GDPR Data Subject Rights: Complete Guide to All 8 Rights
Learn all 8 GDPR data subject rights, including access, erasure, portability, and objection. Covers legal basis, deadlines, and compliance steps.
GDPR data subject rights are the eight individual rights granted to people whose personal data is processed by organisations subject to the General Data Protection Regulation. These rights, codified in Chapter III of the GDPR (Articles 12 through 23), give individuals control over how their personal data is collected, used, stored, and shared. Understanding these data subject rights under the GDPR is essential for any organisation that processes the personal data of people in the European Economic Area.
This guide covers each of the eight rights in detail, including the legal provisions, response deadlines, exceptions, and practical compliance steps. The content here is educational and should not be treated as legal advice. Consult a qualified data protection attorney for guidance specific to your organisation.
Overview of GDPR Data Subject Rights
The GDPR establishes eight distinct rights that apply to any natural person (referred to as a "data subject") whose personal data is being processed. These rights are not absolute. Each one has specific conditions, limitations, and exceptions defined in the regulation. Article 12 sets out the general framework for how organisations must handle data subject requests, including transparency, communication format, and response deadlines.
The eight GDPR data subject rights are:
- The right to be informed (Articles 13 and 14)
- The right of access (Article 15)
- The right to rectification (Article 16)
- The right to erasure, also known as the right to be forgotten (Article 17)
- The right to restrict processing (Article 18)
- The right to data portability (Article 20)
- The right to object (Article 21)
- Rights related to automated decision-making and profiling (Article 22)
Organisations must facilitate the exercise of these rights free of charge in most circumstances. Under Article 12(3), the response deadline is one calendar month from receipt of the request, extendable by two additional months for complex cases.
Right to Be Informed (Articles 13 and 14)
The right to be informed requires organisations to provide clear, transparent information about how they collect and use personal data. This right is primarily fulfilled through privacy notices and privacy policies rather than through individual requests.
Article 13 applies when personal data is collected directly from the data subject. The organisation must provide the following information at the time of collection:
- The identity and contact details of the data controller
- The contact details of the Data Protection Officer, if one is appointed
- The purposes and legal basis for processing
- The legitimate interests pursued, if applicable
- The recipients or categories of recipients of the data
- Details of any international data transfers and the safeguards in place
- The data retention period or the criteria used to determine it
- The existence of each data subject right
- The right to withdraw consent at any time, where consent is the legal basis
- The right to lodge a complaint with a supervisory authority
Article 14 covers situations where personal data is obtained from a source other than the data subject. The same information must be provided, with the additional requirement to disclose the source of the data. The deadline is within one month of obtaining the data, at the time of first communication with the data subject, or before disclosure to a third party, whichever comes first.
A comprehensive privacy policy is the primary tool for satisfying this right. A privacy policy generator can help you create a document that addresses each of the Article 13 and 14 disclosure requirements.
Right of Access (Article 15)
The right of access, often exercised through a data subject access request (DSAR), allows individuals to obtain confirmation of whether their personal data is being processed and, if so, to receive a copy of that data along with supplementary information.
Under Article 15(1), the data subject is entitled to the following information:
- The purposes of the processing
- The categories of personal data being processed
- The recipients or categories of recipients to whom the data has been or will be disclosed
- The retention period or the criteria used to determine it
- The existence of the rights to rectification, erasure, restriction, and objection
- The right to lodge a complaint with a supervisory authority
- The source of the data, if not collected directly from the data subject
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved
Article 15(3) requires that the organisation provide a copy of the personal data undergoing processing. The first copy must be free of charge. For additional copies, the organisation may charge a reasonable fee based on administrative costs.
Handling Access Requests in Practice
Organisations should establish a documented process for handling DSARs. Key steps include verifying the identity of the requester (to prevent unauthorized disclosure), searching all relevant systems for the data subject's personal data, reviewing the data for third-party information that may need redaction, and compiling the response within the one-month deadline.
The European Data Protection Board (EDPB) has issued Guidelines 01/2022 on data subject rights, clarifying that the right of access is broad and covers all personal data relating to the data subject, including data in emails, logs, CCTV footage, and internal notes.
Right to Rectification (Article 16)
Article 16 gives data subjects the right to have inaccurate personal data corrected without undue delay. The data subject also has the right to have incomplete personal data completed, including by providing a supplementary statement.
