Nature of Data Subject Rights
The rights of a data subject under the Data Privacy Act are statutory controls over the processing of personal information by persons or entities that determine why and how the information is collected, used, stored, disclosed, retained, or destroyed.
These rights give concrete effect to informational privacy, which concerns a person's ability to know, control, correct, restrict, and obtain redress for the use of information that identifies or can reasonably identify him or her.
The constitutional protection of privacy of communication and correspondence limits unjustified intrusion into private communications, while the Data Privacy Act regulates the broader life cycle of personal information in both public and private processing systems.
The rights operate together with the general privacy principles of transparency, legitimate purpose, and proportionality. Transparency requires meaningful notice; legitimate purpose requires a lawful and declared objective; proportionality requires processing that is adequate, relevant, suitable, necessary, and not excessive.
A data subject need not prove ownership of the physical record or database. The rights attach because the information relates to an identified or identifiable natural person.
Persons and Information Covered
A data subject is the individual whose personal information is processed. Only natural persons are data subjects, although juridical entities may be personal information controllers, processors, recipients, or complainants in related proceedings.
Personal information is information from which the identity of an individual is apparent or can be reasonably and directly ascertained, or which, when placed with other information, would directly and certainly identify an individual.
Sensitive personal information includes data involving matters such as race, ethnic origin, marital status, age, color, religious or political affiliations, health, education, genetic or sexual life, proceedings for offenses, government-issued identifiers, and other information classified by law or regulation as sensitive.
Privileged information is communication protected by law, court rule, or recognized evidentiary privilege. Its processing is more restricted because disclosure may defeat an independent legal protection, such as attorney-client, physician-patient, or similar confidential relations.
Processing is not limited to active use. It includes collection, recording, organization, storage, updating, retrieval, consultation, use, consolidation, blocking, erasure, and destruction.
The personal information controller is the person or organization that controls the collection, holding, processing, or use of personal information, including one who instructs another to process the information on its behalf. The personal information processor acts on behalf of the controller and generally does not decide the purpose or essential means of processing.
The data subject ordinarily asserts rights against the controller, because the controller determines the legal basis, purpose, retention period, disclosures, and response to requests. A processor must still assist the controller and must not hide behind outsourcing when it is effectively deciding processing purposes or independently using the data.
Rights at a Glance
| Right | Essential Content | Practical Effect |
|---|---|---|
| To be informed | Notice that personal information shall be, is being, or has been processed, with material details on purpose, scope, recipients, controller identity, retention, and available rights. | The controller cannot rely on hidden, vague, or shifting processing purposes. |
| To object | Refusal or withdrawal of consent and objection to processing, including direct marketing, automated processing, or profiling. | Processing must stop unless another lawful ground or overriding legal basis permits continuation. |
| To access | Reasonable access, on demand, to the contents, sources, recipients, manner, reasons for disclosure, automated processes, and relevant dates of access or modification. | The data subject can audit what is held, where it came from, who received it, and how it affects him or her. |
| To rectification | Dispute inaccuracy or error and require correction, with appropriate notice to recipients of the corrected information. | Decisions should not rest on false, outdated, or misleading personal data. |
| To erasure or blocking | Require suspension, withdrawal, blocking, removal, or destruction when statutory grounds exist. | Unlawful, unnecessary, unauthorized, or prejudicial processing may be stopped or removed from active use. |
| To damages | Indemnification for damages sustained because of inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information. | The right supplies a civil consequence for privacy injury caused by wrongful processing. |
| To data portability | Obtain a copy of personal data processed by electronic means in a structured, commonly used, and usable electronic format. | The data subject can reuse or transfer his or her data without being locked into one controller's system. |
Right to Be Informed
The right to be informed is the foundation of valid and accountable processing because a person cannot meaningfully consent, object, correct, or seek redress without knowing that processing is occurring.
The data subject has the right to know whether personal information pertaining to him or her shall be, is being, or has been processed.
Before entry of personal information into a processing system, the controller must furnish information that allows the data subject to understand the processing in a real and practical way.
- The notice must identify the description of the personal information to be entered into the system.
- The notice must state the purposes for which the personal information is being or will be processed.
