed to reach GDPR compliance.
