
Data Subject Rights under Privacy Law

This chapter covers data subject rights under privacy law, a critical topic for SY0-701 Domain 5.0 Security Program Management (Objective 5.5). You will learn the specific rights granted to individuals under frameworks like GDPR and CCPA, how organizations must implement processes to honor these rights, and the legal and technical implications of non-compliance. Understanding these rights is essential for security professionals tasked with designing privacy-compliant systems and responding to data subject access requests (DSARs).

Updated May 31, 2026

Library Patron Rights as Data Subject Rights

Imagine a public library where each patron has a library card that tracks every book borrowed, every search made, and every event attended. The library's privacy policy functions as a data processing agreement. A patron's right to access is like asking for a printout of all their borrowing history and search logs. The right to rectification is correcting a misspelled name or a wrongly attributed late fee. The right to erasure ("right to be forgotten") is like asking the library to shred all records of a patron's past activity, provided no outstanding fines or legal holds exist. The right to restrict processing is temporarily freezing a patron's account while a disputed charge is investigated—no new checkouts, but records are preserved. The right to data portability is requesting a digital file of one's borrowing history in a common format (CSV) to give to another library. The right to object is refusing to have one's reading habits used for marketing new books. The library's automated decision-making, like a system that suggests books based on past checkouts, must be explained and can be challenged. If the library fails to honor these rights, the patron can complain to the library board (supervisory authority). This analogy mirrors GDPR and similar privacy laws: the library is the data controller, the patron is the data subject, and the library's systems are the data processors. Each right has specific procedures, timelines, and exceptions, just as under privacy law.

How It Actually Works

What Are Data Subject Rights?

Data subject rights are legal entitlements that give individuals control over their personal data processed by organizations. These rights are codified in privacy regulations such as the European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Brazil's Lei Geral de Proteção de Dados (LGPD), and others. For SY0-701, you must know the core rights under GDPR (Articles 12-23) and understand how they map to concepts in other frameworks. The rights include: right to be informed, right of access, right to rectification, right to erasure (right to be forgotten), right to restrict processing, right to data portability, right to object, and rights related to automated decision-making and profiling.

How Do Data Subject Rights Work Mechanically?

When an individual (data subject) submits a request to exercise a right, the organization (data controller) must respond within a statutory timeframe—typically one month under GDPR, extendable by two months for complex requests. The process involves:

1. Identity Verification: The controller must verify the data subject's identity using reasonable means (e.g., two-factor authentication, knowledge-based questions). Overly burdensome verification is prohibited.

2. Request Logging: The request is logged with a timestamp, type of right, and status. Automated systems (e.g., DSAR portals) are common.

3. Data Location and Retrieval: The controller must search all systems where personal data resides—databases, backups, email archives, cloud services, etc. This often requires data mapping and discovery tools.

4. Evaluation of Exceptions: Certain rights have exceptions (e.g., legal obligation, public interest, freedom of expression). The controller determines if an exception applies.

5. Response: If valid, the controller provides the requested action (e.g., copy of data, deletion, correction) in a commonly used electronic format (e.g., CSV, PDF). If denied, the controller must explain the reason and inform the data subject of their right to complain to a supervisory authority.

6. Documentation: All steps must be documented for audit and regulatory compliance.

Key Components and Variants

Right to be Informed: Data subjects must be provided with privacy notices that explain what data is collected, why, how long it's retained, and with whom it's shared. This is typically done at the point of data collection.

Right of Access (DSAR): Individuals can request confirmation of whether their data is being processed and access to that data. Controllers must provide a copy free of charge (unless requests are manifestly unfounded or excessive).

Right to Rectification: Inaccurate or incomplete data must be corrected without undue delay.

Right to Erasure (Right to be Forgotten): Data subjects can request deletion of their data when it is no longer necessary for the original purpose, consent is withdrawn, or processing is unlawful. Exceptions include legal obligations, public health, archiving, and defense of legal claims.

Right to Restrict Processing: Instead of deletion, the data subject can request that processing be limited (e.g., while a dispute is resolved). Data can still be stored but not processed.

Right to Data Portability: Individuals can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller. This applies only to data processed by automated means based on consent or contract.

Right to Object: Data subjects can object to processing based on legitimate interests, direct marketing, or profiling. Controllers must stop processing unless they demonstrate compelling legitimate grounds.

Rights Related to Automated Decision-Making: Individuals have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects or similarly significant effects. Exceptions include necessity for contract, authorized by law, or explicit consent.

How Organizations Implement These Rights

Organizations must establish a privacy program that includes:

- Data Mapping: Documenting what personal data is collected, where it is stored, how it flows, and who has access.

- DSAR Procedures: Standard operating procedures for receiving, verifying, and responding to requests. This includes training staff, implementing ticketing systems, and using automated DSAR tools.

- Data Retention Policies: Defining retention periods and secure disposal methods. The right to erasure requires knowing what data exists and where.

- Privacy Notices: Clear, concise notices that inform data subjects of their rights and how to exercise them.

- Data Protection Impact Assessments (DPIAs): Required for high-risk processing activities (e.g., profiling, large-scale sensitive data).

- Breach Notification: Obligation to notify supervisory authorities and affected data subjects within 72 hours for GDPR.

Attackers Exploit Weaknesses in DSAR Processes

Attackers may file fraudulent DSARs to obtain personal data of others (social engineering). For example, an attacker impersonates a victim and requests access to the victim's data. If identity verification is weak, the attacker receives sensitive information. Defenders must implement strong verification (e.g., out-of-band confirmation, knowledge-based authentication, or government ID verification). Another attack vector is submitting excessive requests to overwhelm the organization (DSAR flooding) as a denial-of-service tactic, potentially masking other malicious activity. Rate limiting and automated filtering can mitigate this.

Real Command/Tool Examples

Data Discovery Tools: Spirion, Microsoft Purview Information Protection, and Varonis can scan file shares and databases to locate personal data.

DSAR Management Platforms: OneTrust, TrustArc, Securiti automate request intake, identity verification, and response generation.

Logging and Monitoring: Splunk or ELK Stack can track DSAR-related activities. Example search in Splunk:

index=main sourcetype=dsar_request status=completed | stats count by request_type

API for Portability: Controllers may expose an API to allow data subjects to download their data in JSON format. Example endpoint:

GET /api/v1/data-subject/export
Authorization: Bearer <token>

Standards and Frameworks

ISO/IEC 27701: Extension to ISO 27001 for privacy information management.

NIST Privacy Framework: Core functions Identify-Govern-Control-Communicate-Protect.

APEC Privacy Framework: Cross-border privacy rules (CBPR) for Asia-Pacific.

Common Exam Scenarios

SY0-701 tests your ability to apply these rights in a scenario. For instance:

A customer requests deletion of their account data after terminating a service. The company must evaluate if any legal retention obligations exist (e.g., tax records). If yes, they can deny erasure but must restrict processing.

An employee wants a copy of all HR data. The HR department must provide it within one month, in a portable format, and cannot charge a fee unless the request is excessive.

A marketing company uses profiling to send targeted ads. A user objects to this processing. The company must stop using the user's data for profiling unless they can demonstrate compelling legitimate grounds.

Key Terms for the Exam

Data Controller: Entity that determines the purposes and means of processing.

Data Processor: Entity that processes data on behalf of the controller.

Supervisory Authority: Independent public authority that monitors GDPR compliance (e.g., the ICO in the UK, the CNIL in France).

DSAR: Data Subject Access Request.

Legitimate Interest: A lawful basis for processing that can be overridden by the data subject's rights.

Consent: Freely given, specific, informed, and unambiguous indication of agreement.

Profiling: Any form of automated processing to evaluate personal aspects.

Enforcement and Penalties

Non-compliance can result in fines up to €20 million or 4% of global annual turnover (whichever is higher) under GDPR. CCPA fines are up to $7,500 per intentional violation. Security professionals must ensure technical controls (e.g., data classification, access controls, encryption) support privacy rights.

Walk-Through

1. Receive and Log the Request

The organization receives a data subject request via email, web form, or phone. The request is logged in a DSAR tracking system with a unique ID, timestamp, and type of right (e.g., access, erasure). The system automatically sends an acknowledgment to the data subject within 48 hours. This step is critical for audit trails. Common mistake: failing to log the request immediately, leading to missed deadlines. Tools like OneTrust can automate this step.

2. Verify Data Subject Identity

The organization must verify that the requester is who they claim to be. This may involve asking for additional information (e.g., account number, date of birth) or using two-factor authentication. Under GDPR, the controller cannot request excessive information. If identity cannot be verified, the request can be refused. Attackers may attempt to impersonate others; robust verification prevents data breaches. Example: requiring a government-issued ID uploaded via a secure portal.

3. Locate and Retrieve Personal Data

The organization searches all systems where the data subject's personal data may reside. This includes databases, file shares, email archives, cloud storage, and backups. Data mapping and discovery tools (e.g., Spirion, Microsoft Purview) are used to identify data locations. The search must be comprehensive; missing a system leads to an incomplete response. For erasure requests, data in backups may need to be purged or overwritten during the next backup cycle.

4. Evaluate Exceptions and Legality

The organization determines if any exceptions apply. For example, a right to erasure can be denied if processing is necessary for compliance with a legal obligation (e.g., tax retention) or for the establishment of legal claims. Similarly, a right to object can be overridden if the controller demonstrates compelling legitimate grounds. The evaluation must be documented. Common trap: assuming all requests must be honored; many have exceptions.

5. Fulfill or Deny the Request

If the request is valid and no exceptions apply, the organization fulfills it within the statutory timeframe (typically one month). For access requests, this means providing a copy of the data in a commonly used electronic format (e.g., PDF, CSV). For erasure, data is deleted from all systems, including backups where feasible. If denied, the organization sends a written explanation, informs the data subject of the right to complain to a supervisory authority, and provides contact details. All actions are recorded.
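The request-handling flow described under "How Do Data Subject Rights Work Mechanically?" and in the five walk-through steps above (verify identity, compute the one-month deadline and any two-month extension, check exceptions, then fulfil or deny with an explanation and a pointer to the supervisory authority) as an added Python example; this is not code from the original page or from any DSAR product it names. The `DsarRequest` flags, the outcome strings, and the end-of-month clamping in `add_months` are assumptions made for illustration, and the extension is modelled as three calendar months from receipt.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

class Right(Enum):
    ACCESS = "access"
    RECTIFICATION = "rectification"
    ERASURE = "erasure"
    RESTRICTION = "restrict_processing"
    PORTABILITY = "portability"
    OBJECTION = "object"

@dataclass
class DsarRequest:
    """One logged request; the flags are assumed inputs a case handler would record."""
    request_id: str
    right: Right
    received: date
    identity_verified: bool = False      # fail closed: nothing is released until verified
    lawful_basis: str = "consent"        # consent, contract, legal_obligation, ...
    automated_processing: bool = True    # portability covers automated processing only
    legal_hold: bool = False             # legal obligation or defence of legal claims
    direct_marketing: bool = False       # objection to direct marketing is absolute
    compelling_grounds: bool = False     # controller can show overriding legitimate grounds
    manifestly_excessive: bool = False   # repetitive or unfounded request
    complex_request: bool = False        # justifies the two-month extension

@dataclass
class Decision:
    outcome: str
    explanation: str
    respond_by: date
    extension_notice_by: Optional[date] = None
    fee_allowed: bool = False

COMPLAINT = " The data subject may lodge a complaint with the supervisory authority."

def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month (assumption)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))

def make_request(request_id: str, right: str, received_iso: str, **flags) -> DsarRequest:
    """Convenience constructor: right by name, receipt date as an ISO string."""
    return DsarRequest(request_id, Right(right), date.fromisoformat(received_iso), **flags)

def decide(req: DsarRequest) -> Decision:
    """Identify the right, check exceptions, then fulfil or deny with an explanation."""
    respond_by = add_months(req.received, 1)          # default: one month from receipt
    notice_by = None
    if req.complex_request:
        notice_by = respond_by                         # extension must be notified within month one
        respond_by = add_months(req.received, 3)       # one month plus a two-month extension

    if not req.identity_verified:
        return Decision("await_verification", "Identity not verified; no data released yet.",
                        respond_by, notice_by)
    if req.manifestly_excessive:
        return Decision("refuse_or_charge_fee", "Request is manifestly unfounded or excessive; "
                        "a reasonable fee may be charged or the request refused." + COMPLAINT,
                        respond_by, notice_by, fee_allowed=True)
    if req.right is Right.ERASURE and req.legal_hold:
        return Decision("deny_erasure_restrict_processing", "Data must be retained for a legal "
                        "obligation or legal claim; processing is restricted instead." + COMPLAINT,
                        respond_by, notice_by)
    if req.right is Right.PORTABILITY and (req.lawful_basis not in ("consent", "contract")
                                           or not req.automated_processing):
        return Decision("deny", "Portability covers only automated processing based on consent "
                        "or contract." + COMPLAINT, respond_by, notice_by)
    if req.right is Right.OBJECTION and req.compelling_grounds and not req.direct_marketing:
        return Decision("deny", "Controller has demonstrated compelling legitimate grounds." + COMPLAINT,
                        respond_by, notice_by)
    return Decision("fulfil", f"Fulfil the {req.right.value} request in a commonly used "
                    "electronic format.", respond_by, notice_by)
```

Calling `decide(make_request("R-1", "erasure", "2024-01-31", identity_verified=True, legal_hold=True))` yields the deny-and-restrict outcome with a 29 February deadline, the case the walk-through and the "Common Wrong Answers" section both warn about.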

What This Looks Like on the Job

Scenario 1: DSAR for Customer Data at a Retail Company

A customer submits a DSAR via email requesting all personal data the company holds. The security analyst reviews the request and logs it in a ticketing system (e.g., ServiceNow). The analyst verifies identity by asking for the customer's account number and last transaction date. Using a data discovery tool (e.g., Varonis), the analyst finds customer data in the CRM (Salesforce), order database (MySQL), and email archives (Office 365). The analyst extracts the data and compiles it into a PDF. The response is sent within 20 days. Common mistake: forgetting to include data from email archives, which often contain customer service correspondence. Correct response: ensure all data sources are mapped and included. Tools: Microsoft Purview eDiscovery for Exchange Online.

Scenario 2: Erasure Request During a Data Breach

A user requests deletion of their account after a data breach exposed their personal data. The security team must act quickly. They verify the user's identity using multi-factor authentication. The team locates the user's data in the production database and deletes the record. However, the data also exists in daily backups that are retained for 30 days. The team must ensure that the next backup cycle overwrites the data or that the backup is deleted if feasible. They also check for any legal holds (e.g., pending litigation) that would prevent deletion. If a legal hold exists, they restrict processing instead. Common mistake: failing to check for legal holds, leading to spoliation of evidence. Correct response: coordinate with legal counsel before deletion.

Scenario 3: Objection to Profiling at a Marketing Firm

A user objects to their data being used for behavioral advertising. The marketing firm uses a Customer Data Platform (CDP) to create profiles. The security analyst must suppress the user's data from all profiling activities. This involves updating the consent management platform (CMP) to mark the user as opted out and configuring the CDP to exclude that user from audience segments. The analyst also ensures that the user's data is not used for model training. Common mistake: only removing the user from active campaigns but not from model training datasets, which still use the data. Correct response: implement a data pipeline that filters out objected users at ingestion.

How SY0-701 Actually Tests This

Exactly What SY0-701 Tests

SY0-701 Objective 5.5 focuses on 'Explain privacy and data subject rights concepts.' The exam expects you to:

Identify the core data subject rights under GDPR (right to be informed, access, rectification, erasure, restrict processing, data portability, object, and automated decision-making).

Understand the role of the data controller and data processor.

Recognize the legal bases for processing (consent, contract, legal obligation, vital interests, public task, legitimate interests).

Apply these rights in scenario-based questions (e.g., which right applies when a customer wants to correct an error? Answer: rectification).

Know the difference between GDPR and other frameworks like CCPA (e.g., CCPA does not have a right to data portability in the same form, but it has a right to know and right to delete).

Common Wrong Answers and Why

1. Confusing right to erasure with right to restrict processing: Candidates choose erasure when the scenario involves a legal hold. Reality: if data is needed for legal compliance, the correct response is to restrict processing, not delete.

2. Assuming DSARs must always be free: GDPR allows charging a reasonable fee if requests are manifestly unfounded or excessive. Candidates often choose 'always free' incorrectly.

3. Mixing up data controller and processor: In a scenario where a third party handles data, candidates may incorrectly label the processor as the controller. Remember: the controller decides the 'why and how'; the processor acts on instructions.

4. Forgetting the one-month timeline: Candidates may think the response time is 72 hours (breach notification) or 30 days. The correct answer is 'without undue delay and at the latest within one month' for GDPR DSARs.

Specific Terms and Acronyms

DSAR: Data Subject Access Request.

GDPR: General Data Protection Regulation.

CCPA: California Consumer Privacy Act (now CPRA).

LGPD: Brazilian data protection law.

DPIA: Data Protection Impact Assessment.

RoPA: Record of Processing Activities.

Supervisory Authority: e.g., ICO, CNIL.

Common Trick Questions

Question: 'A user requests that their data be deleted. The company has a legal obligation to retain the data for 5 years. What should the company do?' Trick: candidates choose 'delete the data anyway' or 'refuse the request without explanation.' Correct: deny erasure but inform the user of the legal obligation and the right to complain.

Question: 'Which right allows a user to receive their data in CSV format to transfer to another service?' Trick: candidates pick 'right of access.' Correct: right to data portability (which explicitly includes the right to receive data in a structured, commonly used, machine-readable format).

Decision Rule for Eliminating Wrong Answers

On scenario questions, first identify the specific right being exercised (access, erasure, portability, etc.). Then check for exceptions (legal obligation, public interest, etc.). If an exception applies, the answer should reflect denial with explanation. If no exception, the answer should reflect fulfillment within one month. Eliminate any answer that suggests immediate deletion without exception checks, or that charges a fee for a first-time request.

Key Takeaways

Data subject rights under GDPR include: right to be informed, access, rectification, erasure, restrict processing, data portability, object, and automated decision-making rights.

DSARs must be responded to within one month (GDPR) or 45 days (CCPA), with possible extensions for complex requests.

Identity verification is required before fulfilling a DSAR; excessive verification is prohibited.

Right to erasure is not absolute; exceptions include legal obligations and defense of legal claims.

Data portability applies only to data processed by automated means based on consent or contract.

Data controller determines the purposes and means of processing; data processor acts on behalf of the controller.

Non-compliance can result in fines up to €20 million or 4% of global annual turnover (GDPR) or $7,500 per violation (CCPA).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Right to Erasure (GDPR)

Applies to all personal data processed under GDPR.

Exceptions include legal obligation, public interest, and defense of legal claims.

No explicit exception for 'business purpose' (CCPA term).

Controller must inform other controllers that the data subject has requested erasure of any links to or copies of the data.

Response time: without undue delay, at latest one month.

Right to Delete (CCPA)

Applies to personal information of California residents.

Exceptions include completing a transaction, detecting security incidents, and complying with legal obligations.

Business can deny deletion if the information is necessary for a business purpose (e.g., completing a purchase).

Business must also direct service providers to delete the data.

Response time: 45 days (extendable by another 45 days with notice).

Watch Out for These

Mistake

Data subject rights only apply to EU citizens under GDPR.

Correct

GDPR applies to any organization processing personal data of individuals in the EU, regardless of the organization's location. Additionally, many other laws (CCPA, LGPD, etc.) grant similar rights to residents of their jurisdictions.

Mistake

The right to erasure (right to be forgotten) is absolute and must always be honored.

Correct

There are numerous exceptions, including compliance with legal obligations, public health, archiving, and defense of legal claims. Controllers can deny erasure if an exception applies.

Mistake

Data portability and right of access are the same thing.

Correct

Right of access allows the data subject to obtain a copy of their data; data portability additionally requires that the data be provided in a structured, commonly used, machine-readable format and that the data subject can transmit it to another controller. Portability is narrower—it only applies to data processed by automated means based on consent or contract.

Mistake

Organizations must respond to all DSARs within 72 hours.

Correct

The 72-hour timeframe applies to breach notification to the supervisory authority, not DSARs. DSARs must be responded to 'without undue delay and at the latest within one month' (GDPR).

Mistake

Data processors are responsible for responding to DSARs.

Correct

The data controller is ultimately responsible for responding to DSARs. The processor must assist the controller by providing the necessary data and tools, but the controller retains accountability.

Frequently Asked Questions

What is a Data Subject Access Request (DSAR)?

A DSAR is a request from an individual (data subject) to a data controller asking for confirmation of whether their personal data is being processed, and if so, to access that data. Under GDPR, the controller must provide a copy of the data in a commonly used electronic format, free of charge, within one month. The request can be made verbally or in writing. The controller must verify the identity of the requester before fulfilling the request. DSARs are a key right under privacy laws and a common exam topic.

Can an organization charge a fee for a DSAR?

Generally, no. Under GDPR, the controller must provide the information free of charge. However, if a request is manifestly unfounded or excessive (e.g., repetitive), the controller may charge a reasonable fee based on administrative costs or refuse to act on the request. The controller bears the burden of demonstrating that the request is unfounded or excessive. CCPA allows a fee for excessive requests as well. Exam tip: always look for 'manifestly unfounded or excessive' as the condition for charging.

What is the difference between a data controller and a data processor?

A data controller determines the purposes and means of processing personal data. For example, a company that collects customer data for marketing decides why and how to process it. A data processor processes data on behalf of the controller, following the controller's instructions. For example, a cloud service provider that stores the data is a processor. Under GDPR, both have obligations, but the controller is primarily responsible for compliance and responding to data subject rights. Exam tip: identify the entity that makes decisions about data use—that's the controller.

What is the right to object and when does it apply?

The right to object allows a data subject to object to processing of their personal data based on legitimate interests or the performance of a task in the public interest, including profiling. The controller must stop processing unless they demonstrate compelling legitimate grounds that override the data subject's interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims. The right to object also applies to direct marketing; in that case, the controller must stop processing for marketing immediately. Exam tip: direct marketing objections are absolute; other objections require balancing.

How long does an organization have to respond to a DSAR under GDPR?

The organization must respond without undue delay and at the latest within one month of receiving the request. This period can be extended by two months for complex or multiple requests, but the controller must inform the data subject of the extension within the first month. The response can be delayed if the controller needs time to verify identity. Exam tip: remember 'one month' as the default; extensions require justification and notification.

What is the right to data portability?

The right to data portability allows data subjects to receive their personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and to transmit that data to another controller without hindrance. This right applies only to data processed by automated means based on consent or contract. It does not apply to data processed for legal obligations or public interest. Exam tip: portability is about moving data between services, not just accessing it.

What are the exceptions to the right to erasure?

The right to erasure (right to be forgotten) is not absolute. Exceptions include: exercising the right of freedom of expression and information; compliance with a legal obligation; performance of a task in the public interest; archiving purposes in the public interest, scientific or historical research, or statistical purposes; and establishment, exercise, or defense of legal claims. If an exception applies, the controller can deny the erasure request but must inform the data subject of the reason and their right to complain to a supervisory authority.
