Data Subject Rights
What are the eight GDPR data subject rights and how do they apply?
GDPR grants individuals eight distinct rights over their personal data. The AIGP exam tests whether you can identify the correct right for a described situation and recognize when exceptions apply.
Why this matters for the AIGP exam
Data subject rights questions appear throughout the AIGP exam in two forms: identifying which right applies to a described request, and determining whether an exception or limitation applies in a given situation. Both require understanding the specific scope and conditions of each right, not just a general awareness that rights exist.
The common error is assuming rights are absolute. Every right in GDPR has conditions, limitations, or exceptions. Exam questions often test whether you recognize that an organization can legitimately decline or limit a rights request in specific circumstances.
The eight rights
1. Right to be informed (Articles 13 and 14)
Data subjects must receive certain information about how their data is processed. This is delivered through privacy notices. The information required differs slightly depending on whether the data was collected directly from the data subject (Article 13) or obtained from another source (Article 14). This right is proactive, not triggered by a request: for data collected directly it must be provided at the time of collection; for data obtained elsewhere it must be provided within a reasonable period and at the latest within one month, or at the first communication with the data subject or first disclosure to another recipient, if earlier.
2. Right of access (Article 15)
Data subjects can request confirmation of whether their data is being processed and, if so, a copy of that data along with specific information about the processing (purposes, categories, recipients, retention period, source, and the existence of automated decision-making). The controller must respond without undue delay and in any event within one month. The right is not unlimited: under Article 12(5), requests that are manifestly unfounded or excessive, in particular because of their repetitive character, can be refused or charged for, and the controller bears the burden of demonstrating that the request is unfounded or excessive.
3. Right to rectification (Article 16)
Data subjects can request correction of inaccurate personal data and completion of incomplete data. Controllers must comply without undue delay. Rectification does not apply to data that is accurate but that the data subject disagrees with on substantive grounds.
4. Right to erasure (Article 17)
Also called the right to be forgotten. Data subjects can request deletion of their data in specific circumstances, including when the data is no longer necessary for the purpose it was collected for, consent has been withdrawn and no other legal basis exists, the data subject has objected and there is no overriding legitimate ground, or the data has been processed unlawfully. Article 17(3) provides exceptions where processing must continue for freedom of expression and information, compliance with a legal obligation or a public interest task, public health, archiving or research in the public interest, or the establishment, exercise or defence of legal claims.
5. Right to restriction of processing (Article 18)
Data subjects can request that processing be limited in specific situations, such as when accuracy is contested (for the period needed to verify it), processing is unlawful but the data subject does not want erasure, the controller no longer needs the data but the data subject needs it for legal claims, or an objection under Article 21(1) is pending verification. During restriction, data may be stored but not otherwise processed except with the data subject's consent, for legal claims, to protect the rights of another person, or for reasons of important public interest. The controller must inform the data subject before the restriction is lifted.
6. Right to data portability (Article 20)
Data subjects can receive their personal data in a structured, commonly used, machine-readable format and transmit it to another controller. This right applies only where processing is based on consent or contract and is carried out by automated means. It does not apply to processing necessary for a public task or legitimate interest.
7. Right to object (Article 21)
Data subjects can object, on grounds relating to their particular situation, to processing based on legitimate interest or a public task. The controller must stop processing unless it can demonstrate compelling legitimate grounds that override the data subject's interests, rights and freedoms, or the processing is needed for legal claims. There is also an absolute right to object to direct marketing, including related profiling, which requires no justification: once the objection is made, the data may no longer be processed for that purpose.
8. Rights related to automated decision-making (Article 22)
Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects concerning them or similarly significantly affect them. Exceptions apply where the decision is necessary for a contract, authorized by Union or Member State law (which must itself lay down suitable safeguards), or based on explicit consent. Under the contract and consent exceptions, the data subject retains the right to obtain human intervention, express their point of view, and contest the decision. Such decisions may not be based on special-category data unless Article 9(2)(a) or (g) applies and suitable safeguards are in place.
Scenario example
A data subject submits a request saying "please delete all the data you have about me." The organization finds that some of the data is held for a tax compliance obligation requiring seven-year retention.
The correct response is neither to delete all data immediately nor to refuse the entire request. The organization must evaluate each category of data against the retention obligation. Data that is not required for the tax compliance obligation should be deleted. Data required for that purpose falls under the Article 17(3)(b) exception and may be retained, but the data subject must be informed, within the one-month window, which data is retained and why, and of their right to lodge a complaint with a supervisory authority and to seek a judicial remedy (Article 12(4)). Retained data should be limited to what the legal obligation actually requires and held only for the mandated period.
Common confusion and exam trap
The most common trap is confusing the right to erasure with an absolute right. It is not. A data subject's request to be forgotten does not override a legal obligation to retain data. Exam questions frequently test this by presenting an erasure request alongside a legitimate retention requirement.
A second trap involves the scope of the portability right. Portability applies only to data the data subject provided to the controller (including data observed from their activity, such as usage history, but not data the controller has derived or inferred), only where processing is based on consent or contract, and only for processing carried out by automated means. Data processed under legitimate interest or a public task is not portable, though it may still be accessible under Article 15.
A third trap is the timeline. Controllers generally have one month from receipt to respond to rights requests, extendable by up to two further months where requests are complex or numerous, provided the data subject is informed of the extension and the reasons for the delay within the first month (Article 12(3)). The one-month clock applies to every right in this list, not only to access requests.
Practice this concept in context
AIGP Decision Lab includes scenario questions on this topic with full rationale breakdowns. One time purchase. $39.99.
Independent AIGP prep tool. Not affiliated with IAPP.