ODO24 Logo
ODO24 Logo
ODO24 Logo
GDPR questions and answers

GDPR: QUESTIONS AND ANSWERS

Category:
DPO Challenges

In the information obligation, must all rights of the data subject be listed, or only those that actually apply to the individual?

ANSWER

Based on a literal interpretation of Article 13(2)(c) and (e) GDPR, the controller informs the data subject of: the right of access to personal data, the right to rectification, erasure, restriction of processing, to object to processing, and the right to data portability. In addition, the controller should inform the data subject of the possibility of lodging a complaint with a supervisory authority.

None of the cited provisions makes the provision of information about a specific right conditional on the factual basis for exercising it — unlike Article 6(2)(d) GDPR, which expressly states that information about the right to withdraw consent need be provided only where the legal basis for processing is Article 6(1)(a) GDPR.

This means that the controller should inform data subjects of all rights listed in Article 13(2)(c) and (e) GDPR (and, respectively, Article 14(2)(c) and (e) GDPR).

Show all
PreviousNext

Read also:

12 March 2026

Jak wdrożyć UKSC / NIS2 - poradnik dla firm

12 March 2026

Jak wdrożyć KSC / NIS2 - poradnik dla firm

03 February 2026

Ocena skutków dla ochrony danych (DPIA) – praktyczny przewodnik + wzór formularza

Szkolenia

RODO od podstaw (8h) online

Receive a free package of 4 tutorials and 4 e-learning trainings
The controller of your data is ODO 24 sp. z o. o.
Privacy notice: list all data subject rights or only applicable ones? | ODO 24 | ODO 24