This right is straightforward in principle but can be complex in practice. The key considerations are:
- Verification: The organisation must assess whether the data is genuinely inaccurate. Factual errors (wrong date of birth, misspelled name) are clear cases. Subjective assessments or professional opinions may not qualify as "inaccurate" data.
- Third-party notification: Under Article 19, the organisation must inform each recipient to whom the data was disclosed about the rectification, unless doing so is impossible or involves disproportionate effort. The data subject has the right to be informed about those recipients.
- Record-keeping: Maintain a record of the original data, the correction made, the date, and the basis for the rectification. This audit trail is important for demonstrating compliance.
Right to Erasure (Article 17)
The right to erasure, frequently called the "right to be forgotten," is one of the most well-known GDPR data subject rights. Article 17 requires organisations to delete personal data without undue delay in specific circumstances:
- The data is no longer necessary for the purpose it was originally collected
- The data subject withdraws consent and there is no other legal basis for processing
- The data subject objects to processing under Article 21 and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required to comply with an EU or member state legal obligation
- The data was collected in relation to the offer of information society services to a child under Article 8(1)
Exceptions to the Right to Erasure
The right to erasure is not absolute. Article 17(3) lists several exceptions where the organisation may refuse the request:
- Exercising the right to freedom of expression and information
- Compliance with a legal obligation under EU or member state law
- Public health purposes under Article 9(2)(h) and (i)
- Archiving in the public interest, scientific or historical research, or statistical purposes under Article 89(1)
- The establishment, exercise, or defence of legal claims
When personal data has been made public, Article 17(2) requires the controller to take reasonable steps to inform other controllers processing the data that the data subject has requested erasure of any links to, copies of, or replications of the data.
Right to Restrict Processing (Article 18)
Under Article 18, a data subject can request that the organisation limit the processing of their personal data in four situations:
- The data subject contests the accuracy of the data, for the period needed to verify accuracy
- The processing is unlawful, but the data subject opposes erasure and requests restriction instead
- The controller no longer needs the data, but the data subject needs it for legal claims
- The data subject has objected to processing under Article 21, pending verification of whether the controller's legitimate grounds override the data subject's objection
When processing is restricted, the organisation may store the data but must not process it further without the data subject's consent, except for the establishment, exercise, or defence of legal claims, for the protection of the rights of another person, or for reasons of important public interest. The data subject must be informed before the restriction is lifted.
Right to Data Portability (Article 20)
The right to data portability allows data subjects to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. This right applies only when two conditions are met:
- The processing is based on consent (Article 6(1)(a) or Article 9(2)(a)) or on a contract (Article 6(1)(b))
- The processing is carried out by automated means
Article 20(2) gives the data subject the right to have the data transmitted directly from one controller to another, where technically feasible. The data covered by portability is limited to data provided by the data subject, which the EDPB interprets broadly to include both actively provided data (form submissions) and observed data (usage history, location data).
Data portability does not apply to processing based on legitimate interests, public interest, or legal obligation. It also does not require controllers to adopt or maintain technically compatible processing systems.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowPractical Implementation
Common machine-readable formats include JSON, XML, and CSV. Organisations should build export functionality that generates user data packages on request. The export should include only data relating to the requesting data subject, with third-party data excluded or anonymised.
Right to Object and Automated Decision-Making (Articles 21 and 22)
Right to Object (Article 21)
The right to object allows data subjects to object to the processing of their personal data in specific circumstances. There are three distinct categories:
Objection to processing based on legitimate interests or public interest (Article 21(1)): The data subject can object at any time. The organisation must stop processing unless it demonstrates "compelling legitimate grounds" that override the data subject's interests, or the processing is for establishing, exercising, or defending legal claims.
Objection to direct marketing (Article 21(2) and (3)): This is an absolute right with no exceptions. When a data subject objects to processing for direct marketing purposes, including profiling related to direct marketing, the organisation must stop processing immediately. No balancing test is required.
Objection to processing for research or statistical purposes (Article 21(6)): The data subject can object unless the processing is necessary for a task carried out for reasons of public interest.
Automated Decision-Making and Profiling (Article 22)
Article 22 gives data subjects the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects. This right is particularly relevant for automated credit scoring, algorithmic hiring decisions, and automated insurance risk assessments.
Exceptions exist where the automated decision is necessary for a contract, authorised by EU or member state law, or based on explicit consent. In the consent and contract exceptions, the organisation must implement suitable safeguards, including the right to obtain human intervention, express a point of view, and contest the decision.
How to Comply with GDPR Data Subject Rights
Building compliance into your operations requires both organisational measures and technical infrastructure. Here is a practical framework for handling data subject requests.
