Lesson 11 of 25
Data Subject Rights I: Access, Rectification, Erasure
Work through access, rectification, and the right to be forgotten, plus the one-month response clock and the Google Spain ruling. Know exactly when erasure does—and does not—apply.
Rights make the GDPR personal
- Articles 12-22 — the data subject rights
- Article 12 — how and how fast you must respond
- This lecture: access, rectification, erasure
- Heavily tested in Domain II.C
Chapter III of the GDPR, Articles 12 through 22, gives individuals rights they can exercise directly against organisations, and Domain II tests them heavily. Article 12 is the overarching rule on how you must respond: transparently, in clear and plain language, and free of charge in most cases. The timing matters and is examined: you must respond without undue delay and in any event within one month of receiving the request.
You may extend that by a further two months for complex or numerous requests, but you must tell the person within the first month. In this lecture we cover the three foundational rights: access, rectification, and erasure. Next time we cover the rest.
The right of access (Article 15)
- Confirm whether you process their data
- Provide a copy of the data and key information
- Purposes, recipients, retention, source, rights
- First copy free; one-month response window
Article 15 gives the right of access, the most common request you will handle. A data subject can ask whether you are processing their personal data and, if so, receive a copy of it together with a defined set of information: the purposes of processing, the categories of data, the recipients or categories of recipients, the envisaged retention period, the existence of their other rights, the right to complain to a supervisory authority, the source of the data if not collected from them, and whether automated decision-making is involved. The first copy is free.
Watch for the balancing point the exam tests: the right to obtain a copy must not adversely affect the rights and freedoms of others, so you may need to redact third-party data.
The right to rectification (Article 16)
- Correct inaccurate personal data without undue delay
- Complete incomplete data, including by a supplementary statement
- Flows from the accuracy principle (Art. 5(1)(d))
- Notify recipients where feasible (Art. 19)
Article 16 gives the right to rectification. A data subject can require a controller to correct inaccurate personal data without undue delay, and to have incomplete data completed, including by providing a supplementary statement. This right is the practical expression of the accuracy principle in Article 5.
It is usually less contentious than access or erasure, but do not overlook a linked duty: under Article 19, where you have rectified, erased, or restricted data, you must communicate that to each recipient you disclosed it to, unless that proves impossible or involves disproportionate effort. So a correction is not just an internal edit; it can require you to tell downstream recipients too.
The right to erasure / right to be forgotten (Article 17)
- Erase personal data in defined circumstances
- E.g. no longer necessary; consent withdrawn; unlawful processing
- Objection upheld and no overriding grounds
- Not absolute — important exemptions apply
Article 17 gives the right to erasure, popularly the right to be forgotten. A data subject can require deletion of their personal data in specific circumstances: the data is no longer necessary for the purposes for which it was collected; they withdraw the consent the processing relied on and there is no other basis; they successfully object under Article 21 and there are no overriding legitimate grounds; the data was processed unlawfully; or erasure is required to comply with a legal obligation. The crucial exam point is that this right is not absolute.
It does not apply where processing is necessary for, among other things, freedom of expression and information, compliance with a legal obligation, reasons of public health, archiving or research in the public interest, or the establishment or defence of legal claims.
Google Spain and the search-engine angle
- CJEU Google Spain, C-131/12 (2014)
- Established the right to be forgotten before the GDPR
- Search engines can be required to de-list results
- Balance against public interest in the information
The right to be forgotten did not start with the GDPR; it was crystallised by the Court of Justice in Google Spain, case C-131/12, in 2014. A Spanish man asked Google to remove search results linking his name to an old, resolved debt notice. The court held that a search engine is a controller of the personal data in its index, and that individuals can, in certain circumstances, require it to de-list results that are inadequate, irrelevant, or no longer relevant, even where the underlying page stays online.
But the court also said this must be balanced against the public's interest in accessing the information, which is stronger for public figures. The GDPR later codified the right in Article 17. Expect the exam to test both the case name and the balancing it requires.
Recap
- Article 12 — respond within one month, clear and free
- Article 15 access; Article 16 rectification; Article 17 erasure
- Erasure is not absolute — exemptions apply
- Google Spain (C-131/12) founded the right to be forgotten
So here is the first half of data subject rights. Article 12 sets the modalities: respond clearly, free of charge, and within one month, extendable to three for complex requests. Article 15 is access, the right to a copy and to information about the processing.
Article 16 is rectification, correcting inaccurate or incomplete data. Article 17 is erasure, the right to be forgotten, powerful but not absolute, with real exemptions for things like legal claims and freedom of expression. And Google Spain, case C-131/12, is the case that founded it.
Next, we finish the rights: restriction, objection, portability, and the rules on automated decisions and profiling. First, go test yourself on access, rectification, and erasure.
Sources
- Regulation (EU) 2016/679 (GDPR), Article 12 (modalities/timing), Article 15 (access), Article 16 (rectification), Article 17 (erasure/RTBF)
- CJEU Google Spain v AEPD, C-131/12 (2014)
- EDPB guidance
Test your knowledge
A few CIPP/E questions on this material.
Q1. An online retailer wants to use a customer's purchase history to send personalised product recommendations. Can the retailer rely on Article 6(1)(b) — contractual necessity — as the lawful basis?
Q2. A public authority wants to rely on legitimate interests under Article 6(1)(f) for its public-order enforcement activities. Is this permissible?
Q3. A website's sign-up form includes a pre-ticked checkbox stating 'I agree to receive marketing emails.' A user completes the form without unchecking the box. Is this valid consent?
Q4. An online gaming platform directly offers its service to children and wants to rely on consent as its lawful basis. In a Member State that has not exercised the option to lower the age of digital consent, at what age can a child consent on their own?