Data Subject Rights are legally enforceable individual entitlements that allow natural persons (data subjects) to understand, access, correct, delete, restrict, move, and object to the processing of their personal data by organizations acting as data controllers or processors. They are codified most comprehensively in GDPR Articles 12–22; parallel frameworks appear in CCPA/CPRA (California), Brazil's LGPD, Canada's PIPEDA, India's DPDP Act 2023, and China's PIPL. The seven core rights are:

1. Right of Access (Article 15): obtain a copy of the personal data held.
2. Right to Rectification (Article 16): correct inaccurate or incomplete data.
3. Right to Erasure (Article 17, the 'right to be forgotten'): request deletion under specified conditions.
4. Right to Restriction of Processing (Article 18): limit how data is used during a dispute.
5. Right to Data Portability (Article 20): receive data in a machine-readable format.
6. Right to Object (Article 21): contest processing based on legitimate interest or direct marketing.
7. Right Not to Be Subject to Solely Automated Decision-Making (Article 22): covers profiling with significant effects and includes the right to a meaningful explanation of algorithmic decisions.

From a governance perspective, data subject rights are organizational obligations requiring people, process, and technology: intake procedures, identity verification, cross-system data discovery, processor coordination, legal hold adjudication, and documented response timelines.
Where it stops · what it isn't
- Data subject rights apply to NATURAL PERSONS (living individuals) — they do not apply to legal entities, corporations, or anonymized data that cannot be re-identified by any reasonable means.
- Rights are NOT absolute: statutory exceptions exist for data retained for legal compliance, public interest, fraud investigation, and litigation holds. Erasure cannot override a statutory retention requirement.
- Rights management is NOT a purely technical function — it is a governance capability requiring legal interpretation, cross-functional coordination, executive accountability, and trained staff.
- GDPR Articles 12–22 are the global benchmark but do not apply uniformly worldwide; the US, India, Brazil, and Canada have materially different timelines, exceptions, and enforcement mechanisms.
- The Right to Explanation under GDPR Article 22 applies to SOLELY AUTOMATED decisions with significant effects — it does not mandate full algorithmic disclosure or require organizations to expose ML model weights or training data.
- Data portability (Article 20) applies only to data processed by consent or contract and provided by the data subject — it does not extend to inferred or derived data in most jurisdictions.
- Rights requests must be fulfilled free of charge under GDPR; fees are permitted only in narrow, documented circumstances (manifestly unfounded or excessive requests).
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
- PART OF: Privacy Governance Framework (ISACA CDPSE Domain 1)
- REQUIRES: Data Inventory and Records of Processing Activities (RoPA); Data Subject Identity Verification Process; Data Processing Agreements (DPAs) with Third-Party Processors
- ENABLES: Regulatory Compliance (GDPR, CCPA/CPRA, LGPD, DPDP Act); Consumer Trust and Brand Differentiation
- RELATED TO: Privacy by Design and Data Minimization (GDPR Articles 5, 25); Consent Management and Lawful Basis Determination
- CONSTRAINS: Data Retention and Archival Policies; AI/ML Model Development and Automated Decision-Making Systems