6 Data Subjects’ Rights

The rights of every man are diminished when the rights of one man are threatened.

— John F. Kennedy

GDPR Recital 1 states: “The protection of natural persons in relation to processing of personal data is a fundamental right.” This statement is the regulation’s anchor and its main objective. With respect to digital rights, GDPR formalizes several preexisting rights and creates new ones for data subjects (or “users”). At the same time, the provisions under Chapter III are not only substantive, laying down rights and liabilities, but also procedural. They create a framework for answering the following questions:

  1. What rights do the data subjects have?
  2. How must they be explained to the users?
  3. How can the rights be enforced?
  4. What must be considered when enforcing them?
  5. Under what circumstances may the Controllers derogate from or refuse to enforce these rights?

With the proliferation of technology, securing these rights is the primary responsibility of the Controller. GDPR responds to recent scandals such as Cambridge Analytica and British Airways, and formalizes existing EU jurisprudence. Regardless, strong compliance avoids fines of up to €20 million or 4% of the business’s annual turnover.1 This chapter seeks to answer these questions and provides a framework for protecting these rights.

6.1 The Controller’s Duty of Transparency

The first aspect of the scheme of rights under Chapter III is the manner of informing ...
