GDPR Individual Rights: A Complete Guide for Businesses
Learn about GDPR individual rights, what each right requires, and how your business must respond. Practical compliance steps included.
GDPR individual rights give every person in the European Economic Area control over how organizations collect, store, and use their personal data. Understanding these rights is not optional for any business that processes personal data of EU or EEA residents.
This guide is educational content and does not constitute legal advice. For questions about your specific obligations, consult a qualified data protection attorney. What follows is a practical breakdown of each right, the obligations it creates, and the steps your business should take to comply.
What Are GDPR Individual Rights?
GDPR individual rights are a set of eight legal entitlements established by the General Data Protection Regulation (EU) 2016/679. They empower data subjects, meaning any identified or identifiable natural person, to exercise meaningful control over their personal data.
These rights are codified across Articles 12 through 22 of the GDPR. They apply whenever an organization acts as a data controller or data processor and handles personal data of individuals within the EEA. The rights also extend to UK residents under the UK GDPR.
The eight individual rights under GDPR are:
- Right to be informed (Articles 13 and 14)
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restrict processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Rights related to automated decision-making and profiling (Article 22)
Each right carries specific conditions, exceptions, and timelines. The sections below cover each in detail.
Right to Be Informed
The right to be informed under Articles 13 and 14 of the GDPR requires you to tell individuals what data you collect, why you collect it, and what you do with it. This obligation applies at the point of data collection or, if data is obtained indirectly, within a reasonable period (no later than one month).
Your privacy notice must include:
- Your identity and contact details as the data controller
- The purposes and legal basis for each type of processing
- Categories of personal data collected
- Any recipients or categories of recipients who will receive the data
- Details of any transfers to third countries and the safeguards in place
- Retention periods or the criteria used to determine them
- Information about the individual's rights under the GDPR
- The right to withdraw consent at any time (where consent is the legal basis)
- The right to lodge a complaint with a supervisory authority
A well-structured privacy policy covers most of these requirements. The privacy policy generator can help you build a baseline document that addresses these disclosure obligations, which you then customize for your specific data practices.
Practical tips
Write in plain language. Avoid legal jargon that obscures meaning. The European Data Protection Board (EDPB) has emphasized that transparency means information must be concise, easily accessible, and easy to understand. Layer your notice so users can drill into detail without being overwhelmed upfront.
Right of Access
Article 15 of the GDPR gives individuals the right to obtain confirmation that their personal data is being processed and, if so, to receive a copy of that data along with supplementary information. This is commonly known as a Subject Access Request (SAR).
When someone submits an SAR, you must provide:
- The categories of personal data you hold
- The purposes of processing
- The recipients or categories of recipients
- The envisaged retention period
- Information about their other rights (rectification, erasure, restriction, objection)
- The source of the data if not collected directly from the individual
- Whether automated decision-making or profiling is involved
You must respond within one calendar month. For complex requests, you may extend this by two additional months, but you must notify the individual within the first month and explain the reason. The response must be provided in a commonly used electronic format if the request was made electronically.
Verifying identity
Before fulfilling any request, verify the identity of the requester. You may ask for identification, but do not request more information than necessary. If you cannot verify identity, you may refuse to act, but you must explain why and inform the individual of their right to complain to a supervisory authority.
Right to Rectification and Right to Erasure
Right to rectification
Article 16 gives individuals the right to have inaccurate personal data corrected without undue delay. They can also request that incomplete data be completed, including by providing a supplementary statement. If you have disclosed the data to third parties, you must inform those recipients of the correction unless doing so is impossible or involves disproportionate effort.
Right to erasure (right to be forgotten)
Article 17 of the GDPR, often called the "right to be forgotten," allows individuals to request deletion of their personal data. This right applies when:
- The data is no longer necessary for its original purpose
- The individual withdraws consent and no other legal basis applies
- The individual objects to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required to comply with a legal obligation
- The data was collected in relation to offering information society services to a child
However, the right to erasure is not absolute. You may refuse if processing is necessary for exercising the right of freedom of expression, complying with a legal obligation, public health purposes, archiving in the public interest, or establishing, exercising, or defending legal claims.
Document every erasure request and your response, whether you fulfilled or declined it and the reasoning. This record is essential for demonstrating compliance under Article 5(2).
Right to Restrict Processing and Right to Data Portability
Right to restrict processing
Under Article 18, individuals can request that you limit how you use their data. Restriction means you may store the data but not process it further without the individual's consent (except for legal claims, protecting rights of others, or important public interest reasons). Restriction applies when:
- The individual contests the accuracy of the data (restriction applies while you verify)
- Processing is unlawful but the individual prefers restriction over erasure
- You no longer need the data, but the individual needs it for legal claims
- The individual has objected to processing under Article 21 (restriction applies while you assess whether your legitimate grounds override theirs)
When restriction is lifted, you must inform the individual before resuming processing.
