The GDPR includes existing rights and expands them, while also creating new ones. Thus, it regulates:
The right of the data subject to know whether the controller processes their personal data and, if this is the case, to access this data and obtain information on how they are being processed.
- The right of rectification
The right to rectify inaccurate personal data and to complete incomplete personal data, including by means of an additional declaration.
- The right of erasure (right to be forgotten)
The right to have one's personal data deleted when: they are no longer necessary for the purpose for which they were collected; the consent on which the processing was based has been withdrawn; there is objection to processing; the data have been unlawfully processed; the data have been processed to comply with a legal obligation or have been obtained in relation to the provision of information society services aimed at minors.
When the controller has made the personal data public and they must be erased, the controller must take reasonable steps to provide notification of such erasure to other controllers who are processing the data.
The right to object to the processing of personal data for reasons related to the particular situation of the data subject.
When the data are processed for direct marketing purposes, including profiling related to such marketing, the processing must be stopped immediately.
- The right to restriction of processing
The right to mark stored personal data with the aim of limiting their processing in the future.
The limitation of processing means that, at the request of the data subject, their personal data will no longer be processed.
- The right to data portability
The right to receive personal data provided to a controller in a structured, commonly used and machine-readable format, and to transmit them to another controller, if the following requirements are met:
- The processing it is based on consent or a contract.
- The processing is carried out by automated means.
- The right not to be subject to automated individual decision-making
The right not to be subject to a decision based solely on the automated processing of data, including profiling, which produces legal effects for the data subject or similarly significantly affects him or her. This shall not apply if the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller; it is based on the data subject's explicit consent; or it is authorised by the law of the Union or the Member State concerned.
All these rights must be exercised before the relevant entity responsible for the processing (Generalitat, provincial council, city council, consortium, university, etc.).