Study Guide: Certified Information Privacy Professional (CIPP): EU - Data Subject Rights, Access, Rectification, Erasure, Restriction, Portability, Objection
Source: https://www.fatskills.com/data-privacy-laws-and-regulations/chapter/cipp-cipp-eu-data-subject-rights-access-rectification-erasure-restriction-portability-objection

Certified Information Privacy Professional (CIPP): EU - Data Subject Rights, Access, Rectification, Erasure, Restriction, Portability, Objection

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


CIPP/E – Data Subject Rights (Access, Rectification, Erasure, Restriction, Portability, Objection)


What This Is

Data subject rights are the set of individual-focused powers granted by the GDPR (Arts. 15–22) that let EU residents control how organisations collect, use, and keep their personal data. They are the “engine” of GDPR compliance – without a solid process for handling these requests, a company risks hefty fines, supervisory-authority investigations, and reputational damage.

Real-world example: A multinational e-commerce platform stores EU customers’ purchase histories in a cloud data centre in the United States. When a German shopper emails the company asking to see all data the firm holds about her, correct any inaccuracies, and delete the record, the firm must follow the GDPR-prescribed workflow for each right, even though the data physically resides outside the EU.


Key Terms & Provisions

  • Right of Access (Art. 15): The data subject may obtain a copy of their personal data, the purposes of processing, and the categories of recipients. Example: A UK employee submits a “subject access request” (SAR) to see what HR has stored about their performance reviews.
  • Right to Rectification (Art. 16): Individuals can demand that inaccurate data be corrected without undue delay. Example: A French user notices a misspelled address in a loyalty-program database and asks for it to be fixed.
  • Right to Erasure (“Right to be Forgotten”) (Art. 17): The data subject can request deletion of their data where the legal basis no longer applies (e.g., consent withdrawn) or the data is no longer necessary. Example: An Italian citizen asks a social-media site to delete all posts and photos after moving abroad.
  • Right to Restriction of Processing (Art. 18): The subject can ask that processing be “paused” (e.g., pending verification of accuracy) while the request is resolved. Example: A Spanish customer disputes the accuracy of a credit-score record and asks the data controller to halt further automated decisions.
  • Right to Data Portability (Art. 20): The individual may receive their data in a structured, commonly used, machine-readable format and transmit it to another controller. Example: A Dutch fintech user exports transaction data to switch to a competitor.
  • Right to Object (Art. 21): The data subject can object to processing based on legitimate interests, direct marketing, or scientific research. Example: A Polish citizen objects to a marketing newsletter that relies on a “legitimate interest” justification.
  • Verification of Identity: Before any right is exercised, the controller must confirm the requestor’s identity (Recital 64) to prevent unauthorized disclosures.
  • One-Month Deadline (Arts. 12–13): Controllers must respond to a request within one calendar month; this may be extended by two further months for complex cases, provided the data subject is informed.
  • Exemptions & Limitations: Certain rights are limited when processing is required for legal claims, public interest, or when it would impair the rights of others (e.g., journalistic archives).
  • Controller vs. Processor Obligations: The controller is the primary point of contact for data subjects; processors must assist the controller in meeting the rights (Art. 28(3)(g)).
  • Record-Keeping Requirement (Art. 30): Controllers must keep a log of all DSARs (Data Subject Access Requests) and the actions taken, to demonstrate compliance during audits.

Step-by-Step / Process Flow

  1. Receive the Request – Log the request (email, web form, postal mail) and assign a unique DSAR ticket number.
  2. Verify Identity – Request a government-issued ID, two-factor proof, or other reasonable means; document the verification method.
  3. Locate All Relevant Data – Search internal databases, backups, cloud storage, and third-party processors; include metadata and logs.
  4. Assess Scope & Exceptions – Determine whether any exemptions apply (e.g., legal-claim preservation, freedom of expression). If an exemption exists, prepare a concise justification.
  5. Respond Within the Deadline – Provide the requested information (or a refusal) in a clear, concise format; include the legal basis, retention period, and contact details for follow-up.
  6. Document & Archive – Record the request, verification steps, data retrieved, decision rationale, and final response in the DSAR log for at least six years.

