Definition · Plain-language
Data subject rights
Data subject rights are the set of rights GDPR grants individuals over their own personal data, giving them control over how it is used.
The step most authors miss
Doing CRediT right? Don’t stop at the statement.
A CRediT statement credits you inside one paper. The recognition CRediT was built for happens when those roles are tied to you, persistently. Sign in with your ORCID — free — and claim your CRediT contributions on casrai.org, the home of the standard. They become a verified, portable part of your identity, not a line that disappears into one PDF.
Free: claim your contributions, then export a journal-ready CRediT statement, schema.org structured data, JATS XML, CSV or BibTeX — and preview your public profile. A membership publishes that profile publicly and verifies the journals you serve.
The core rights
GDPR sets out several rights. The right of access lets people obtain a copy of their data and learn how it is used. Rectification allows correction of inaccurate data, and erasure — the “right to be forgotten” — allows deletion in defined circumstances. Restriction lets a person limit processing while a dispute is resolved, the right to object lets them challenge certain uses, and data portability lets them receive and reuse their data across services. Further rights address solely automated decisions and profiling.
Rights are not absolute
These rights are qualified rather than unconditional. Each applies in particular circumstances and is subject to exemptions — for example, where data must be retained to meet a legal obligation, or where erasure would undermine freedom of expression or scientific research. Research often benefits from specific provisions that adjust how some rights apply, reflecting a balance between individual control and the public value of well-governed data. The practical effect of a right therefore depends on the context and the lawful basis for processing.
Why they matter for research data
Data subject rights shape how research data about people can be collected, corrected and shared. Clear consent processes, accurate records and transparent information notices all help researchers honour these rights. Where data is fully anonymised, individuals can no longer be identified, so most of these rights no longer apply — another reason anonymisation and de-identification are central to responsible, FAIR-aligned data sharing.
Key facts
At a glance
- Definition: GDPR rights of individuals over their personal data
- Source: GDPR Chapter III (Articles 12–23)
- Core rights: access, rectification, erasure, portability, restriction, objection
- Right to be forgotten: the erasure right, applied in defined cases
- Qualified: rights are subject to conditions and exemptions
- Anonymised data: most rights no longer apply once truly anonymised
Common misconceptions
What people often get wrong
Often heard: The right to erasure means anyone can demand their data be deleted at any time.
Actually: Erasure applies in defined circumstances and is subject to exemptions — for example where data is needed for legal obligations, public interest or scientific research — so it is not an unconditional delete-on-demand right.
Often heard: Data subject rights apply to anonymised research data too.
Actually: Once data is genuinely anonymised, individuals can no longer be identified, so most data subject rights no longer apply because there is no longer identifiable personal data.
Often heard: Data portability lets a person take any data an organisation holds about them.
Actually: Portability applies to personal data the person provided, processed by automated means under consent or a contract — not to every record or to derived analytics about them.
Going deeper
