data subject rights

Data subject rights are the legal rights individuals have over their personal data, such as access, correction, deletion, and objection.

Data subject rights are the legal rights that an identifiable individual (the data subject) has over their personal data when it is collected, stored, or processed by an organization. These rights are defined in data protection laws such as the EU General Data Protection Regulation (GDPR) and similar regulations in other regions.

Core meaning

Under GDPR and comparable laws, data subject rights commonly include:

  • Right of access: To obtain confirmation that personal data is being processed and to receive a copy of that data, often including information about purposes, categories, recipients, and retention periods.
  • Right to rectification: To have inaccurate or incomplete personal data corrected.
  • Right to erasure (often called the “right to be forgotten”): To request deletion of personal data under specific legal conditions, such as when it is no longer needed for the purpose it was collected.
  • Right to restriction of processing: To limit how personal data is processed while accuracy, necessity, or objections are being assessed.
  • Right to data portability: To receive certain personal data in a structured, commonly used, machine-readable format and to transmit it to another controller where technically feasible.
  • Right to object: To object to specific types of processing, such as direct marketing or certain processing based on legitimate interests.
  • Rights related to automated decision-making and profiling: To request human review and to contest decisions that are made solely by automated means and produce legal or similarly significant effects.

These rights apply to personal data, not to fully anonymized data. In industrial and manufacturing environments, they typically relate to data about employees, contractors, visitors, and sometimes customers, rather than machine or process data.

Operational context in industrial and manufacturing environments

In regulated industrial operations, honoring data subject rights usually requires:

  • Knowing where personal data resides across OT and IT systems such as HR systems, MES, ERP, access control, quality systems, and incident logs.
  • Having documented procedures to receive, authenticate, record, and respond to data subject requests within required timeframes.
  • Ensuring that data retention rules, backups, and audit trails are compatible with rights like access, rectification, and erasure, while still meeting regulatory and quality record-keeping requirements.
  • Coordinating with information security and governance teams so that security controls (for example those following ISO 27001) support, but do not replace, data protection obligations.

Information security standards may help protect personal data, but they do not themselves define or grant data subject rights. Those rights arise from applicable privacy or data protection laws and regulations.

Common confusion

  • Data subject rights vs. information security controls: Data subject rights focus on individuals’ control and transparency over their personal data. Security controls focus on confidentiality, integrity, and availability of information. Both are related but not interchangeable.
  • Data subject rights vs. consumer rights: Data subject rights attach to personal data regardless of whether the individual is a customer, employee, or other party. Consumer rights laws may cover broader topics such as product quality or contract terms.
  • Data subject rights vs. user permissions: Rights are legal entitlements defined by law. Permissions are technical access privileges configured in systems. Implementing permissions correctly can support, but does not define, the legal rights.

Link to the GDPR context

Under GDPR, data subject rights are central obligations for any controller or processor handling personal data of individuals in the EU or EEA. In industrial settings, this includes handling requests from employees whose personal data may appear in training records, access logs, equipment usage logs, or deviations and CAPA records. ISO 27001 and similar frameworks can support secure handling of this data, but do not replace the need to manage and document responses to data subject rights requests.
