Below is a follow up on the new EU General Data Protection Regulation (GDPR), and an overview of the new data subject rights. Take time to review and make sure you’re aware of the specific processes and actions that your company needs to take to adhere to your users’ rights.


Data Subject Rights

Breach Notification

  • It will become mandatory to notify users in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of becoming aware of the breach.

Right to Access

  • Subjects have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose.

Right to be Forgotten

  • The right to be forgotten secures the right of the data subject to request the data controller to erase his/her personal data, cease further dissemination of the data, and potentially revoke the right of third parties to continue processing the data.

Data Portability

  • The right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly use and machine readable format’ and have the right to transmit that data to another controller.

Privacy by Design

  • This directive calls for the inclusion of data protection from the onset of the designing of systems, rather than as an addition. More specifically – ‘The controller shall…implement appropriate technical and organisational measures…in an effective way…in order to meet the requirements of this Regulation and protect the rights of data subjects.”


Data Protection Officers

  • Under GDPR it will not be necessary to submit notifications / registrations to each local DPA of data processing activities, nor will it be a requirement to notify / obtain approval for transfers based on the Model Contract Clauses (MCCs).


Conclusion for Data Subject Rights:

  • The user must be informed of a breach and they have the right to know the usage of their personal data, as well as receive personal data that concerns them
  • The user has the right to request their information deleted/halted
  • Companies using others’ personal data will invest in proper technology and organizational assets to meet requirements of the GDPR
  • There is also a more homogeneous control in the European Union regarding personal data privacy


For more information please visit

*The above information is extracted and simplified from Centre O is a business resource centre in Hong Kong and we provide no warranty that the information listed above is accurate, up-to-date or complete and in no circumstance does the information constitute legal advice. You are responsible for independently verifying the information, if you intent to rely upon or use it in any way.

Leave a comment

Your email address will not be published. Required fields are marked *