Data Subject Rights

All eight data subject rights under the GDPR with timelines and practical guidance

Updated 26 February 2026

The GDPR grants individuals a comprehensive set of rights over their personal data. These rights are not theoretical — organisations must have systems and processes in place to receive, verify, and respond to requests within strict timelines. Failing to handle data subject requests properly is one of the most common sources of complaints to supervisory authorities.

Common Timelines

Before examining each right, it helps to know the standard deadlines:

  • One calendar month from receipt of the request is the standard response period for all rights.
  • A two-month extension is permitted where requests are complex or numerous, but you must inform the data subject within the first month, explaining the reason for the delay.
  • Identity verification should be completed promptly. You may request additional information to confirm the requester's identity, but this must not be used as a tactic to delay or discourage requests.

Requests must be handled free of charge in most cases. A reasonable fee may only be charged where requests are manifestly unfounded or excessive (particularly where repetitive), and you bear the burden of demonstrating this.

The Eight Rights

1. Right of Access (Article 15)

The data subject has the right to obtain confirmation of whether their personal data is being processed and, if so, access to that data along with key supplementary information.

What you must provide:

  • The purposes of processing
  • The categories of personal data concerned
  • The recipients or categories of recipients
  • The envisaged retention period
  • Information about their other rights
  • The source of the data (if not collected directly)
  • Whether automated decision-making is used
  • A copy of the personal data itself

Practical notes: The first copy must be provided free of charge. For further copies, you may charge a reasonable fee based on administrative costs. Where the request is made electronically, provide the data in a commonly used electronic format unless the data subject requests otherwise.

2. Right to Rectification (Article 16)

Data subjects have the right to have inaccurate personal data corrected without undue delay. They also have the right to have incomplete data completed, including by providing a supplementary statement.

Practical notes: This is often straightforward — a customer corrects their address, a patient updates their GP details. You should have a process for verifying the correction and propagating it to any third parties you have shared the data with (Article 19 requires you to notify recipients of rectifications).

3. Right to Erasure (Article 17)

Often called the "right to be forgotten," this right allows data subjects to request the deletion of their personal data. However, it is not absolute. Erasure must be carried out when one of six grounds applies:

  1. The data is no longer necessary for its original purpose.
  2. The data subject withdraws consent (and no other basis applies).
  3. The data subject objects under Article 21 and there are no overriding legitimate grounds.
  4. The data has been unlawfully processed.
  5. Erasure is required by EU or member state law.
  6. The data was collected in relation to offering information society services to a child.

Exceptions: You can refuse erasure where processing is necessary for exercising the right of freedom of expression, compliance with a legal obligation, public health purposes, archiving in the public interest, or the establishment, exercise, or defence of legal claims.

Practical notes: If you have made the data public, you must take reasonable steps to inform other controllers processing that data that erasure has been requested (Article 17(2)). Document your reasoning whenever you decline an erasure request.

4. Right to Restriction of Processing (Article 18)

Data subjects can request that you "freeze" their data — keeping it stored but not actively processing it — in four situations:

  1. They contest the accuracy of the data (restriction applies while you verify).
  2. The processing is unlawful but they prefer restriction over erasure.
  3. You no longer need the data but the data subject needs it for legal claims.
  4. They have objected under Article 21 (restriction applies while you assess whether your grounds override theirs).

Practical notes: Restricted data may only be processed (beyond mere storage) with the data subject's consent, for legal claims, to protect another person's rights, or for important public interest reasons. You must inform the data subject before lifting any restriction.

5. Right to Data Portability (Article 20)

Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller without hindrance.

Important limitations:

  • Only applies to data processed on the basis of consent or contract.
  • Only covers data processed by automated means (not paper files).
  • Only covers data provided by the data subject (not derived or inferred data).
  • Where technically feasible, the data subject can request direct transmission from one controller to another.

Practical example: A user of a fitness app requests their activity data in JSON or CSV format so they can import it into a competing service.

6. Right to Object (Article 21)

Data subjects can object to processing based on legitimate interests (Article 6(1)(f)) or public task (Article 6(1)(e)), including profiling based on those grounds.

When an objection is raised, you must stop processing unless you can demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms, or the processing is necessary for legal claims.

Direct marketing exception: The right to object to processing for direct marketing purposes is absolute. No balancing test applies. When a data subject objects to direct marketing, you must stop immediately and without exception.

Practical notes: You must inform data subjects of this right explicitly at the point of first communication, presented clearly and separately from other information.

7. Rights Related to Automated Decision-Making (Article 22)

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects them.

Examples of decisions caught: Automatic rejection of an online credit application, automated recruitment screening without human review, algorithmic pricing that denies access to services.

Exceptions: Automated decision-making is permitted where it is necessary for a contract, authorised by law, or based on explicit consent. In all cases, you must implement suitable safeguards, including the right to obtain human intervention, express a point of view, and contest the decision.

Practical notes: Where special category data is involved, automated decision-making is only permitted with explicit consent or for substantial public interest, and suitable measures must protect the data subject's rights.

8. Right to Be Informed (Articles 13 and 14)

This is the foundation of transparency. You must provide clear, concise information about your data processing, typically through privacy notices.

When collecting data directly from the individual (Article 13), provide the information at the point of collection. When obtaining data from another source (Article 14), provide the information within a reasonable period and no later than one month.

Key information to provide:

  • Controller identity and contact details
  • DPO contact details (if applicable)
  • Purposes and lawful basis
  • Legitimate interests pursued (if applicable)
  • Recipients or categories of recipients
  • International transfer details and safeguards
  • Retention period or criteria for determining it
  • Data subject rights
  • Right to withdraw consent (if applicable)
  • Right to lodge a complaint with a supervisory authority
  • Whether data provision is a statutory/contractual requirement
  • Information about automated decision-making

Handling Requests in Practice

Building a reliable process for handling data subject requests (DSRs) is essential. Key steps include:

  1. Recognise the request. A DSR does not need to mention the GDPR or use specific legal language. Any clear expression of intent to exercise a right counts, whether sent by email, letter, phone, or in person.
  2. Log and acknowledge. Record the date of receipt immediately — this starts the one-month clock. Send an acknowledgement to the data subject.
  3. Verify identity. Use proportionate measures. Do not request excessive documentation, but do take reasonable steps to ensure you are disclosing data to the right person.
  4. Locate the data. Search all relevant systems, including backups, archives, and processor systems.
  5. Assess and respond. Determine whether any exemptions apply, prepare the response, and deliver it within the deadline.
  6. Document everything. Record what was requested, what you found, what you provided or refused (with reasons), and when you responded.
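The timeline rules above (one calendar month from receipt, a two-month extension only if the data subject is told within the first month) are easy to get wrong at month ends. The following is an added example, not code from the original article, of a minimal DSR register entry that computes the deadline with calendar-month arithmetic and refuses a late extension; the class and field names are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
import calendar


def add_months(d: date, months: int) -> date:
    """Advance a date by whole calendar months, clamping to the last day of
    the target month (31 Jan + 1 month -> 28 Feb, or 29 Feb in a leap year)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class DataSubjectRequest:
    """One entry in a DSR register (hypothetical structure for this example)."""
    reference: str          # internal ticket id, e.g. "DSR-0001" (constructed)
    right: str              # e.g. "access", "erasure", "portability"
    received: date          # date of receipt: this starts the one-month clock
    extended: bool = False
    log: list[str] = field(default_factory=list)

    def standard_deadline(self) -> date:
        return add_months(self.received, 1)

    def extend(self, reason: str, notified_on: date) -> None:
        """Apply the two-month extension. Only for complex or numerous
        requests, and only valid if the data subject is told within the
        first month; a later notice is rejected rather than recorded."""
        if notified_on > self.standard_deadline():
            raise ValueError("extension notice must be sent within the first month")
        self.extended = True
        self.log.append(f"{notified_on}: extended, reason: {reason}")

    def deadline(self) -> date:
        # Extension adds two months to the standard one-month period.
        months = 3 if self.extended else 1
        return add_months(self.received, months)

    def days_remaining(self, today: date) -> int:
        """Negative means the response is overdue."""
        return (self.deadline() - today).days
```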

Summary

Data subject rights are a cornerstone of the GDPR. They place individuals in control of their personal data and impose clear obligations on organisations to respond promptly, transparently, and in good faith. Having a well-documented process and the right tools in place is not merely best practice — it is a legal requirement.