Right to data portability
Article 20 gives individuals the right to receive their personal data in a structured, commonly used, and machine-readable format. They can also request that you transmit the data directly to another controller where technically feasible. This right applies only when:
- Processing is based on consent or a contract
- Processing is carried out by automated means
Common formats include CSV, JSON, and XML. The right to portability does not require you to adopt or maintain technically compatible systems with other controllers, but you must not create barriers to transmission.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowRight to Object to Processing
Article 21 of the GDPR grants individuals the right to object to processing based on legitimate interests (Article 6(1)(f)) or the performance of a task in the public interest (Article 6(1)(e)). When someone objects, you must stop processing unless you can demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms, or the processing is necessary for legal claims.
There are two specific contexts where the right to object has stronger protections:
- Direct marketing: The individual has an absolute right to object to processing for direct marketing purposes. No balancing test applies. You must stop immediately upon receiving the objection.
- Research and statistics: Individuals can object to processing for scientific, historical research, or statistical purposes unless the processing is necessary for a task carried out in the public interest.
You must bring the right to object to the individual's attention at the point of first communication, clearly and separately from other information. This is a requirement of Article 21(4).
Rights Related to Automated Decision-Making and Profiling
Article 22 of the GDPR protects individuals from decisions made solely by automated means, including profiling, that produce legal or similarly significant effects. Examples include automated credit scoring, algorithmic recruitment screening, or dynamic pricing that materially affects access to services.
Under this article, individuals have the right to:
- Not be subject to a decision based solely on automated processing
- Obtain human intervention from the controller
- Express their point of view
- Contest the decision
Automated decision-making is permitted only when it is necessary for a contract, authorized by law, or based on explicit consent. Even in these cases, you must implement suitable safeguards, including the right to human intervention and the right to contest.
If your organization uses profiling or algorithmic decision-making, disclose this in your privacy policy. Explain the logic involved and the significance and envisaged consequences for the individual, as required by Articles 13(2)(f) and 14(2)(g).
How to Handle GDPR Individual Rights Requests
Building an efficient process for handling data subject requests is essential. Supervisory authorities evaluate not just whether you comply, but how quickly and systematically you respond.
Step-by-step request handling
- Receive and log the request. Accept requests through multiple channels (email, web form, in-app). Log the date, the right being exercised, and the requester's identity.
- Verify identity. Confirm the requester is the data subject. Use proportionate verification methods.
- Assess the request. Determine which right applies, whether any exemptions exist, and what data or actions are involved.
- Respond within one month. Provide the requested information, action, or a clear explanation of why you are declining. Use plain language.
- Document everything. Record your response, the date, the reasoning, and any data disclosed or deleted. Retain these records for accountability under Article 5(2).
- Notify third parties. If you have shared the relevant data with third parties, inform them of any rectification, erasure, or restriction unless doing so is impossible or involves disproportionate effort (Article 19).
Common pitfalls
- Ignoring requests because they arrive informally (the GDPR does not prescribe a format)
- Requesting excessive identification, which itself can become a data protection issue
- Missing the one-month deadline without communicating an extension
- Fulfilling erasure requests without checking for legal retention obligations
Tools like TermsBox can help you maintain a compliant privacy policy that clearly communicates data subject rights and how to exercise them. When your policy is accurate and up to date, individuals know what to expect and your team knows what to deliver.
Penalties for Failing to Uphold GDPR Individual Rights
Non-compliance with individual rights under GDPR carries serious consequences. Article 83(5) sets the maximum administrative fine at 20 million EUR or 4% of annual global turnover, whichever is higher. These maximum fines apply specifically to violations of data subject rights (Articles 12 through 22).
Notable enforcement examples include:
- Austrian Post (2019): Fined 18 million EUR for processing political affinity data without a lawful basis, violating data subjects' rights and transparency obligations.
- H&M (2020): Fined 35.3 million EUR by the Hamburg DPA for extensive employee surveillance, including failure to respect employees' data protection rights.
- Clearview AI (2022): Multiple European DPAs issued fines totaling over 50 million EUR for scraping facial images and ignoring access and deletion requests.
Beyond fines, individuals can seek judicial remedies under Article 79 and claim compensation for material and non-material damage under Article 82. Reputational harm from publicized enforcement actions often exceeds the financial penalty itself.
Proactive compliance is significantly less expensive than reactive enforcement. Invest in clear processes, staff training, and accurate documentation now rather than responding to regulatory inquiries later.
Frequently Asked Questions
How many individual rights does the GDPR grant?
The GDPR grants eight individual rights: the right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights related to automated decision-making and profiling.
How long do I have to respond to a data subject request?
You must respond without undue delay and within one calendar month of receiving the request. For complex or numerous requests, you may extend the deadline by a further two months, but you must inform the individual within the first month and explain the reason for the delay.
Can I charge a fee to process a data subject request?
In most cases, no. You must handle requests free of charge. However, Article 12(5) allows you to charge a reasonable fee or refuse to act if a request is manifestly unfounded or excessive, particularly if it is repetitive. You must be able to demonstrate why the request qualifies.
What happens if I fail to comply with GDPR individual rights?
Failure to respect data subject rights can result in enforcement action by supervisory authorities, including fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher, under Article 83(5) of the GDPR. Individuals may also seek judicial remedies and compensation.