
CIPP/E Domain 2: Data Subject Rights Under GDPR

Quick Insights:

Data subject rights are the core of GDPR accountability. They give individuals control over how their personal data is collected, used, corrected, deleted, restricted, transferred, or challenged. Organizations must operationalize these rights through clear privacy notices, transparent processes, proper identity verification, documented assessments, and technical safeguards. For CIPP/E learners, understanding these rights and related EDPB guidance is essential for both exam preparation and real-world privacy compliance.

In today’s digital economy, personal data is power, and the GDPR restores that power to individuals. The GDPR establishes a robust framework of rights that ensures transparency, fairness, and accountability in data processing.

Within the updated CIPP/E framework, understanding data subject rights is not just foundational; it is heavily emphasized, particularly with reference to European Data Protection Board (EDPB) guidelines and opinions that clarify how these rights must be applied in practice.

Organizations must not only recognize these rights but also operationalize them effectively within their governance, compliance, and technical systems.

Data Subject Rights Under GDPR

What is a Data Subject?

A data subject is a living individual who can be identified, directly or indirectly, and whose personal data is being collected, used, or otherwise processed. The GDPR applies only to living individuals: it does not cover legal entities such as companies, nor deceased persons, though member states may regulate the data of the deceased separately.

What are the Data Subject Rights?

1. Right of Access

Data subjects have the right to know if their personal data is being processed and to receive a copy along with detailed information, including:

  • Purpose of processing
  • Categories of data processed
  • Recipients (especially third countries/international organizations)
  • Retention period
  • Rights to rectification, erasure, restriction, or objection
  • Right to lodge a complaint
  • Source of data (if not collected directly)
  • Use of automated decision-making, including profiling

EDPB Guidelines 1/2024 reinforce strict transparency obligations and clarify:

  • The right of access includes meaningful information about processing logic, not vague summaries.
  • Controllers must provide complete data sets, not filtered or partial disclosures.
  • Identity verification must be proportionate and not create unnecessary barriers.
  • The “manifestly unfounded or excessive” exception must be narrowly interpreted.

2. Right to Rectification

Data subjects can request updates or corrections to their data when it is inaccurate, incomplete, or outdated. Organizations must ensure updates are made throughout linked systems. While operationally demanding, accuracy is essential for lawful processing.

3. Right to Erasure / Right to Be Forgotten (RTBF)

Data subjects can request data deletion if:

  • It is no longer needed
  • Consent is withdrawn
  • They object, and there are no overriding interests
  • It was unlawfully processed
  • Law requires erasure

Earlier Guidelines 5/2019 (notably on search engines) remain relevant, but newer guidance reinforces:

  • Controllers must assess competing rights carefully (e.g., freedom of expression).
  • Article 17(2) requires reasonable steps to inform third parties when data has been made public.
  • Erasure does not apply where exemptions exist (legal claims, public interest, regulatory obligations).

4. Right to Restriction of Processing

Instead of deletion, processing may be restricted when:

  • Data accuracy is contested
  • Processing is unlawful, but data is still needed
  • Data is no longer needed, but is required for legal claims
  • Objection is pending a decision

Technically, this may involve flagging or isolating data without using it (e.g., via access control or system segregation).

5. Right to Object

Applies primarily where processing is based on:

  • Legitimate interests
  • Public interest tasks
  • Direct marketing (including profiling)

For direct marketing activities, individuals’ right to object cannot be overridden.

Controllers must demonstrate “compelling legitimate grounds” to override objections outside marketing contexts.

Recent EDPB discussions reinforce:

  • Legitimate interest balancing tests must be documented.
  • Objections require individualized assessments—not generic refusals.

6. Consent and Right to Withdraw

When consent is the basis for processing, it must be:

  • Freely given
  • Specific
  • Informed
  • Unambiguous

Data subjects have the right to withdraw consent at any time, and the process should be as easy as providing it. Once withdrawn, processing based on that consent must stop.

Recent enforcement trends show regulators scrutinizing:

  • Dark patterns in consent interfaces
  • Bundled consent practices
  • Imbalanced power dynamics

7. Rights Related to Automated Decision-Making & Profiling

Applies where decisions:

  • Are made solely by automated means
  • Produce legal or similarly significant effects

Data subjects have the right to:

  • Obtain human intervention
  • Express their viewpoint
  • Contest the decision

With the growing integration of AI systems, regulators expect:

  • Transparency about algorithmic logic
  • Clear safeguards
  • Meaningful human oversight

Exceptions apply when:

  • Necessary for the contract
  • Authorized by law
  • Based on explicit consent (with safeguards)

8. Right to Data Portability

Data subjects have the right to receive the personal data they have provided to a controller in an organized, commonly used, and machine-readable (digitally accessible) format, and to transmit that data to another controller. This right applies only where the processing is carried out by automated means and is based on either consent or a contract.

Portability promotes competition and user control but imposes technical burdens on controllers.
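The restriction mechanism described in section 4 (flagging data rather than deleting it, so that it is stored but not used) and the portability export in section 8 (only data the subject supplied, processed on consent or contract, in a machine-readable format) are easier to reason about in code. The following is an added illustration, not code from the page or any real product; the store, field names, legal-basis labels and sample values are constructed assumptions.

```python
"""Constructed example: a tiny per-subject store that enforces a processing
restriction and produces a portability export. Not from the page or any product."""
import json
from dataclasses import dataclass, field
from typing import Any, Dict, Optional

@dataclass
class Record:
    value: Any
    provided_by_subject: bool  # portability covers only data the subject supplied
    legal_basis: str           # "consent", "contract", "legitimate_interest", ...

@dataclass
class SubjectStore:
    records: Dict[str, Record] = field(default_factory=dict)
    restricted: bool = False
    restriction_reason: Optional[str] = None

# The four restriction grounds listed under "Right to Restriction of Processing".
RESTRICTION_GROUNDS = {"accuracy_contested", "unlawful_but_needed",
                       "needed_for_legal_claims", "objection_pending"}
# Purposes still permitted while restricted (storage and legal claims stay allowed).
ALLOWED_WHILE_RESTRICTED = {"storage", "legal_claims"}

def restrict(store: SubjectStore, reason: str) -> None:
    """Flag the subject's data instead of deleting it; reject unknown grounds."""
    if reason not in RESTRICTION_GROUNDS:
        raise ValueError(f"not a valid restriction ground: {reason}")
    store.restricted = True
    store.restriction_reason = reason

def read_for_processing(store: SubjectStore, name: str, purpose: str) -> Any:
    """Every read states its purpose; restricted data is refused for ordinary processing."""
    if store.restricted and purpose not in ALLOWED_WHILE_RESTRICTED:
        raise PermissionError(f"processing restricted: {store.restriction_reason}")
    return store.records[name].value

def portability_export(store: SubjectStore) -> str:
    """JSON copy of data the subject provided under consent or contract (machine-readable)."""
    eligible = {name: rec.value for name, rec in store.records.items()
                if rec.provided_by_subject and rec.legal_basis in ("consent", "contract")}
    return json.dumps(eligible, sort_keys=True)

def demo_store() -> SubjectStore:
    """Constructed sample subject: two user-supplied fields plus one derived score."""
    return SubjectStore(records={
        "email": Record("a.user@example.com", True, "contract"),
        "newsletter_topics": Record(["privacy"], True, "consent"),
        "risk_score": Record(0.73, False, "legitimate_interest"),  # derived, not portable
    })
```

The derived `risk_score` is deliberately left out of the export: it was not provided by the subject and rests on legitimate interest, so portability does not reach it, while the access right (section 1) still would.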

In Conclusion

Data subject rights are not administrative formalities; they are the enforcement backbone of the GDPR. Organizations that operationalize these rights effectively build trust, reduce regulatory risk, and demonstrate accountability.

For privacy professionals preparing for CIPP/E, mastering these rights, alongside EDPB interpretative guidance, is essential for both exam success and real-world compliance leadership.

CIPP/E Certification Training with InfosecTrain

Develop a deeper understanding of data subject rights under the GDPR and learn how organizations must implement these rights in practice. InfosecTrain’s CIPP/E European Privacy Training equips privacy professionals with the knowledge needed to navigate key GDPR requirements such as the right of access, rectification, erasure, objection, data portability, and safeguards around automated decision-making.

Aligned with the latest CIPP/E Body of Knowledge and EDPB guidance, the training provides practical insights into how transparency obligations, privacy notices, and data subject rights operate in real-world compliance programs.


TRAINING CALENDAR of Upcoming Batches For CIPP European Privacy Online Training

Start Date End Date Start - End Time Batch Type Training Mode Batch Status
13-Jul-2026 28-Jul-2026 20:00 - 22:00 IST Weekday Online [ Close ]
08-Aug-2026 29-Aug-2026 09:00 - 13:00 IST Weekend Online [ Open ]
07-Sep-2026 22-Sep-2026 20:00 - 22:00 IST Weekday Online [ Open ]
10-Oct-2026 25-Oct-2026 09:00 - 13:00 IST Weekend Online [ Open ]
16-Nov-2026 01-Dec-2026 20:00 - 22:00 IST Weekday Online [ Open ]
05-Dec-2026 20-Dec-2026 09:00 - 13:00 IST Weekend Online [ Open ]

Frequently Asked Questions

What are data subject rights under GDPR?

They allow individuals to access, correct, delete, restrict, transfer, or object to the use of their personal data.

What is the right of access?

It lets individuals know whether their data is being processed and receive a copy with key processing details.

When can someone request data deletion?

When data is no longer needed, consent is withdrawn, processing is unlawful, or deletion is legally required.

What is the right to object?

It allows individuals to object to processing based on legitimate interests, public tasks, or direct marketing.

How should organizations manage data subject rights?

They should use clear processes, privacy notices, identity checks, and timely responses to handle requests properly.
