Rights of Data Subjects

Data subject’s rights are laid out in the GDPR, in particular in Art. 15 – 23. These rights are:

  • Of compensation. The controller shall compensate any damage caused by the processing of data in violation of the provisions of the Act on Processing of Personal Data unless it is established that such damage could not have been averted through the diligence and care required in connection with the processing of data.
  • Right to be informed, including about the processing of their personal data, relating to the purposes of the processing, the categories of processed personal data and the recipients or categories of recipients to whom the data are disclosed; if applicable, information relating to the transfers of personal data intended towards a State that is not a member State of the European Union;
  • Right to access to their personal data being processed;
  • Right to rectification of data;
  • Right to erasure (‘Right to be forgotten’);
  • Right to restriction of processing;
  • Right to data portability;
  • Right to object to direct marketing. The data subject may at any time object in relation to the controller to the processing of data relating to him. If a consumer objects, a company may not disclose data relating to that person to a third company for the purposes of marketing or use the data on behalf of a third company for such purposes;
  • Right to not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Please visit: https://gdpr-info.eu/chapter-3/


In Greece, the data controller can refuse the right to access when the data relates to national security; public defence; crime prevention; important economic or financial interests; establishment, exercise, or defence of legal claims; and the protection of the data subject or the rights and freedoms of others. The data controller must inform the data subjects about the restriction, must be able to prove the necessity of the restriction, and must take all the required measures for the protection of data subjects (Art 10 and 11 Greek Law).