GDPR: New rights that we will all enjoy


The General Data Protection Regulation (GDPR) is the new legal framework for the European Union that will be effective as of 25 May of this year, repealing the last Data Protection Directive.

This regulation has been designed to protect the personal data of data subjects in the European Union. It gives individuals control over how companies and public institutions can use information linked to them, providing them with seven specific rights.

In this post, we define these rights, which include both existing ones and new ones that this important Regulation is introducing for the first time.

This post is also available in Spanish.


GDPR: What rights will data subjects have?

In addition to the traditional ARCO rights (Access, Rectification, Cancellation and Opposition) included in the current Spanish legislation, as of 25 May, new rights will be added that will improve data subjects' capacity for decision-making and control regarding their own personal data.

Thus, the new European Data Protection Regulation will improve some characteristics of the ARCO rights and will also include some new ones:

  • Right to transparency of information (article 12)
  • Right of access by the data subject (article 15)
  • Right to rectification (article 16)
  • Right to erasure (known as the right to be forgotten - article 17)
  • Right to restriction of processing (article 18)
  • Right to data portability (article 20)
  • Right to object (article 21)


Let's analyse them in more detail:


Information must be provided to data subjects in a concise, transparent, intelligible and easily accessible form, using plain language, particularly when the information is addressed to minors.

We recommend respecting the following practical tips:

  • Forms that are especially cumbersome and that include references to legal texts should be avoided.
  • Informative clauses must clearly explain the content to the data subjects, regardless of their knowledge on the subject.
  • The information must be unified, written physically or electronically, and there is even the option of complementing it with formalised icons, which the European Commission is already working to design.
  • When the requests of a data subject are manifestly unfounded or excessive, in particular due to their repetitive nature, the controller may charge a reasonable fee, taking into account the administrative expenses derived from providing the information; or the controller may refuse to respond to the request.



Regulated in art. 15 of the GDPR, the right of access broadens the information to which the data subject must consent, compared with the previous Directive.

Data subjects within the European Union have the right to be informed, among other aspects, of the following:
  • The purposes of the data processing, personal data categories that are processed and the possibilities of data communications and their recipients.
  • Expected conservation period.
  • Their right to rectify or delete the data, limit processing, or oppose it.
  • The right to file a claim with the Control Authority.
  • If an international data transfer occurs, information on the appropriate guarantees.


The data subject shall have the right to request that the controller rectify any inaccurate personal data concerning him or her. In view of this request, the controller must satisfy this right without undue delay. 


The new GDPR sets out that any person shall have the right to obtain the erasure of their personal information by Internet service providers, when he or she so desires, as long as the party holding this data does not have legitimate reasons to retain it.

It also obliges any controller who has disseminated the information to third parties to inform them of the obligation to delete any link to the published data, as well as to eliminate any copy or replication of said data.

The aim of this right is to eliminate any trace of the data of any person who wants to be permanently "forgotten" from the network and search engines.



In certain circumstances, data subjects may request the data controller to restrict the processing of their data, when the following scenarios occur:

  • Inaccuracy

    When the data subject has requested that the controller update inaccurate personal data related to him or her.

    This restriction of processing will be carried out by the controller during the period necessary for him or her to verify the accuracy thereof.

  • Unlawfulness 

    When the data subject needs the controller to continue processing their data in order to formulate, exercise or defend claims, even though the controller no longer needs to process the data subject's personal data for the purpose for which they were collected.

  • Claims 

    When the data subject needs the controller to continue processing their data in order to formulate, exercise or defend claims, even though the controller no longer needs to process the data subject's personal data for the purpose for which they were collected.

  • Opposition 

    When the data subject requests it, as a provisional measure, in the case of having exercised the right of opposition.

    Restriction of processing will operate during the time that the controller uses to determine if the arguments that the data subject uses to oppose the processing of his or her data are relevant.

Restriction of processing consists in the controller reserving the data and only using them in the following cases:

  • The establishment, exercise or defence of legal claims
  • The protection of the rights of another natural or legal person
  • For reasons of important public interest of the E.U. or the Member State.



The new GDPR provides that the data subject has the right to have his or her data transmitted directly from one controller to another, when technically possible.

A typical example is when a private individual wants to change his or her telecommunications operator or electricity company: portability allows the individual's personal data to be transferred directly to the new chosen company, in an agile and straightforward way for the end user.

In addition to incorporating these new rights, the GDPR also requires that visible, accessible and simple language procedures be created to aid data subjects in the exercise of their rights.

This will also need to be possible through electronic means as indicated in Recital 59.

(...) The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means.

Recital 59


Through the right to object, data subjects may oppose the processing of personal data when:

  • For reasons related to their personal situation, data processing must stop, unless a legitimate interest is proven.
  • The processing is aimed at direct marketing.

More information: GDPR: What must be done to make consent demonstrable?



Exercising these rights will be free for the citizen except when requests are manifestly unfounded or excessive. In any case, if there is a cost, this cannot be an additional income for the controller, since it would only compensate the exact cost of processing the request.

Lastly, in light of the Facebook incident, Jan Philipp Albrecht, member of the German Green Party and the European Parliament, highlighted how this incident underscored that users needed more control over their data.

In a press release, Albrecht said the following about the upcoming Regulation: "The informed and explicit agreement for all those affected by data processing should be a guiding principle. There will be very few exceptions, if any."

This is a clear statement of intent about how much the European Union cares about this issue, and how much we all should if we do not want to face significant sanctions or loss of reputation.
