If you are in the EU, UK, or Switzerland, you have the right to access, correct, delete, or move your personal data held by Okta, and to object to or restrict how it is used.
This analysis describes what Okta's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
These rights give EU, UK, and Swiss residents meaningful control over their personal data held by Okta in its capacity as controller, including the ability to request deletion of marketing profiles or opt out of data processing based on legitimate interests.
EU, UK, and Swiss residents can exercise GDPR rights directly against Okta Ireland Limited for data collected through okta.com and marketing activities; however, these rights do not extend to data processed by Okta on behalf of enterprise customers, which requires separate engagement with the relevant employer or service provider.
How other platforms handle this
If you are located in the European Economic Area or the United Kingdom, you have certain rights under applicable data protection laws, including the right to access, correct, or delete your personal data, the right to object to or restrict processing, and the right to data portability. You may also ...
We use your information for the following purposes: ... In accordance with applicable legal requirements, for advertising and marketing purposes, including to send you information about products or services that may be of interest to you...
If you are located in the EEA or UK, you may have the following rights under applicable data protection law: the right to access your personal data; the right to rectify inaccurate personal data; the right to erasure of your personal data; the right to restrict processing of your personal data; the ...
Monitoring
Okta has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have certain rights under applicable data protection law with respect to personal information that Okta processes as a data controller, including the right to access, correct, update, or request deletion of your personal information, the right to object to processing, the right to restrict processing, and the right to data portability.— Excerpt from Okta's Okta Privacy Policy
REGULATORY LANDSCAPE: This provision directly implements GDPR Chapter III individual rights (Articles 15-22), UK GDPR equivalents, and Swiss FADP rights. The Irish Data Protection Commission is the lead supervisory authority for Okta Ireland Limited for EU matters; the ICO has jurisdiction for UK matters. Okta's limitation of these rights to its controller role (explicitly excluding processor-role data) is consistent with GDPR's framework but requires clear communication to data subjects about the appropriate contact point for different data types. GOVERNANCE EXPOSURE: Low. The rights enumeration is consistent with GDPR requirements. The primary compliance risk is operational: whether Okta's data subject request process correctly identifies and responds to all controller-role data within the required timeframes, and whether data subjects are adequately directed to the correct controller when their request concerns processor-role data. JURISDICTION FLAGS: EU/EEA and UK users have the most direct and enforceable rights under this provision. The right to data portability (Article 20) applies only where processing is based on consent or contract, not legitimate interests; compliance teams should confirm which processing activities qualify. Swiss users' rights under the revised FADP (effective September 2023) should be confirmed as meeting applicable standards. CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers should confirm that their DPA with Okta includes obligations for Okta to assist the customer in responding to data subject requests concerning processor-role data, as required by GDPR Article 28(3)(e). The policy's direction of data subjects to the relevant customer for processor-role data places an operational obligation on enterprise customers to have a functional DSR process. COMPLIANCE CONSIDERATIONS: Compliance teams should test Okta's data subject request response process, confirm response timeframes meet GDPR's one-month requirement, and ensure their internal processes correctly route employee or customer DSRs that concern Okta-processed data to the appropriate contact. Organizations should also verify that Okta's verification process for identity confirmation does not create disproportionate barriers to rights exercise.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
These rights give EU, UK, and Swiss residents meaningful control over their personal data held by Okta in its capacity as controller, including the ability to request deletion of marketing profiles or opt out of data processing based on legitimate interests.
EU, UK, and Swiss residents can exercise GDPR rights directly against Okta Ireland Limited for data collected through okta.com and marketing activities; however, these rights do not extend to data processed by Okta on behalf of enterprise customers, which requires separate engagement with the relevant employer or service provider.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Okta.