Data Subjects’ Rights

On this page: rights of participants, right, withdrawing consent, delete data
Date of last review: 2023-07-11

The GDPR provides data subjects with several rights that gives them a relatively high degree of control over their own personal data. Below, we list these rights and how you can apply them in your research:

  1. Right to be informed
    Data subjects need to be clearly informed about what you are doing with their personal data (a.o. art. 12). This usually happens via an information letter. This right does not apply if your research will be seriously harmed by meeting it and if you haven’t obtained the personal data directly from the data subjects themselves.
  2. Right of access
    Data subjects have the right to access a copy of the personal data you have on them and to know what you are doing with that personal data and why (art. 15).
  3. Right to rectification
    Data subjects have the right to correct and complement the personal data that you have of them (art. 16).
  4. Right to erasure/Right to be forgotten
    Data subjects have the right to have their personal data removed (i.e., equivalent to the right to withdraw consent, art. 17). This right does not need to be granted if:
    • the personal data are published and need to be archived for validation purposes.
    • it would seriously obstruct the research purpose(s).
    • it would hinder complying with a legal obligation or carrying out a task in the public interest.

    If the personal data have already been made public or shared, you need to take reasonable measures to inform other users of the data of the erasure request. A privacy officer can help you with this.

  5. Right to restriction of processing
    Data subjects have the right to have you process less of their personal data (art. 18), for example if their personal data are inaccurate or your processing of it is unlawful or no longer needed.
  6. Right to data portability
    Data subjects have the right to have their personal data transferred to another party in a “structured, commonly used and machine-readable format” (art. 20).
  7. Right to object
    Data subjects have the right to object to what you are doing with their personal data. This right applies when the processing is based on legitimate or public interest (art. 21). In case of objection, you have to stop your processing activities and thus delete any data you have from the particular data subject, unless you can demonstrate concrete grounds for overriding the data subject’s rights (e.g., excluding the data subject would substantially bias your results).

In Dutch scientific research, it is possible to exclude the rights of access (art. 15), rectification (art. 16), and restriction of processing (art. 18), so that data subjects cannot exercise those rights (UAVG art. 44). If you wish to do this, please first consult with your privacy officer.

How can data subjects exercise their rights?

Data subjects need to be informed about their rights and who to contact in order to exercise them, including when you use a legal basis other than informed consent. In research, this is usually done via a privacy notice or information letter, which states a contact person responsible for handling questions and requests.

Incoming requests need to be coordinated with a privacy officer, so that they can be picked up in accordance with the GDPR. Additionally, at Utrecht University, data subjects can always contact (Legal Affairs) for requests or complaints.

What to do when receiving a request concerning data subjects’ rights?

You have to provide a substantive response to the data subject within 30 days, in the same way as you received the request. Depending on the complexity and number of requests, the response period may be extended by 2 months. In that case, you must inform the data subject about this extension (including the motivation) within one month. If needed, you can (and sometimes should) ask for additional information to confirm the data subject’s identity.

For granting requests about data subjects’ rights, there should be a procedure in place, in which you should at least consider:

  • how you are going to retrieve the data (e.g., using a name-number key)
  • who is responsible for granting the request and informing the data subject about it (e.g., a data manager)
  • how the request is going to be granted, for example how they will be sent securely (access, portability), removed (forgotten, object, restriction) or corrected (rectification)

For larger projects, it may be wise to put a Standard Operating Procedure (SOP) in place.

What if the data have already been anonymised?

The principles of data minimisation and storage limitation are considered more important than keeping personal data just for the sake of identification (art. 11). Therefore, when receiving a request about anonymised data, you can make it clear that you cannot retrieve the data subject’s personal data, because they have been anonymised. In this case, the data subject cannot exercise their rights anymore. If you can still retrieve the data subject’s personal data in some way (i.e., when data are pseudonymised), you are obliged to retrieve them. In order to do so, you can (and sometimes should) ask for additional information that can confirm the data subject’s identity.