The General Data Protection Regulation (GDPR) grants EU citizens certain data rights—creating options for controlling personal data and offering recourse if data is processed unlawfully.
Right to be informed
Users have the right to know when and where their data is being collected, how it will be used, whether it will be shared with third parties, and how long it will be stored. Organizations must provide this information openly and in plain language.
Right of access
Data subjects have the right to request access to any personal data that an organization may hold. Once the request is received, organizations must respond within 30 days.
Right to rectification
Data subjects can request corrections to their personal data if they discover it's inaccurate or incomplete.
Right to be forgotten
EU citizens may request that an organization delete their personal data, which is why the right to be forgotten is sometimes referred to as the right to erasure. Data controllers may refuse erasure requests, but only if there’s a legitimate reason to keep the data, such as an open line of credit.
Right to restrict processes
Data subjects can request limitations or changes to the way their personal data is processed by an organization.
Right to data portability
EU citizens must be able to easily move personal data between services, which means data controllers must be able to give users their data in an easily transmittable format.
Right to object
Users can challenge an organization’s purpose of processing, in which case the organization must make a good case for why their purposes are legitimate.
Rights in relation to automated decision-making
Data subjects can ask for a review of decisions made through automated processes.