This chapter examines the rights of data subjects under GDPR (and UK GDPR) and the role of the state in supervising data controllers. It examines data subject rights including the subject access right and the right to correct and manage personal data. It deals with the development of the so-called right to be forgotten in the Mario Costeja González case and its application in cases such as NT1 & NT2 v Google. It examines the current supervisory regime including the role of the Information Commissioner’s Office and the enforcement rights of data subjects. Key cases, including Durant v The Financial Services Authority, Edem v IC & Financial Services Authority, Dawson-Damer v Taylor Wessing, and Ittihadieh v 5-11 Cheyne Gardens are discussed, and the chapter concludes by examining the enhanced enforcement rights awarded to the Information Commisioner’s Office by the General Data Protection Regulation in 2018.