
Individual Rights Under GDPR: A Complete Guide

Learn what individual rights under GDPR protect, how each right works, and what your business must do to comply with data subject requests.

TermsBox Team | April 3, 2026 | 12 min read

Individual rights under GDPR form the backbone of European data protection law. These rights give people meaningful control over how organizations collect, store, and use their personal data, and every business that handles EU residents' data must be prepared to honor them.

This article explains what the individual rights under GDPR are, how each one works in practice, and what your organization needs to do to stay compliant. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.

Overview of Individual Rights Under GDPR

The General Data Protection Regulation, which took effect on 25 May 2018, establishes eight core rights for data subjects. These rights are codified in Articles 12 through 22 of the regulation and apply whenever an organization processes personal data of individuals in the European Economic Area.

At a high level, the individual rights under GDPR are:

  1. The right to be informed (Articles 13 and 14)
  2. The right of access (Article 15)
  3. The right to rectification (Article 16)
  4. The right to erasure (Article 17)
  5. The right to restrict processing (Article 18)
  6. The right to data portability (Article 20)
  7. The right to object (Article 21)
  8. Rights related to automated decision-making and profiling (Article 22)

These rights are not absolute. Each one comes with specific conditions, exemptions, and procedural requirements that organizations must understand before responding to requests.

The Right to Be Informed

Articles 13 and 14 of the GDPR require organizations to tell individuals what personal data they collect and why. This right is the foundation for all the others because people cannot exercise rights they do not know about.

When you collect data directly from someone, Article 13 requires you to provide the following at the time of collection:

  • Your identity and contact details as the data controller
  • Contact details for your data protection officer, if applicable
  • The purposes of processing and the legal basis for each purpose
  • Any recipients or categories of recipients who will receive the data
  • Details of any international data transfers and the safeguards in place
  • The retention period or the criteria used to determine it
  • The existence of each data subject right
  • The right to withdraw consent at any time, where consent is the legal basis
  • The right to lodge a complaint with a supervisory authority

When you obtain data indirectly (from a third party or public source), Article 14 adds the requirement to disclose the source of the data and the categories of personal data involved.

A well-structured privacy policy generator can help you build a notice that covers all of these disclosure requirements in plain language. The key is making this information genuinely accessible, not burying it in dense legal text.

The Right of Access

Article 15 gives individuals the right to obtain confirmation of whether their data is being processed and, if so, to receive a copy of that data along with supplementary information. This is commonly known as a Subject Access Request (SAR).

When someone submits a SAR, you must provide:

  • The purposes of the processing
  • The categories of personal data involved
  • The recipients or categories of recipients
  • The retention period or criteria for determining it
  • Information about the individual's other rights
  • The source of the data, if not collected directly
  • Whether automated decision-making or profiling is involved
  • Details of any safeguards for international transfers

You must supply the first copy of the data free of charge. For additional copies, Article 15(3) allows you to charge a reasonable fee based on administrative costs. The data must be provided in a commonly used electronic format if the request was made electronically.

Practical considerations for access requests

Organizations that handle significant volumes of personal data should build internal processes for SARs before they receive one. This means maintaining a data inventory so you can locate all data relating to a specific individual, establishing identity verification procedures to prevent unauthorized disclosure, and setting up templates and workflows to meet the one-month response deadline under Article 12(3).

The Right to Rectification

Article 16 of the GDPR gives individuals the right to have inaccurate personal data corrected without undue delay. It also allows individuals to have incomplete data completed, taking into account the purposes of the processing.

This right is relatively straightforward but has practical implications:

  • You need a process for individuals to flag inaccurate data
  • You must correct the data and inform any third parties to whom the data was disclosed, unless doing so proves impossible or involves disproportionate effort (Article 19)
  • You should document all rectification requests and actions taken

Common scenarios include correcting a misspelled name, updating an outdated postal address, or amending an incorrect date of birth in a customer account. Where you have disclosed the data to third parties, Article 19 requires you to notify those recipients of the correction.

The Right to Erasure (Right to Be Forgotten)

Article 17 of the GDPR establishes the right to erasure, sometimes called the right to be forgotten. This right allows individuals to request that their personal data be deleted when specific conditions are met.

An individual can request erasure when:

  • The data is no longer necessary for the purpose it was collected
  • They withdraw consent and no other legal basis applies
  • They object to processing under Article 21 and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation
  • The data was collected in relation to offering information society services to a child

When erasure does not apply

The right to erasure is not absolute. Article 17(3) lists several exemptions where you can refuse a deletion request:

  • Exercising the right of freedom of expression and information
  • Compliance with a legal obligation that requires processing
  • Public health purposes in the public interest
  • Archiving in the public interest, scientific research, historical research, or statistical purposes
  • Establishment, exercise, or defense of legal claims

When you delete data, you must also take reasonable steps to inform other controllers who are processing copies of that data, as required by Article 17(2). If you made the data public, you must take reasonable steps to inform those processing the data to erase any links, copies, or replications.

The Right to Restrict Processing

Article 18 allows individuals to request that you limit how their data is used, without deleting it entirely. This right applies in four situations:

  1. The individual contests the accuracy of the data, and you need time to verify it
  2. The processing is unlawful, but the individual prefers restriction over erasure
  3. You no longer need the data, but the individual needs it for legal claims
  4. The individual has objected to processing under Article 21, and you are verifying whether your legitimate grounds override theirs

When processing is restricted, you may only store the data. Any other processing requires the individual's consent, unless it is for legal claims, protecting another person's rights, or important public interest reasons.

