What are the rights of the data subject?

The data subject can exercise many rights. The rights of the data subject are proportionate to the obligations of the controller.

Article 5 paragraph 1.a GDPR: “Personal data must be processed in a manner that is lawful, fair and transparent in relation to the data subject (“lawfulness, fairness and transparency”);”

Article 12 paragraph 1 GDPR: “The controller takes appropriate measures to ensure that the data subject receives the information referred to in Articles 13 and 14 and the communication referred to in Articles 15 to 22 and Article 34 (Data breach) in connection with the processing in a concise, transparent, intelligible and easily accessible form and in clear and plain language, especially when the information is specifically intended for a child.”

The controller facilitates and guarantees the rights of the data subject.

Recital 39 GDPR: “Any processing of personal data must be done properly and lawfully. It must be transparent for natural persons that personal data concerning them is collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. In accordance with the principle of transparency, information and communication related to the processing of those personal data should be easily accessible and understandable, and clear and plain language should be used.”

Overview of the rights of the data subject

Information and access to personal data

  • Article 13 GDPR: Information to be provided when personal data is collected from the data subject
  • Article 14 GDPR: Information to be provided when the personal data has not been obtained from the data subject
  • Article 15 GDPR: Right of access of the data subject

Rectification and erasure of data

  • Article 16 GDPR: Right to rectification
  • Article 17 GDPR: Right to erasure (“right to be forgotten”)
  • Article 18 GDPR: Right to restriction of processing
  • Article 19 GDPR: Notification obligation regarding rectification or erasure of personal data or restriction of processing
  • Article 20 GDPR: Right to data portability

Right of objection and automated individual decision-making

  • Article 21 GDPR: Right of objection
  • Article 22 GDPR: Automated individual decision-making, including profiling


  • Article 23 GDPR: Restrictions