- The notice must describe the scope and method of processing, because broad consent to vague future use is not a meaningful privacy control.
- The notice must identify recipients or classes of recipients to whom the information may be disclosed.
- The notice must identify the controller and provide contact details through which the data subject may exercise rights.
- The notice must state the retention period or criteria for retention when the exact period cannot yet be fixed.
- The notice must inform the data subject of the existence of statutory rights and how they may be exercised.
Notice must be timely, intelligible, and specific to the processing activity. A privacy notice that is buried, abstract, overbroad, or inconsistent with actual processing fails to serve the function of transparency even if it exists in writing.
When processing involves automated decision-making, profiling, scoring, ranking, or similar operations that may significantly affect the data subject, the right to be informed includes meaningful notice that such processing exists and how it may affect the person.
The right to be informed is not satisfied merely by saying that information is collected "for business purposes." The declared purpose must be sufficiently definite to test whether the collection, use, disclosure, and retention are legitimate and proportional.
A controller that later changes the purpose, expands recipients, increases retention, or uses data for materially different processing must provide fresh or supplemental notice and, when required, obtain a valid legal basis for the new processing.
Right to Object
The right to object allows the data subject to withhold consent, withdraw consent already given, or resist processing that is not justified by another lawful basis.
Consent must be freely given, specific, informed, and evidenced by an indication of will. Consent obtained through deception, bundled with unrelated purposes, or presented as unavoidable when processing is not necessary is weak or invalid as a basis for processing.
Withdrawal of consent does not automatically make prior lawful processing illegal, but it prevents continued processing that depends solely on that consent.
When a data subject objects or withdraws consent, the controller must stop processing unless continuation is justified by law, a lawful order, a subpoena, a contractual necessity, an employment relation that legitimately requires the processing, a legal obligation, or another recognized basis that overrides the objection.
The right to object is especially important in direct marketing, behavioral profiling, automated processing, and secondary use, because these forms of processing often rely on data subjects not actively resisting repeated or expanded use of their data.
Objection does not permit a person to defeat lawful record-keeping, regulatory reporting, tax obligations, fraud prevention, public authority functions, or the defense of legal claims where the processing is necessary and proportionate.
A controller that denies an objection should be able to identify the specific legal basis for continued processing and should limit continued processing to what that basis actually requires.
Right of Access
The right of access allows the data subject to look into the controller's processing system as it relates to him or her, subject to lawful limitations protecting other persons, privileged information, investigations, and legally protected interests.
Upon reasonable demand, the data subject may obtain access to the contents of his or her personal information that were processed.
The data subject may also ask for the sources from which the personal information was obtained, because source information is often necessary to correct false data or challenge unlawful collection.
The right includes information on the names and addresses of recipients of the personal information, so the data subject can trace disclosures and require coordinated correction, blocking, or deletion when appropriate.
The data subject may ask about the manner by which the information was processed and the reasons for disclosure to recipients, because disclosure without a lawful purpose is one of the most serious forms of privacy injury.
The data subject may obtain information on automated processes where the data will be or is likely to be made the sole basis for a decision significantly affecting him or her.
The data subject may ask for the date when the personal information was last accessed and modified, because these details help determine whether there was unauthorized access, stale information, or post-dispute alteration.
The data subject may ask for the designation, name or identity, and address of the controller, because rights are meaningful only when there is an accountable person or organization to answer for processing.
Access need not extend to trade secrets, system security details, another person's personal data, privileged communications, or information whose release would prejudice a lawful investigation, but the controller should provide as much responsive information as can lawfully be given.
The controller may impose reasonable procedures to verify identity and prevent unauthorized access, but the procedure must not be so burdensome that it effectively nullifies the right.
Right to Rectification
The right to rectification allows the data subject to dispute inaccuracy or error in personal information and to require correction without undue delay when the dispute is justified.
The right covers false data, outdated data, incomplete data that creates a misleading impression, and inaccurate entries that may affect eligibility, reputation, employment, credit, benefits, access to services, or legal status.
A correction request should identify the disputed data and the requested correction, but the controller must evaluate the substance of the dispute and must not reject a meritorious correction because of minor defects in form.
