Background - the rights and their Articles
European data protection law has always given individuals enforceable rights, but the GDPR is far more extensive than the old Data Protection Directive. The data subject rights live in Articles 12 to 23 of the GDPR, and bolstering these rights was a main ambition of the European Commission. These rights can limit lawful processing and even reshape a controller's business model.
The GDPR is considerably more complex and far-reaching than the Directive on data subject rights. The rights sit in and can limit a controller's ability to process data lawfully, affecting core business processes and even the business model.
| Article | Right |
|---|---|
| Arts 12–14 | Transparent communication and information |
| Article 15 | Right of access |
| Article 16 | Right to rectification |
| Article 17 | Right to erasure ('right to be forgotten') |
| Article 18 | Right to restriction of processing |
| Article 19 | Obligation to notify recipients |
| Article 20 | Right to data portability |
| Article 21 | Right to object |
| Article 22 | Right not to be subject to solely automated decision-making (incl. profiling) |
Examiners love asking 'which Article?'. Lock in: 15 access, 16 rectification, 17 erasure, 18 restriction, 20 portability, 21 object, 22 automated decisions.