Chapter III of the GDPR confers on data subjects a set of rights the organisation must guarantee and which the DPO helps to operationalise. Knowing them is the first step to exercising and respecting them.
| Right | Content | Basis |
|---|---|---|
| Information | To receive clear information about the processing of personal data, at the time of collection. | Arts. 13–14 |
| Access | To obtain confirmation of whether data are being processed and to access those data and the related information. | Art. 15 |
| Rectification | To have inaccurate data corrected and incomplete data completed. | Art. 16 |
| Erasure | To obtain the erasure of personal data — the so-called right to be forgotten — where the conditions are met. | Art. 17 |
| Restriction | To obtain the restriction of processing in the cases provided for in the Regulation. | Art. 18 |
| Portability | To receive the data provided in a structured, commonly used and machine-readable format, and to transmit them to another controller. | Art. 20 |
| Objection | To object, on grounds relating to the particular situation, to processing based on legitimate interests or carried out for direct marketing. | Art. 21 |
| Automated Decisions | Not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. | Art. 22 |