The General Data Protection Regulation (GDPR) comes into effect on May 25th 2018 and introduces a list of data subjects’ rights to protect internet users. Learn how data controllers can ensure these rights and avoid severe fines. The infographic was created by the experts from Piwik PRO.

1. Data Subject
Every person is considered
a Data Subject: citizens,
consumers, customers,
business partners,
employees, you and me.
Your company. You are
controlling, reviewing,
comparing and aggregating
data about your customers
(e.g. web analytics data).
Data Controller
Any information
relating to an identified or
identifiable natural person
(in other words: the Data
Subject).
Personal data
Right of access
Right to erasure
The purpose of processing.
Categories of personal data.
Recipients of the data.
A copy of the collected personal data.
Data Controllers have to provide Data Subjects:
Data Subjects can request correction of their data if they see
it is not accurate or truthful.
Data Controllers have to erase or rectify (fix / adjust)
inaccurate or incomplete data.
Why the Data Controller is processing the data.
What categories of data are being processed.
Whether the Data Controller is processing their data.
Will the Controller share their data and with who.
How long the data will be stored.
That they have the right to erasure, rectification, restriction
of processing, and to object to processing.
That they have the right to complain to the Data Protec-
tion Authority (DPA).
If there is automated processing that has a significant
effect on them.
Data Subjects have the right to know:
The data was collected unlawfully.
The time limit for the storage of the data has expired.
The Data Subject objects to their personal data being pro-
cessed.
The data was collected when the Data Subject was a child.
The purpose of collecting and processing data has
changed.
Erasure is necessary to comply with EU or Member State
law.
Personal data has to be removed within ONE MONTH when:
Right to restrict processing
They contest the accuracy of the data.
The processing is unlawful and they request
restriction.
The controller no longer needs the data for their
original purpose, but the data is still required by the
controller to establish, exercise or defend legal
rights.
There is an erasure request and the Data Controller is
verifying it.
Data Subjects can stop Data Controllers from performing specific actions
with their data (the Controller may only hold the data or use it for limited
purposes).
Data Subjects can restrict the processing of their personal data if:
IMPORTANT : The Data Controller has to ensure that all distributed personal data was removed.
Even the data that was processed by 3rd parties!
Right to rectification
The General Data Protection Regulation comes into effect on May 25th 2018 and introduces
a list of Data Subjects’ rights to protect internet users. Learn how Data Controllers can
ensure these rights and avoid severe fines, as high as €20m or 4% of your company’s yearly
turnover.
Resources:
The Final Text of the GDPR Including Recitals https://gdpr-info.eu/
5 GDPR Rights With Serious Technical Consequences https://goo.gl/Jvgz5L
How Will GDPR Affect Your Web Analytics Tracking? https://goo.gl/JCZkKs
Bird & Bird: Guide to the General Data Protection Regulation https://goo.gl/kwwNqH
Chapter 9: Rights of data subjects – Unlocking the EU General Data Protection Regulation https://goo.gl/ud2crx
Right to data portability
Provide the Data Subject’s personal data in a
usable, transferable format for further use.
Such information must be provided free of
charge.
BUT! The Data Controllers can protect
themselves from Data Subjects requesting data
over and over again with no real reason by
imposing an acceptable fee for each particular
request subject.
Right to object to processing
Compelling legitimate grounds for the processing
which override the interests, rights and freedoms
of the Data Subject.
That the processing requires the data for the
establishment, exercise or defense of legal rights.
The right to object to direct marketing is absolute
and the Data Controller must cease such processing.
In other cases the Controllers must cease such
processing unless they can demonstrate:
Processing based on legitimate interests (e.g. public interest).
Processing for purposes of scientific/historical research and statistics.
Direct marketing (including profiling).
Data subjects have the right to object to the processing of personal
data including:
NO