Data Subject Rights are the specific legal entitlements granted to identifiable individuals, enabling them to exercise control over their personal data held by a data controller. These rights, codified in regulations like the GDPR and CCPA, include the right to access, rectify, and erase information, as well as the right to restrict or object to processing for specific purposes such as automated decision-making.
Glossary
Data Subject Rights

What is Data Subject Rights?
Data Subject Rights are a set of legal entitlements granted to individuals over their personal data, empowering them to control how organizations collect, use, and store their information.
In the context of enterprise AI governance, fulfilling these rights requires robust technical architectures. Organizations must implement automated workflows to locate and isolate an individual's data across disparate training datasets and production systems. This directly intersects with purpose limitation controls, as a valid objection or erasure request legally compels the cessation of processing and the removal of data from active machine learning pipelines.
Core Data Subject Rights Under GDPR
The General Data Protection Regulation (GDPR) grants individuals a powerful set of legal entitlements over their personal data. These rights are the mechanism through which data subjects can control how their information is collected, processed, and stored, directly impacting the design of AI governance and data engineering pipelines.
Right of Access (Article 15)
The data subject's right to obtain confirmation as to whether their personal data is being processed, and if so, to access that data along with specific metadata. This includes the purposes of processing, categories of data, and recipients.
- Requires a copy of the personal data undergoing processing.
- Must be provided in a concise, transparent, and easily accessible form.
- Enables verification of lawfulness, acting as a gateway to other rights.
Right to Rectification (Article 16)
The right to obtain the correction of inaccurate personal data and to have incomplete data completed. This is critical for maintaining data quality in automated decision-making systems.
- Data subjects can provide a supplementary statement to complete records.
- Controllers must communicate rectification to all recipients unless impossible.
- Directly impacts the accuracy principle and fairness in AI model outputs.
Right to Erasure (Article 17)
Also known as the 'Right to be Forgotten,' this allows data subjects to request deletion of their data without undue delay on specific grounds. This poses a significant technical challenge for machine learning models trained on that data.
- Grounds include: data no longer necessary, consent withdrawal, and unlawful processing.
- Does not apply if processing is necessary for archiving in the public interest or legal defense.
- Requires robust data lineage to locate and delete all instances, including backups.
Right to Restriction of Processing (Article 18)
A temporary halt on processing while the accuracy, lawfulness, or necessity of the processing is contested. Data is marked as restricted, and processing is limited to storage.
- Invoked when the accuracy is contested, processing is unlawful, or the controller no longer needs the data.
- Acts as a 'pause button' rather than permanent deletion.
- Requires systems to flag data as restricted and prevent its use in active AI training pipelines.
Right to Data Portability (Article 20)
The right to receive personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. This promotes interoperability and prevents vendor lock-in.
- Applies only to data provided by the subject and processed by consent or contract.
- Formats like JSON or CSV are expected for technical feasibility.
- Does not apply to inferred data or profiles created by the controller's algorithms.
Right to Object (Article 21)
The right to object, at any time, to processing based on legitimate interests or public tasks, including profiling. Processing must cease unless the controller demonstrates compelling legitimate grounds.
- An absolute right when objecting to direct marketing.
- Requires a clear mechanism to be presented at the point of first communication.
- Forces a re-evaluation of the balancing test between the controller's interests and the individual's rights.
Frequently Asked Questions
Clear, technical answers to the most common questions about the legal entitlements individuals hold over their personal data in AI and machine learning pipelines.
The Right to Erasure, also known as the 'right to be forgotten,' is a legal entitlement allowing individuals to request the deletion of their personal data. In the context of machine learning, this right presents a significant technical challenge because data is not simply stored in a database; it is encoded into the weights and parameters of a trained model. Full compliance may require machine unlearning, a process that surgically removes the influence of a specific data point from a model without the prohibitive cost of full retraining. If exact unlearning is computationally infeasible, organizations must demonstrate that they have deleted the source training data and implemented robust data isolation to prevent future linkage. The technical difficulty of unlearning does not negate the legal obligation, making it a critical area of governance for CTOs and privacy engineers.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Technical Implications for AI and Machine Learning
The technical implementation of data subject rights presents fundamental challenges to machine learning architectures, requiring systems to surgically locate, isolate, and modify or delete individual data points embedded within trained model weights and distributed training pipelines.
Fulfilling the right to erasure in machine learning systems is technically distinct from simple database deletion. Because models memorize patterns from training data, true erasure requires machine unlearning—algorithms that reverse or scrub the influence of specific data points from model weights without full, costly retraining. This process is complicated by stochastic gradient descent, where a single data point's contribution is diffused across millions of parameters, making exact removal an open research problem.
The right to access and right to rectification demand robust data lineage and provenance tracking across the entire AI lifecycle. Systems must maintain immutable, queryable audit trails linking training data to its source, consent status, and all downstream transformations. For rectification, pipelines must support data versioning and model rollback to correct poisoned or inaccurate data, while right to restriction requires policy enforcement points to dynamically block specific data from inference or retraining workflows.
Related Terms
Understanding data subject rights requires familiarity with the technical and legal mechanisms that enable their fulfillment in AI-driven processing environments.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us