The controller need not grant a request that is vexatious or plainly unreasonable, but the burden of justifying refusal rests on the controller that continues to use the disputed data.
When correction is made, both the new and retracted information should be handled in a way that preserves accountability. The corrected information should be accessible for legitimate purposes, and prior recipients should receive the correction where they previously received the inaccurate information and continued reliance may prejudice the data subject.
Rectification is not the same as erasure. Correction preserves the record in an accurate form, while erasure or blocking removes, suppresses, or destroys information when continued processing is no longer lawful or necessary.
Right to Erasure, Blocking, Removal, or Destruction
The right to erasure or blocking protects the data subject when continued processing itself is defective, excessive, unlawful, unauthorized, or no longer necessary for the declared purpose.
The data subject may require suspension, withdrawal, blocking, removal, or destruction from the controller's filing system upon discovery and substantial proof of a recognized ground.
- Personal information may be blocked or erased when it is incomplete, outdated, false, or unlawfully obtained.
- Personal information may be blocked or erased when it is being used for unauthorized purposes.
- Personal information may be blocked or erased when it is no longer necessary for the purposes for which it was collected.
- Personal information may be blocked or erased when the data subject withdraws consent or objects, and no other lawful ground justifies continued processing.
- Personal information may be blocked or erased when it concerns private information prejudicial to the data subject, unless its processing is justified by freedom of speech, expression, or the press, or is otherwise authorized by law.
- Personal information may be blocked or erased when the processing is unlawful.
- Personal information may be blocked or erased when the controller or processor violated the rights of the data subject.
Blocking generally prevents further use or disclosure while preserving the data for a limited lawful reason, such as audit, dispute resolution, legal claim, or regulatory requirement. Destruction removes the data from use and retention when no lawful reason remains to keep it.
The right does not create an absolute power to destroy public records, erase lawful evidence, frustrate legal retention periods, defeat an investigation, or impair another person's legally protected rights.
A controller that retains data despite an erasure request must identify the surviving lawful purpose and must limit access, use, and retention to that purpose.
Once the lawful purpose expires, retention becomes excessive. A controller cannot keep personal information indefinitely merely because storage is cheap or future use may become convenient.
Right to Damages
The right to damages gives the data subject a remedy when wrongful processing produces legally cognizable injury.
The data subject is entitled to indemnification for damages sustained because of inaccurate, incomplete, outdated, false, unlawfully obtained, or unauthorized use of personal information.
Damage may arise from financial loss, denial of service, reputational injury, identity misuse, emotional distress recognized by law, impairment of rights, or other consequences traceable to wrongful processing.
The remedy focuses on causal connection. The data subject must connect the injury to the controller's or processor's unlawful or negligent handling of personal information.
The right to damages may exist alongside administrative remedies before the privacy regulator and criminal liability for statutory offenses such as unauthorized processing, unauthorized access, improper disposal, malicious disclosure, concealment of security breaches, or related violations.
Indemnification does not require the data subject to surrender the right to correction, blocking, erasure, or complaint. Monetary relief addresses injury already suffered, while other remedies stop or correct ongoing processing.
Right to Data Portability
Data portability allows the data subject to obtain a copy of personal information processed by electronic means in a structured, commonly used, and usable electronic format.
The right is designed to prevent the data subject from being locked into one controller's system and to allow reuse or transfer of the data for legitimate personal, commercial, employment, financial, or service-related purposes.
Portability applies to the data subject's personal data undergoing electronic processing, not necessarily to every internal note, proprietary algorithm, risk model, trade secret, or analytical conclusion generated by the controller.
The controller must provide the data in a form that allows further use by the data subject, subject to reasonable authentication, security, and safeguards against disclosing another person's personal information.
Portability differs from access. Access is broader as an accountability tool, while portability is directed at obtaining a transferable copy of electronically processed data in a useful format.
Exercise Through Representatives, Heirs, and Assigns
The rights are personal but may be exercised through a duly authorized representative when the data subject acts through agency or is legally incapable of acting personally.
After the death of the data subject, or when the data subject is incapacitated or legally incapable of exercising rights, lawful heirs and assigns may invoke the rights of the data subject.
