GDPR: what rights do data subjects have, how do I respect them and what exceptions may apply to research?

The General Data Protection Regulation (GDPR) defines the persons whose personal data are processed as data subjects.

As a researcher, you have to take into account that the data subjects can in accordance with the GDPR exercise different rights with regard to their personal data.

1. Right to information

You are obliged to inform the data subjects in a clear and transparent manner about the personal data that is processed from them and for what purpose this processing takes place. This is in line with the basic principle that the processing of personal data must be transparent.

2. Right to access

A data subject can ask whether personal data is being processed about him/her, which categories of personal data this concerns, why they are processed and with whom they are shared.

3. Right to rectification

If the data are not correct, the data subjects can ask to correct, supplement or erase them.

4. Right to be forgotten

In a number of cases and circumstances the data subjects can have their personal data deleted. Exceptions may be made to this right in the context of scientific research insofar as the exercise of this right threatens to render impossible the achievement of the purposes of that processing or seriously jeopardise it. 

5. Right to limit the processing

If certain criteria are met, the data subjects can ask you to (temporarily) stop processing their personal data.

6. Right to data portability

Data subjects may request that the personal data processed in an automated manner for which they gave their consent or for which they have entered into a contract with the controller be transferred in an easily legible and manageable format.

7. Right to object to certain uses of personal data and to automated decision-making and profiling

Restricting the rights of data subjects

Within a research context, some rights can be restricted to a greater or lesser extent in different circumstances. Namely when the exercise of these rights seriously impedes or threatens to render the research objectives impossible.

If this is the case for your research, it is important to clearly state the need for deviating from one or more of these rights, per right, in the GDPR register.

Since limiting the rights entails more risks for the data subjects, it is important to provide appropriate safeguards and organisational and technical security measures in your research. You must also document this information in the GDPR register.

Exercising rights

It is also important to inform data subjects about who they can contact to exercise their rights. As a researcher you will usually be the first contact person for this.

Below are some guidelines that may be helpful when data subjects seek to exercise their rights:

  • the exercise of these rights naturally only applies to the data subject's own data. You cannot therefore exercise any rights with regard to the personal data of others
  • exercising rights with regard to fully anonymised data (where the original data set has been deleted) will by definition be impossible
  • for requests to exercise rights with regard to pseudonymised data, you can first of all make it clear to the data subject that you can no longer access the data, precisely because you have pseudonymised it for security reasons. If the data subject insists, you will still have to make access/correction, etc. possible using the key.

More information

More tips

Translated tip


Last modified March 30, 2020, 1:35 p.m.