Back to blog

[Infographic] GDPR Data Subject Rights – What You Need to Know

Data privacy & security GDPR

Written by

Published August 23, 2017 · Updated March 20, 2019

[Infographic] GDPR Data Subject Rights - What You Need to Know

The General Data Protection Regulation (GDPR) comes into effect on May 25th 2018 and introduces a list of data subjects’ rights to protect internet users. From this blog post you’ll learn how data controllers can ensure these rights and avoid severe fines. Download our informative infographic and it will all clear.

First of all it’s up to data processors and data controllers to make sure individuals can freely exercise their rights as data subjects. So it’s the job of processors and controllers to make appropriate changes in their products, or even alter the way they collect, store and organize data.

Once the changes are made and the data subject agrees to the collection and processing of their personal data, you need to assure that you keep respecting their rights – it’s not just a one and done thing. And you should really focus on these 6 rights, as they have the biggest consequences for web analytics and digital marketers:

  • Right of access (Art. 15)
  • Right to rectification (Art. 16)
  • Right to erasure (also known as: right to be forgotten) (Art. 17)
  • Right to restrict processing (Art. 18)
  • Right to data portability (Art. 20)
  • Right to object to processing (Art. 21)

Let’s start from the right of access. As the name suggests, data subjects have the right to know:

  • If, why, and for how long the data controller will be processing their data.
  • What categories of data are being processed.
  • If the Controller will share their data with any third parties, and if so, who those third parties are.
  • That they have the right to erasure and rectification, the right to object to and restrict of processing. And that they can complain to the Data Protection Authority (DPA).
  • If there is automated processing that has a significant effect on them.

When it comes to the right to rectification, it allows individuals to correct their data if they see it is inaccurate or untruthful. Data controllers then have to erase or fix inaccurate or incomplete data.

You have to also remember that people can opt-in, but at any time they may reach out to you and say “hey, I didn’t know you’re sharing my data with company X, please stop doing that and make company X remove my data”. The right to erasure forces data controllers to remove the personal data within one month when:

  • The data was collected unlawfully.
  • The time limit for the storage of the data has expired.
  • The data subject objects to their personal data being processed.
  • The data was collected when the data subject was a child.
  • The purpose of collecting and processing data has changed.
  • Erasure is necessary to comply with EU or member state law.

Not only that, you also have to remember to ensure that all distributed personal data was removed–even the data that was processed by 3rd parties!

People will also now be able to stop you from performing specific actions with their data (the controller may only hold the data or use it for limited purposes). This is exactly the point of the right to restrict processing. It applies if:

  • The data subject contests the accuracy of the data.
  • The processing is unlawful and the data subject requests restriction.
  • The controller no longer needs the data for their original purpose, but the data is still required by the controller to establish, exercise or defend legal rights.
  • There is an erasure request and the data controller is verifying it.

Now let’s move on to data portability: you must be able to provide the data subject’s personal data in a structured, commonly used and machine-readable format – for example a CSV file. The GDPR strictly states that such information must be provided free of charge.

Of course to protect you from data subjects exploiting those rights by requesting data very often and recurrently, effectively trolling you, you can impose a reasonable fee for this particular request subject.

Evaluate Your Web Analytics Solution Towards GDPR In 12 Steps

Find out if your analytics solution guarantees data accuracy and privacy, including GDPR compliance:

Download FREE Guide

The last item on this list is the right to object to processing. All data subjects have the right to do so when it comes to direct marketing. In this case data controllers must stop such processing under all circumstances.

But, the data subject can also object to processing based on legitimate interests or for purposes of scientific, historical or statistical research. In those situations, the controllers must stop the processing in question unless they can demonstrate:

  • Compelling, legitimate grounds for processing which override the interests, rights and freedoms of the data subject.
  • That the processing requires the data for the establishment, exercise or defense of legal rights.

And that’s all you need to know regarding data subject rights and how will they influence web analytics and digital marketing. But, we have an additional, extremely helpful download, you might find it mighty interesting.

Check out our infographic on data subject rights under GDPR!

Download the infographic: GDPR Data Subject Rights – What You Need to Know

Download Infographic


Please feel free to share this infographic on your site. If you do, we kindly ask that you attribute Piwik PRO with the embed code below:

<a href="" rel="nofollow">
<img src="" alt="Data-Subject-Rights-Under-GDPR-Piwik-PRO" width='1334' height='7000' border='0' />

If you liked this post, I’m sure you’ll love our other infographic on GDPR. So be sure to check out this blog post and infographic:
How to Collect and Process Data Under GDPR?


Julian Jeliński

See more posts by this author

Core – a new plan for Piwik PRO Analytics Suite

Privacy-compliant analytics, built-in consent management and EU hosting. For free.

Sign up for free