Catch Up Now: On Demand Webinar Playback "AI and Privacy: Navigating Data Protection for DPOs in the Age of AI" Register Now!

What are Data Subject Rights?

Human character with filing icons on mobile

    Need world class privacy tools?

    Schedule a Call >

    Data Subjects, i.e. living individuals, have many rights under the data protection acts. The table below summarises these rights along with the relevant data controller obligations. This is a quick reference guide. Further details can be found on PrivacyEngine.

    Data Subject’s RightController ObligationConditionsRight of Appeal
    Confirmation of ProcessingController must confirm details of any processing within 21 days, including source, purpose and other relevant informationResponse in writingData Subject needs to provide proof of processing if Controller denies having data
    Data Subject’s Right of AccessController must respond asap, but within 40 calendar days (60 for uncorrected exam results). Several exemptions are availableRequest must be in writing, max. fee of €6.35, Data Subject must provide verifiable identificationAppeal to DP Commissioner if deadline is not met, or response is considered inadequate
    Prevention of Processing causing damage or distressMust provide a response in writing within 20 daysController may decline where they feel processing is in public interest, fulfils a lawful function, etc.If Controller does not comply, Data Subject can complain to the Commissioner; Compensation only available via civil courts
    Automated Decision MakingController must explain decision-making mechanism within 21 calendar days of receipt of requestCan’t be used solely for evaluation reliability, credit worthiness, performance at work, etc.Data Subject can challenge the decision further in court
    Opt out from Direct MarketingController must respond within 40 days to confirm complianceOption to opt out must be free, clearly offered, easy to use, and unambiguousIf direct marketing continues, Data Subject can complain to the Commissioner
    Rectification, Erasure or BlockingController must confirm correction of data within 40 days or receipt of correct dataData Subject must identify error, provide proof of correct informationController must notify Processors with whom data was shared in past 12 mths – they must also make the changes
    Assistance from Office of the DP CommissionerOn receipt of a valid request, Commissioner’s Office will investigate circumstances. Allow up to 15 working days for initial responseData Subject must provide identification and evidence of processing, as well as any relevant detailsController may appeal against findings of the Commissioner within 21 days of any formal Notice being issued
    CompensationEntitled to compensation for damage or distress if proven; Difficult to prove actual causalityController is exempt if not directly responsible for distress causedNo guideline in DP legislation on the amount payable; Controller can appeal against any award

    Try PrivacyEngine
    For Free

    Learn the platform in less than an hour
    Become a power user in less than a day

    PrivacyEngine Onboarding Screen