Data subjects rights

Data subjects, i.e. the natural persons whose personal data are processed, have certain rights under the Regulation (EU) 2018/1725. In particular, the following rights are provided to the data subjects (under articles 16 to 24 of the Regulation):

  • Right to be informed of any processing of their personal data, including information on the controller (who is in charge of the processing), the purpose and the legal basis, the types of data being processed, data recipients, time limits for the processing, as well as possible transfers of personal data to third counties;
  • Right of access to one’s personal data, including information on the purpose of the processing of the data, the types of data, data recipients, time limits, as well as possible transfers of personal data to third counties;
  • Right to rectify (correct) one’s personal data when inaccurate or incomplete;
  • Right to have data erased (“right to be forgotten”) under certain circumstances (e.g. when the data is no longer necessary for the purpose for which they were collected);
  • Right to restrict the processing of personal data under certain circumstances (e.g. when the accuracy of the data is contested);
  • Right to object to the processing of personal data under certain circumstances;
  • Right not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her.

ENISA respects the data subjects’ rights and provides information, as well as dedicated contact points per data processing activity, specified via the relevant data protection notices. For further information, please visit ENISA’s central register of data processing activities.


 ENISA’s register of data processing activities


In addition, ENISA’s Data Protection Officer may be contacted at any time.

Data subjects may also have resource and lodge complaints at any time to the European Data Protection Supervisor (EDPS), who is responsible for supervising and enforcing the application of Regulation (EU) 2018/1725.

Restriction of data subjects rights

In certain cases, by virtue of article 25 of Regulation (EU) 2018/1725 and of the Internal Rules laid down under ENISA’s Management Board Decision 10/2019, one or several of the data subjects rights may be restricted for a temporary period of time inter alia, on the grounds of prevention, investigation, detection and prosecution of criminal offences or other applicable grounds (as laid down in the Internal Rules). Any such restriction will be limited in time, proportionate and respect the essence of the above-mentioned rights. It will be lifted as soon as the circumstances justifying the restriction are no longer applicable. Data subjects will receive a more specific data protection notice when this period has passed. As a general rule, data subjects will be informed on the principal reasons for a restriction unless this information would cancel the effect of the restriction as such.

For further information, please also see: EDPS guidance on article 25 of Regulation (EU) 2018/1725 or contact ENISA’s Data Protection Officer.