GDPR Subject Rights: What are they, and what do they mean for companies outside of the EU
If you are a non-EU company that offers goods or services to people in the EU, or monitors their behaviour, you can be in scope of the GDPR even without a European office. That means GDPR requests (usually called data subject requests, or DSRs for short) can arrive through support tickets, the sales inbox, social media, your privacy mailbox, or, if you have appointed one, your EU GDPR representative.
A defensible workflow does three things at once: it keeps response times on track (respecting the default deadline of one calendar month), it prevents over-collection of personal data during any identity checks you need to perform, and it creates an audit trail that shows how and why you made each decision.
Key obligations
- Recognise and log requests as soon as they arrive, whatever the channel, then confirm whether the requester is the data subject or someone authorised to act on their behalf.
- Verify identity proportionately and only where you have reasonable doubts, using a risk-based approach that avoids collecting new personal data unnecessarily (in line with Article 12(6) of the GDPR).
- Identify the type of DSR being made (access, erasure, objection, etc.). The next section of this article looks at what each of these rights means in practice.
- Search relevant systems using your data map, and document what you searched, when you searched, and what you found.
- Respond within one month of receipt (or, where the complexity and number of requests justify it, extend by up to two further months under Article 12(3), informing the individual of the extension and its reasons within the first month), using consistent templates and a secure delivery method.
- Maintain defensible records of timelines, communications, decisions, and data sources to demonstrate accountability.
The core GDPR data subject rights in practice
Below is an operational view of the core GDPR data subject rights you will typically handle:
- Right to be informed (Articles 13 and 14): This stems from one of the key principles of the GDPR, transparency. In short, you must tell individuals what personal data you process about them, how you process it, and why (for what purposes), whether you collected it from them directly (Article 13) or obtained it elsewhere (Article 14).
- Right of access (Article 15): Provide a copy of personal data and required information about processing, in a usable format.
- Right to rectification (Article 16): Correct inaccurate data and complete incomplete data.
- Right to erasure (or right to be ‘forgotten’) (Article 17): Individuals have a right to have their personal data deleted. This is not an absolute right and there are limitations (e.g. where applicable law requires you to retain the data, or where it is needed to establish, exercise or defend legal claims).
- Right to restriction of processing (Article 18): Restrict certain processing while an issue is resolved (e.g., accuracy dispute, data unlawfully processed).
- Right to data portability (Article 20): Provide personal data to the individual, in a structured, commonly used, machine-readable format, so individuals may reuse their data with a different service provider.
- Right to object (Article 21): In certain circumstances the GDPR gives data subjects the right to object, for example to processing for direct marketing purposes or to processing based on legitimate interests or a task carried out in the public interest. Where the objection concerns direct marketing you must stop that processing immediately and without exception; for other objections you must stop unless you can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the individual, or the processing is needed to establish, exercise or defend legal claims.
- Rights related to automated individual decision-making, including profiling (Article 22): Individuals have the right not to be subject to a decision based solely on automated processing (with no meaningful human involvement), including profiling, where that decision produces legal effects concerning them or similarly significantly affects them.
How EDPO helps
If your company is not established in the EU, a commonly overlooked obligation is the requirement to designate a representative in the EU under Article 27 of the GDPR.
EDPO supports non-EU companies with:
- EU representative services acting as your point of contact for DSRs from individuals located in the EU
- ISO 27001 security for handling sensitive request data and communications
- All-inclusive fees that reduce budgeting surprises when volumes spike
- A multilingual team that can support cross-border communications and documentation needs
- A data breach platform that helps you meet strict deadlines when communicating with the relevant data protection authorities
- A compliance certificate to support due diligence conversations and demonstrate that representative obligations are in place
When you appoint a representative you get a practical “front door” for GDPR requests from individuals and data protection authorities in the EU, and a clear place from which to route each request into the workflow described above.