Digitalization has revolutionized the way data is processed. At the same time, however, it has also created new challenges for the protection of privacy. The European Union’s General Data Protection Regulation (GDPR) addresses this development by significantly strengthening the rights of individuals whose data is processed – the so-called data subjects. These data subject rights form the core of European data protection law, as they ensure that every natural person retains the ability to understand, control, and, where appropriate, restrict what happens to their personal information.
This introductory article aims to explain these fundamentals in a clear and accessible way. It sheds light on what data subject rights are, where they come from, and the central importance they hold for both individuals and organizations in everyday practice.
Key points at a glance
Data subject rights actively safeguard the data sovereignty of the affected individuals. Their foundation is the GDPR.
- These rights ensure that individuals retain control over their own data.
- The primary legal bases are found in Articles 12 to 22 of the GDPR.
- They apply without restriction to all natural persons whose data is processed by third parties.
- Organizations acting as controllers are required to process corresponding requests from data subjects quickly, transparently, and correctly.
- Compliance with these rights is the basis of any data protection-compliant communication and process design.
What are data subject rights?
Definition in simple terms
Data subject rights are formal defensive and formative rights that natural persons can assert against the entities that process their personal data. They enable individuals to move from the passive role of being the object of data processing to an active role in which they steer the processing of their own data.
Legislation clearly distinguishes between the data subject (the natural person whose data is processed, e.g. customer, employee, or user) and the controller (the entity that determines the purposes and means of processing, e.g. a company, authority, or association). The rights are always directed at the controller, who bears the corresponding obligations for implementation.
Origins in European law: From fundamental rights to the GDPR
The fundamental importance of data subject rights is explained by their origin. They are based on the fundamental right to the protection of personal data, which is enshrined in the treaties of the European Union. These rights are therefore not merely statutory provisions, but the concrete implementation of a fundamental civil right.
Their anchoring as a fundamental right gives data subject rights a high normative authority and makes strict compliance an ethical and legal obligation. The specific design and implementing provisions governing the modalities for exercising these rights are primarily found in Articles 12 to 22 of the GDPR. Article 12 GDPR in particular sets out the requirements for transparency, communication, and the modalities for exercising these rights. This provision signals that compliance failures often begin with the form of communication – i.e. insufficient accessibility or lack of clarity in processes – rather than with the refusal of the right itself. Good process design is therefore the primary obligation arising from Article 12.
The central objective: Informational self-determination
The overarching objective of data subject rights is to ensure the informational self-determination of the individual. This concept describes the right of every person to fundamentally decide for themselves on the disclosure and use of their personal data.
Data subject rights provide the affected person with the necessary tools to understand, control, and, if necessary, stop data processing. This includes the ability to obtain information about processing, have incorrect data corrected, or request the deletion of data once there is no longer a legal basis for storage.
Distinction: Rights of data subjects versus obligations of controllers
It is essential to distinguish data subject rights from the general obligations of controllers. General obligations include data security, maintaining records of processing activities, or implementing technical and organizational measures (TOMs). Controllers must fulfill these obligations.
By contrast, data subject rights trigger an obligation to act on the part of the controller only when they are actively asserted by the data subject, for example through an access request or a request for erasure (with the exception of the information obligations under Articles 13 and 14 GDPR). The assertion of these rights is therefore the lever by which data subjects actively enforce GDPR compliance by the controller.
Why are data subject rights important?
Function 1: Protection against misuse of personal data
The primary function of these rights is effective protection against misuse. They represent a necessary protective barrier that applies even when data was originally collected lawfully, but is later intended to be further processed or repurposed contrary to the expectations of the data subject or without a legal basis. Without these control mechanisms, individuals would have no way to intervene in ongoing, non-transparent processing operations.
Function 2: Promoting transparency and trust
The ability to exercise rights, in particular the right of access (Article 15 GDPR), creates the necessary transparency regarding data processing. This transparency is the foundation for trust among customers and employees in a company. Organizations that can demonstrate that they process requests quickly and correctly position themselves as trustworthy market participants.
In this sense, data subject rights function as the most fundamental form of user control. Companies that handle them properly show that they are willing to respect the sovereignty of their users. This is a decisive advantage, as the principles of the GDPR are increasingly serving as a blueprint for new legal frameworks, for example for transparency obligations arising in the context of the AI Act or the Data Act.
Dr. Bernd Schmidt of PLANIT // LEGAL has clearly outlined the specific transparency requirements imposed by the AI Act, the Data Act, and data protection law in this article.
Those who master the basics of GDPR transparency are better prepared for the more complex requirements of new digital laws.
Relevance in everyday life
Data subject rights are not abstract, theoretical concepts, but demonstrate their relevance in numerous everyday situations.
- For individuals (B2C perspective):
Perhaps the best-known example is the right to object when unsubscribing from a newsletter. This is a simple, everyday exercise of a data subject right. Another example is requesting information from a credit agency to review one’s own credit assessment and, if necessary, have incorrect entries corrected.
