The 8 Constituent Rights of GDPR

Print Friendly and PDF Follow

At the very core of the new Global Data Protection Regulation are eight rights that every EU citizen protected by the law can exercise. With the recent focus on transparency of data usage, each right aims to protect a constituent’s personal data. In this article, we’ve broken each of the 8 Fundamental Rights of the GDPR down so you can better understand what each mean to help you better finesse your plans.

1. The Right of Access

Simply stated, a subject’s Right of Access means they have the right to know what information is being held and how it is being used. Upon request, a data controller may be required to provide a constituent with a copy of their processed personal data that is kept on file. For our industry and depending on the individual, this could include data about historical giving, alumni association membership information, school transcripts, and more.

2. The Right to Rectification

When a constituent exercises their Right to Rectification, it simply means that the controller needs to correct any personal data that has been cited as inaccurate. This could be anything from a typo in their phone number, a legal change in name, or documenting a new home mailing address. It’s important to have secure, easy access to the database to update any of this information in a timely fashion.

3. The Right to be Forgotten / Right of Erasure

Article 17 of the GDPR details that a constituent can request to have their personal data removed from a controller’s and processor’s system.

However, it’s not as clear as you may think. A constituent has the Right of Erasure without delay if they meet one of the following criteria:
- The controller no longer needs the data.
- The constituent exercises their right to object to the data processing
- The constituent withdraws consent to processing
- The data must be erased for legal reasons
- The constituent was a child at the time of data collection
- The controller or processor is processing the data unlawfully

It is important to note that there are scenarios in which a controller may not have to erase the data. For example, if there is a reason of public interest (i.e. public health), scientific or historical research for archiving purposes, and even legal compliance such as banks keeping data for 7 years.

4. The Right to Restriction of Processing

When a constituent finds themselves in a position where they cannot require a controller to erase their personal information (see above circumstances), they have the ability to restrict the controller’s ability to process said data.

5. The Right to be Informed

In the spirit of transparency, the Right to be Informed is all about the collection and use of a constituent’s personal data. So when a constituent exercises this right, the controller will need to provide them with details surrounding processing from the moment they opt-in to your communications.

6. The Right to Data Portability

When it comes to the Right to Data Portability, this allows a constituent to obtain a copy of their personal data safely and in a machine-readable format free of charge, so it can be copied or securely transfer to another controller. It is important to note that this right is subject to several conditions: only data provided by and concerning the individual is eligible; processing must be performed using automated procedures; and it must not infringe upon the rights and/or freedoms of others.

7. The Right to Object

The constituent has the right to object the processing of their data for research purposes, direct marketing, and processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority.

8. The Right not to be Subjected to a Decision based on Automated Processing

This Article restricts a controller from making fully automated decisions about its constituents based on profiling.

To learn more about the individual rights of the Global Data Protection Regulation, visit