Take Action

Exercise your rights or get more information

You, as the person whom the personal data is about, have certain rights. These data subject rights are absolute rights and may not be compromised by any organisation.

For a start, you have the right to information. The organisation which processes your personal data has the obligation to be transparent about what it does with your personal data and to inform you in a clear manner.

However, you also have rights you can actively claim when you want more information or feel you are being wronged by an organisation. In order to do so, you can always contact the organisation. They are required to respond to you within a month.

On this page, we will describe the different rights you have as a data subject.


The GDPR states that a data subject (the person who is the subject of the personal data) has the right to clear information about what is done with his or her personal data.

In addition to the right to clear information, data subjects have other rights under the GDPR:

An organisation must give substance to these rights of the data subjects. That is why it is required that an organisation has set up processes in order to be able to execute these rights.



Processing shall be lawful only if and to the extent that at least one of these bases applies.


For each process there needs to be a specific lawful basis. A company cannot choose whatever is convenient. There is only one option per processing activity.



A data subject may have the right to inspect whether, and if so, which personal data are processed by an organisation. You, as a data subject, do not have to give a reason for this. You may also ask for a copy of these data.

The following information must be provided by an organisation in connection with the right of access:

  • The purpose of the processing
  • The categories of personal data involved
  • If necessary, with whom the organisation shares the personal data
  • Retention periods and the reasoning as to why this retention period has been chosen
  • Information on the rights of correction, deletion, restriction and objection
  • Information on the right to submit a complaint with the Data Protection Authority
  • The source of the personal data, if you did not give the personal data yourself to the organisation
  • The existence of automated decision making (when the organisation does make use of automated decision making)
  • Transfer of personal data to other countries (when the organisation shares data with other countries). This should include an indication of whether and how this country provides adequate safeguards for the protection of personal data.

This does not only include personal data that the person concerned has consciously and actively shared with the organisation. It also concerns indirect personal data, such as the use of the website by means of cookies. Personal data that the organisation itself has created, for example through data analysis, or that it has received from other organisations fall under this category.


You have the right to ask an organisation to correct or update the personal data it processes about you if these data are incorrect. The GDPR states this must be done 'without delay'.


A person may ask an organisation to delete his or her personal data. This is called the right to be forgotten, or the right to erase data. Someone can do this if:

  • The data are no longer needed for the purposes for which they were processed.
  • The data subject has withdrawn his or her consent and there are no other grounds for processing the data.
  • The data subject has objected to the processing of the data.
  • The data has been unlawfully processed.
  • Removal is required by law.
  • It concerns personal data of children under the age of 16, which are processed within our digital society.

A few exceptions apply to this right. For example, the law does not apply if:

  • The right to freedom of expression is more important.
  • There is a legal obligation for processing.
  • The processing is necessary for a task of general interest or for the exercise of public authority.
  • There are reasons of general interest for public health.
  • The deletion of the data threatens to make archiving for general interest, scientific or historical research or statistical purposes impossible. However, technical and organisational measures must be in place to ensure minimum data processing.


In certain situations, a person may be entitled to have less of that person's data processed.

This applies if:

  • The data subject indicates that the personal data may not be correct. During the period that an organisation investigates whether this is indeed the case, the organisation may not process this data.
  • The processing is unlawful, but the data subject does not want the data to be deleted. For example, in order to be able to request these data at a later date.
  • The organisation no longer needs the personal data for the purpose for which they were collected, but the data subject does need them for a legal claim.
  • The data subject has objected to the processing of the personal data. The organisation may not proceed with the processing of the data as long as the objection process is ongoing.

If one of these points is met, but the data subject still gives his or her consent, then the organisation may continue to process the data. If the restriction is terminated, the organisation must inform the data subject.


A data subject may ask an organisation to transfer any personal information they have about him or her, to the data subject himself or to another organisation. This is provided for in the right to data transferability. It states that this must be provided in a common, structured and machine-readable form. A disordered, handwritten file with a lot of jargon is therefore not enough.

This right only applies if the ground for the processing is 'consent' or 'agreement', and if the processing is carried out by means of automated processes.


Data subjects have the right to object to the processing of their own personal data and to ask an organisation to stop using these data. If personal data are processed under the principles of 'justified interest' or 'general interest', a data subject can always object to this. It must be carefully considered whether the interests of the organisation or the interests of the person concerned are more important in this objection. Please note that the consequence is that the personal data may no longer be processed and must be deleted.

If personal data are used for direct marketing, the person concerned can always object. The organisation must then accept this objection. This applies, for example, if someone receives a specific offer because they have previously looked it up on the internal website.


If an organisation makes an automatic decision when processing personal data, i.e. without human intervention, this is called an 'automated decision' or 'profiling'. A data subject shall have the right not to be subject to it if this produces legal effects or otherwise significantly affects them.

This shall not apply if:

  • Someone has given permission to do so.
  • It is necessary for the execution or conclusion of an agreement.
  • It is permitted by a provision of Union law or of a Member State.

If a person objects to a decision made by automated means, he can ask the organisation to make a new decision requiring a person to assess the data.