- For companies (B2B perspective):
Practical relevance arises, for example, when a former employee asserts their right to erasure and the company is obliged to delete that person’s personal data from all operational systems, archives, and backups within the required timeframe. Processing such requests requires internal processes and clear role assignments.
The business relevance for companies
Compliance with data subject rights is a central risk mitigation strategy. Incorrect, incomplete, or delayed handling of data subject requests can result in significant fines and almost inevitably lead to reputational damage.
The proactive and correct implementation of data subject rights should therefore not be viewed merely as a cost factor, but as a direct driver of customer loyalty and a quality seal for responsible data handling.
Which data subject rights exist under the GDPR?
The GDPR equips data subjects with seven central rights that provide a comprehensive range of control mechanisms over data processing (Articles 15 to 22 GDPR). These rights transform the passive obligations of controllers into active rights of action for data subjects and represent the central shift of power initiated by the GDPR. The data subject becomes a data actor rather than merely a data subject.
Overview of data subject rights
- Right of access (Article 15 GDPR): Data subjects have the right to know whether and which of their personal data is being processed and may request a copy of this data. This right serves transparency and enables data subjects to verify the lawfulness of processing.
- Right to rectification (Article 16 GDPR): Data subjects have the right to the immediate correction of inaccurate personal data. If a dataset is incomplete, its completion may also be requested. This right ensures data quality and accuracy.
- Right to erasure (Article 17 GDPR) – “Right to be forgotten”: Under certain conditions (e.g. if the data is no longer necessary for the original purpose or consent has been withdrawn), data subjects may request the immediate deletion of their personal data. Our colleagues at PLANIT // LEGAL have prepared an overview on implementing the right to erasure.
- Right to restriction of processing (Article 18 GDPR): In certain situations (e.g. while verifying the accuracy of data or whether grounds for erasure exist), data subjects may request that data is only stored but not further processed. This provides temporary protection for the data.
- Right to data portability (Article 20 GDPR): Data subjects have the right to receive the data they have provided in a structured, commonly used, and machine-readable format and to transmit it to another controller.
- Right to object (Article 21 GDPR): Data subjects may object at any time to the processing of their personal data on grounds relating to their particular situation. This applies in particular to direct marketing.
- Rights related to automated decision-making (Article 22 GDPR): The GDPR protects data subjects from decisions based solely on automated processing (including profiling) that produce legal effects concerning them or similarly significantly affect them. This includes, for example, the automated rejection of a credit application without human involvement. The purpose is to protect against exclusively automated, far-reaching decisions and to ensure human oversight and fairness.
You can learn more about data subject rights in our blog post providing an overview of data subject rights.
Who is affected – and who must implement data subject rights?
While data subject rights strengthen the position of natural persons, they simultaneously define strict operational obligations for organizations. The clear allocation of roles remains: the rights apply to data subjects; the obligations to comply with and fulfill these rights rest with the controller (companies, authorities, associations).
Practical significance: Facilitating the exercise of rights
Pursuant to Article 12(2) GDPR, the controller is obliged to facilitate the exercise of rights by the data subject. This means that the processes for asserting rights must be designed to be simple, easily accessible, and transparent.
The practical challenge for companies is to ensure that requests, once received, can be processed quickly and correctly. This requires the implementation of clear internal procedures.
The process: Deadlines and documentation obligations
Handling data subject requests often becomes an operational pain point for companies. The GDPR sets tight deadlines, non-compliance with which can directly lead to fines.
- Compliance with the one-month deadline
The decisive operational obligation is compliance with the standard one-month deadline for responding to a request under Articles 15 to 22 GDPR. This deadline begins as soon as the request is received by the controller. This implies the need for fast internal processes to identify and retrieve data.
- Extension of deadlines and obligation to respond
The controller may extend the deadline by up to two additional months where necessary, taking into account the complexity and number of requests. The data subject must be informed of the extension and the reasons for it.
- The necessity of documentation
The controller must implement processes that ensure timely and correct handling of requests. In addition, compliance with deadlines and the correctness of responses must be documented. The risk of fines exists not only in the event of refusal of rights, but also in cases of missing or incomplete documentation. Documentation serves as the ultimate safeguard, as the controller must be able to prove compliance with its obligations in the event of a dispute.
Conclusion: Why data subject rights form the foundation of data protection
In practice, data subject rights ensure that transparency, self-determination, and fairness are upheld. They form the foundation on which any data protection-compliant organization must be built.
Understanding the basics of these rights is only the first step toward compliance. The real challenge – and the decisive competitive advantage – lies in operational implementation. This includes implementing easily accessible reporting channels, training employees, and being able to respond correctly to even complex requests within tight deadlines. Only through proactive and efficient management of these rights can trust be built with customers and employees while simultaneously minimizing the risk of significant sanctions.
The consequences of incorrect action are severe, which is why establishing robust processes for managing data subject rights is of strategic importance.
You can learn more about the practical implementation of data subject rights in our further articles, which address templates, practical cases, and detailed questions regarding GDPR implementation.
If you would now like to learn more about implementing data subject rights, you can find further information here on implementing data subject rights in practice.