Organisational Steps
- Designate a responsible team or individual to receive and process requests. This may be your Data Protection Officer if one is required under Article 37.
- Create a request intake process with a standard form or email address. Accept requests through any channel, as the GDPR does not restrict submission methods.
- Establish identity verification procedures to confirm the requester is the data subject or an authorised representative.
- Build a response workflow with internal deadlines that allow time to meet the one-month external deadline, including review, redaction, and approval.
- Maintain a request log documenting each request, the type of right exercised, the actions taken, and the outcome.
Technical Infrastructure
Your systems need to support the practical exercise of these rights. Key capabilities include:
- Data discovery: Search across all systems (databases, email, backups, third-party services) for a specific data subject's personal data
- Data export: Generate data packages in portable formats (JSON, CSV) for access and portability requests
- Data deletion: Delete personal data from active systems, backups, and third-party processors, with verification of completion
- Processing restriction: Flag records as restricted, preventing further processing while retaining the data
- Consent management: Record, manage, and withdraw consent with timestamps and audit trails
For websites, a compliance scanner can identify what personal data your site collects through cookies, trackers, and third-party scripts. TermsBox provides an automated website scanner that maps data collection practices, which helps you respond accurately to data subject access requests by knowing exactly what data you hold.
Privacy Policy Requirements
Your privacy policy must clearly describe each of the eight data subject rights under the GDPR and explain how individuals can exercise them. Article 13(2)(b) and Article 14(2)(c) specifically require this information to be included in the privacy notice. A privacy policy generator can create a document that covers all required disclosures, including the full list of data subject rights and your contact details for submitting requests.
Penalties for Violating GDPR Data Subject Rights
Violations of data subject rights fall under the higher penalty tier in Article 83(5), which allows supervisory authorities to impose administrative fines of up to 20 million EUR or 4% of the organisation's total worldwide annual turnover, whichever is greater.
Notable enforcement examples include:
- Google LLC (2019): The French supervisory authority (CNIL) imposed a 50 million EUR fine for lack of transparency and inadequate information provided to data subjects under Articles 13 and 14
- H&M (2020): The Hamburg Commissioner for Data Protection fined H&M 35.3 million EUR for excessive monitoring of employees, violating their rights under the GDPR
- Meta Platforms Ireland (2023): The Irish Data Protection Commission fined Meta 1.2 billion EUR for unlawful international data transfers, which directly affected data subjects' rights regarding how their data was processed
Beyond administrative fines, data subjects have several legal remedies. Article 77 gives them the right to lodge a complaint with any supervisory authority. Article 79 provides the right to an effective judicial remedy against a controller or processor. Article 82 establishes the right to compensation for both material and non-material damage resulting from GDPR violations.
Frequently Asked Questions
How many data subject rights does the GDPR provide?
The GDPR provides eight individual rights to data subjects: the right to be informed (Articles 13 and 14), the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restrict processing (Article 18), the right to data portability (Article 20), the right to object (Article 21), and rights related to automated decision-making and profiling (Article 22). Each right has specific conditions and exceptions defined in the regulation.
How long does an organisation have to respond to a data subject request under the GDPR?
Under Article 12(3) of the GDPR, organisations must respond to a data subject request without undue delay and within one calendar month of receiving the request. This deadline can be extended by two additional months for complex or numerous requests, but the organisation must inform the data subject of the extension and the reasons for the delay within the initial one-month period. If the organisation refuses a request, it must inform the data subject of the refusal, the reasons, and the right to lodge a complaint with a supervisory authority.
Can an organisation charge a fee for responding to a data subject access request?
In most cases, no. Article 12(5) of the GDPR states that information and actions taken under Articles 15 to 22 must be provided free of charge. However, organisations may charge a reasonable fee based on administrative costs when requests are manifestly unfounded or excessive, particularly if they are repetitive. The organisation may also refuse to act on such requests entirely, but bears the burden of demonstrating that the request is manifestly unfounded or excessive.
What happens if a company violates GDPR data subject rights?
Violations of data subject rights under the GDPR fall under the higher penalty tier defined in Article 83(5). Supervisory authorities can impose fines of up to 20 million EUR or 4% of the organisation's total worldwide annual turnover from the preceding financial year, whichever is greater. Beyond fines, data subjects have the right to lodge complaints with supervisory authorities under Article 77 and the right to an effective judicial remedy under Article 79. They may also claim compensation for material and non-material damages under Article 82.