GDPR and CCPA Data Subject Rights

What it is

Depending on where you live, you may have rights to access, correct, delete, or transfer your personal data, or to withdraw consent for how it is used, by contacting One Identity.

Why it matters (compliance & governance perspective)

These rights allow you to take control of your personal data, but they are jurisdiction-dependent, meaning users outside the EU and California may have more limited enforceable rights under this policy.

This document changed recently

Consumer impact (what this means for users)

EU/EEA and UK users have comprehensive GDPR-based rights to access, correct, delete, and port their data, and to withdraw consent or object to processing. California residents have similar rights under CCPA/CPRA. Users in other regions should review applicable local law, as the policy conditions these rights on location.

What you can do

Institutional analysis (Compliance & governance intelligence)

1) REGULATORY LANDSCAPE: This provision directly implements GDPR Articles 15-22 (rights of data subjects) for EU/EEA users and UK GDPR equivalents for UK users. For California residents, it corresponds to CCPA/CPRA rights including the right to know, delete, correct, and opt out of sale or sharing. The enforcement authorities are EU DPAs, the UK ICO, the California Privacy Protection Agency, and the California Attorney General. The policy's framing of rights as location-dependent is consistent with applicable law but may understate rights available to users in additional jurisdictions with comprehensive privacy laws. 2) GOVERNANCE EXPOSURE: Medium. One Identity must maintain processes to respond to data subject access requests (DSARs) within statutory timeframes (30 days under GDPR, extendable to 60 days; 45 days under CCPA, extendable). Failure to respond adequately creates direct regulatory enforcement risk. The policy does not specify response timelines or the verification process for identity confirmation, which may create friction for users attempting to exercise rights. 3) JURISDICTION FLAGS: EU/EEA users have the strongest enforceable rights framework. California users have CPRA rights including correction and opt-out of sharing, which are newer and more expansive than original CCPA. Users in Brazil (LGPD), Canada (PIPEDA/Bill C-27), Japan, and other jurisdictions with comprehensive privacy laws may also have enforceable rights not fully enumerated in the policy. Organizations with global user bases should assess whether One Identity's rights framework covers all relevant jurisdictions. 4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise customers using One Identity as a data processor must ensure their DPA obligates One Identity to assist with DSAR responses under GDPR Article 28(3)(e). If One Identity receives a DSAR relating to data controlled by an enterprise customer, the policy's framework may not clearly delineate how such requests are routed, which creates operational risk for both parties. 5) COMPLIANCE CONSIDERATIONS: Legal teams should verify that One Identity has a documented and operational DSAR intake and response process, including identity verification procedures that balance security with accessibility. The response timeline commitments should be reviewed and compared to statutory requirements in all relevant jurisdictions. If One Identity processes data on behalf of enterprise customers as a processor, DPAs should explicitly address DSAR assistance obligations.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Third-Party Data Sharing for Marketing and Analytics medium
• Data Retention Without Fixed Periods medium
• International Data Transfers via Standard Contractual Clauses medium
• Cookie and Tracking Technology Use low
• Data Collection from Third-Party Sources medium
• Marketing Communications and Opt-Out low