Common Mistakes

  • Mistake: “Treating every request as a simple copy-and-paste of a user profile.”
    Correction: Conduct a full data map, include all processing activities, and verify that no hidden copies (e.g., logs, analytics) are omitted.

  • Mistake: “Assuming the one-month deadline is a hard stop and never extending it.”
    Correction: If the request is “complex or numerous,” you may extend by two months, but you must inform the data subject within the original month and give a reason.

  • Mistake: “Relying on a processor to answer the request directly.”
    Correction: The controller remains the legal point of contact; it must coordinate with processors and ensure they provide the data promptly.

  • Mistake: “Ignoring the right to object to direct marketing when the user has not opted in.”
    Correction: Any objection to marketing must be respected immediately; you must cease processing for that purpose and confirm the cessation to the data subject.

  • Mistake: “Deleting data without checking for legal holds.”
    Correction: Before erasure, verify whether the data is subject to a legal obligation (e.g., tax records, litigation hold) that overrides the right to be forgotten.


CIPP Exam Insights

  1. Article Mapping: Exams love matching rights to their article numbers – remember Art. 15 (Access), Art. 16 (Rectification), Art. 17 (Erasure), Art. 18 (Restriction), Art. 20 (Portability), Art. 21 (Objection).
  2. “One-Month + 2-Month Extension” Trap: The default deadline is one month; the extra two months are only for “complex or numerous” requests, not for routine ones.
  3. Controller vs. Processor: The controller must receive the request and coordinate the response; processors cannot answer directly, but must assist under Art. 28(3)(g).
  4. Exemptions Focus: Be ready to identify when a right is not absolute – e.g., freedom of expression (Art. 15(1)(b)), public-health research, or legal-claim preservation.

Quick Check Questions

  1. Scenario: A French citizen emails a US-based SaaS provider asking for a copy of all personal data the provider holds. The provider stores the data in an AWS EU region.
    Answer: The provider must comply within one month because Art. 3(2) GDPR applies to any controller offering goods/services to EU data subjects, regardless of physical location.
    Explanation: Territorial scope is triggered by “targeting” EU residents; the data’s EU storage reinforces the obligation.

  2. Scenario: An Italian user requests erasure of their profile, but the company retains the data to comply with a tax-recording obligation that lasts ten years.
    Answer: The company can refuse the erasure request, citing the legal-obligation exemption (Art. 17(3)(b)).
    Explanation: The right to be forgotten is not absolute when a statutory retention duty exists.

  3. Scenario: A Polish consumer objects to the processing of their data for direct marketing. The company’s privacy notice states that marketing is based on “legitimate interest.”
    Answer: The company must stop the marketing processing immediately and confirm the cessation to the data subject.
    Explanation: Under Art. 21(2), an objection to direct marketing overrides the legitimate-interest basis.


Last-Minute Cram Sheet (10 One-Liners)

  1. Art. 15 = Right of Access – “See what we have on you.”
  2. Art. 16 = Right of Rectification – “Fix my wrong data.”
  3. Art. 17 = Right to Erasure – “Delete me, unless a law says keep.”
  4. Art. 18 = Restriction – “Pause processing while we sort it out.”
  5. Art. 20 = Portability – “Give me my data in CSV/JSON.”
  6. Art. 21 = Objection – “Stop using my data for marketing or research.”
  7. Art. 3(2) – Targeting Rule: GDPR applies to any controller offering goods/services to EU persons, even with no EU office.
  8. One-Month Deadline + 2-Month Extension – Must inform the data subject within the first month if you need extra time.
  9. Fine Ceiling: Up to €20 million or 4 % of global annual turnover for systematic rights-violation failures.
  10. Landmark Case: Google Spain SL v. AEPD (C-131/12) – established the “right to be forgotten” under Art. 17.

Good luck – you’ve got the rights covered!