Before you lift a restriction, Article 18(3) requires you to inform the individual. This gives them the opportunity to take further action, such as requesting erasure, before processing resumes.

The Right to Data Portability

Article 20 of the GDPR gives individuals the right to receive their personal data in a structured, commonly used, and machine-readable format. They also have the right to transmit that data to another controller without hindrance.

This right applies only when two conditions are met:

  • The processing is based on consent or a contract
  • The processing is carried out by automated means

In practice, this means you should be able to export a user's data in a standard format such as JSON, CSV, or XML. Where technically feasible, you must also transmit the data directly to another controller at the individual's request.


Data portability applies specifically to data the individual has provided. It does not extend to derived data, inferred data, or data generated through your analysis of the individual's behavior. The distinction between "provided" data and "observed" or "inferred" data is one area where the Article 29 Working Party (now the European Data Protection Board) has issued detailed guidance.

The Right to Object and Automated Decision-Making

Right to object (Article 21)

Individuals have the right to object to processing based on legitimate interests (Article 6(1)(f)) or the performance of a task in the public interest (Article 6(1)(e)). When someone objects, you must stop processing unless you can demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms, or the processing is necessary for legal claims.

For direct marketing, the right to object is absolute. When someone objects to processing for direct marketing purposes, you must stop immediately and without exception. Article 21(3) states that the data must no longer be processed for such purposes.

You must inform individuals of the right to object at the point of first communication and present it clearly and separately from other information.

Automated decision-making and profiling (Article 22)

Article 22 gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects. Examples include automated credit scoring that leads to loan rejection, algorithmic hiring decisions, or automated insurance premium calculations.

Exceptions apply when the decision is:

  • Necessary for a contract between you and the individual
  • Authorized by EU or member state law
  • Based on the individual's explicit consent

In any case, the individual has the right to obtain human intervention, express their point of view, and contest the decision.

How to Comply With Individual Rights Under GDPR

Knowing what the individual rights under GDPR are is the first step. Building operational processes to handle them is where most organizations struggle. Here is a practical framework for compliance.

Build a data subject request workflow

Create a documented procedure that covers:

  1. Intake: Provide a clear channel for requests (email, web form, or postal address) and acknowledge receipt promptly.
  2. Verification: Confirm the requester's identity before disclosing any data. Use proportionate verification methods based on the sensitivity of the data.
  3. Assessment: Determine which right is being exercised, whether any exemptions apply, and which internal teams need to act.
  4. Execution: Fulfill the request within the one-month deadline under Article 12(3), or notify the individual of an extension of up to two additional months for complex requests.
  5. Documentation: Record the request, your response, any exemptions relied upon, and the timeline.

Train your team

Every employee who handles personal data should understand the basics of individual rights under GDPR. Customer-facing staff need to recognize when someone is making a data subject request, even if the individual does not use formal legal language. A customer saying "delete my account and all my data" is exercising their right to erasure.

Update your privacy notices

Your privacy policy must clearly explain each right and how individuals can exercise them. It should include your contact details, the contact details for your data protection officer where applicable, and the right to complain to a supervisory authority. Tools like a privacy policy generator can help you structure this information correctly, but always review the output with legal counsel for your specific jurisdiction.

Keep records

Article 5(2) of the GDPR establishes the accountability principle: you must be able to demonstrate compliance. Maintain logs of all data subject requests, your responses, any exemptions applied, and the dates involved. These records will be essential if a supervisory authority investigates a complaint.

Enforcement and Penalties

Supervisory authorities across the EEA actively enforce individual rights under GDPR. Failing to respond to data subject requests, responding late, or providing incomplete responses can all trigger enforcement action.

Under Article 83(5), violations of data subject rights can result in fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher. Beyond fines, individuals have the right under Article 79 to seek judicial remedies, and under Article 82 to claim compensation for both material and non-material damages.

Notable enforcement examples include:

  • The Greek DPA fined a telecommunications provider 150,000 EUR for failing to respond adequately to an access request
  • The Polish DPA fined a data controller 220,000 PLN for refusing to comply with an erasure request
  • Multiple supervisory authorities have issued reprimands and warnings for excessive response times on SARs

The trend across European regulators is clear: organizations that treat data subject rights as optional face escalating consequences. Building proper processes before you receive a complaint is far more cost-effective than dealing with enforcement after the fact.

Frequently Asked Questions

What are the individual rights under GDPR?

The GDPR grants eight individual rights: the right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights related to automated decision-making and profiling. These rights apply to any person whose personal data is processed by an organization subject to the GDPR.

How long does a business have to respond to a data subject request?

Under Article 12(3) of the GDPR, organizations must respond to data subject requests without undue delay and within one calendar month of receiving the request. This deadline can be extended by two additional months for complex or numerous requests, but the organization must inform the individual of the extension and explain why within the first month.

Can a business refuse a GDPR data subject request?

Yes, but only in limited circumstances. Under Article 12(5), a controller may refuse requests that are manifestly unfounded or excessive, particularly if they are repetitive. The controller must demonstrate why the request qualifies as such. Certain rights also have specific exemptions; for example, the right to erasure does not apply when processing is necessary for legal claims or public health obligations.

What happens if a business ignores individual rights under GDPR?

Failure to comply with data subject rights can result in enforcement action by a supervisory authority, including fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher. Individuals also have the right to lodge complaints with their local data protection authority and to seek judicial remedies, including compensation for material and non-material damages.