Representative exercise must be supported by proof of authority because the controller has a separate duty to avoid disclosing personal information to an unauthorized requester.
When a representative invokes rights, the controller should verify both the identity of the requester and the authority to act, while still observing reasonable periods and procedures for responding.
Limits on the Rights
Data subject rights are strong but not absolute. They yield to lawful processing that is necessary, proportionate, and grounded in law, contract, public authority, legal obligation, protection of life and health, legitimate interest where allowed, or other recognized bases.
The rights generally do not apply in the same way to information used only for scientific or statistical research when no decisions are made regarding the data subject, the information is held under strict confidentiality, and it is used only for the declared purpose.
The rights may also be restricted for personal information gathered for investigations in relation to criminal, administrative, or tax liabilities, because premature access, correction, erasure, or portability may frustrate lawful inquiry.
The Data Privacy Act also recognizes exclusions for certain public information and government functions, and for journalistic, artistic, literary, research, law enforcement, regulatory, and financial compliance contexts. An exclusion does not create a license for arbitrary disclosure; it means the privacy analysis must account for the specific statutory purpose of the exclusion.
Rights must be harmonized with freedom of speech, freedom of the press, due process, public records law, discovery rules, evidentiary privileges, corporate compliance duties, and the State's power to investigate and prosecute offenses.
A controller should not use a statutory limitation as a blanket refusal. Even where full access or erasure is unavailable, partial access, redaction, confirmation of processing, correction of non-sensitive errors, or explanation of the legal basis may still be required when consistent with law.
Controller Duties When Rights Are Invoked
The controller must establish a rights request process that is accessible, secure, and capable of producing an accountable response.
The controller may require identity verification, but verification must be proportionate to the sensitivity of the data and the risk of unauthorized disclosure.
The controller should record the request, the date received, the data involved, the action taken, the legal basis for any refusal, and the date of response, because accountability is a continuing obligation.
When the requested action affects data already disclosed to recipients, the controller should take reasonable steps to notify those recipients when correction, blocking, erasure, or restriction is necessary to protect the data subject.
Outsourcing does not defeat accountability. A controller remains answerable for rights requests even when storage, customer support, analytics, payroll, cloud hosting, or other processing functions are performed by a processor.
Security obligations support the exercise of rights. If access logs, audit trails, retention schedules, and disclosure records do not exist, the controller may be unable to comply with access, correction, erasure, or accountability obligations.
Relation to Breach Notification and Complaints
A personal data breach may trigger notification to the regulator and affected data subjects when the breach involves sensitive personal information or information that may enable identity fraud and there is a real risk of serious harm.
Breach notification is connected to the right to be informed because affected persons must know enough to protect themselves, change credentials, monitor accounts, contest misuse, or demand appropriate corrective action.
Notification after a breach does not cure an unlawful collection, excessive retention, weak security measure, unauthorized disclosure, or failure to honor a rights request.
A data subject may file a complaint with the privacy regulator for violation of rights, unlawful processing, unauthorized disclosure, failure to act on requests, or other violations of the Data Privacy Act and its implementing rules.
Administrative action may result in compliance orders, temporary or permanent bans on processing, orders to block or destroy data, recommendations for prosecution, administrative fines where authorized, and other corrective measures appropriate to the violation.
Operational Meaning of Each Right
The right to be informed answers the question: What data about me is being processed, why, by whom, for how long, and with whom will it be shared?
The right to object answers the question: Can I refuse or stop this processing when it depends on consent or lacks an overriding lawful basis?
The right of access answers the question: What exactly is in the controller's files about me, where did it come from, who received it, and how has it been used?
The right to rectification answers the question: Can false, outdated, incomplete, or misleading data be corrected so that future decisions are not based on error?
The right to erasure or blocking answers the question: Must the controller stop using or remove data that is unlawful, unnecessary, unauthorized, prejudicial, or no longer supported by a lawful basis?
The right to damages answers the question: What remedy is available when wrongful processing causes injury?
The right to data portability answers the question: Can I obtain my electronically processed personal data in a usable format for my own further use?