The House of Data Imperiali bulletins are extracts from the articles of the Legal Information Service (SIG) edited by Mr. Rosario Imperiali d’Afflitto.

The SIG is available by subscription only.

For further information, please email:

Privacy rights and legal bases

The European Data Protection Board (EDPB) has released a GDPR compliance guide for small and medium-sized enterprises. In it, the table of the scope of application of privacy rights in relation to the legal bases of personal data processing is worth highlighting for summary clarity. 

The table, shown below, highlights how from the perspective of this report, privacy rights can be grouped into three different categories: 

  • Exercisable rights in full at all times, whatever the legal basis 
  • Not applicable rights for certain legal bases  
  • Partially applicable rights for certain legal bases. 

This summary covers only the interaction between rights and legal bases, as rights may be subject to additional limitations not closely related to legal bases, which are not considered here.

Source: Based, with some changes, on the table produced by the EDPB

Exercisable rights in full at all times

They can be exercised at all times, without restriction, whatever the legal basis referring to the processing:

  • The right to be informed (artt. 13 e 14, GDPR) 
  • The right of access (art. 15, GDPR) 
  • The right to rectification (art. 16, GDPR) 
  • The right to restriction of the processing (art. 18, GDPR).

This list highlights some important aspects in the exercise of the data subject’s power of control.