TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. Rights of GDPR: All 8 Data Subject Rights Explained
Legal Compliance

Rights of GDPR: All 8 Data Subject Rights Explained

Learn about the rights of GDPR, including access, erasure, portability, and objection. Practical guide to all 8 data subject rights with compliance steps.

TermsBox Team|April 3, 202615 min read

The rights of GDPR are a set of eight legally enforceable protections that give individuals control over how organizations collect, use, and store their personal data. Understanding what the rights of GDPR are is essential for any business that handles the personal data of people in the European Union or European Economic Area, whether through a website, app, or any other channel.

This guide explains each of the eight data subject rights established by the General Data Protection Regulation (Regulation (EU) 2016/679), when they apply, what exceptions exist, and what your business must do to comply. This content is educational and does not constitute legal advice. Consult a qualified data protection attorney for guidance specific to your organization.

Overview of the Rights of GDPR

The rights of GDPR are codified in Chapter III (Articles 12 through 23) of the General Data Protection Regulation. These rights apply to any "data subject," defined in Article 4(1) as an identified or identifiable natural person. In practical terms, a data subject is any living individual whose personal data your organization processes.

Article 12 establishes the overarching framework for how organizations must facilitate these rights. It requires that information and communications relating to the exercise of data subject rights be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. Organizations must respond to requests without undue delay and within one month.

The eight rights are:

  1. Right to be informed
  2. Right of access
  3. Right to rectification
  4. Right to erasure (right to be forgotten)
  5. Right to restrict processing
  6. Right to data portability
  7. Right to object
  8. Rights related to automated decision-making and profiling

Not every right applies in every situation. Several rights are conditional on the lawful basis used for processing or the specific circumstances of the request. The sections below examine each right in detail.

Right to Be Informed (Articles 13 and 14)

The right to be informed is the foundational right of GDPR that underpins all others. It requires organizations to tell individuals what personal data is being collected, why, how it will be used, and who it will be shared with.

When data is collected directly from the individual

Article 13 applies when you collect personal data directly from the data subject, such as through a website form, account registration, or purchase. At the point of collection, you must provide:

  • The identity and contact details of the data controller
  • The contact details of your Data Protection Officer, if applicable
  • The purposes of processing and the lawful basis for each
  • Any legitimate interests pursued, if that is the lawful basis
  • The recipients or categories of recipients of the data
  • Details of any international transfers and the safeguards in place
  • The retention period or the criteria used to determine it
  • The existence of each of the other data subject rights
  • The right to withdraw consent at any time, if consent is the lawful basis
  • The right to lodge a complaint with a supervisory authority
  • Whether providing the data is a statutory or contractual requirement and the consequences of not providing it
  • The existence of any automated decision-making, including profiling

When data is obtained from other sources

Article 14 applies when personal data is not collected directly from the individual, for example when obtained from a data broker, public registry, or third-party partner. In addition to the information required under Article 13, you must also disclose the source of the personal data and, if applicable, whether it came from publicly accessible sources. This information must be provided within a reasonable period and no later than one month after obtaining the data.

How to comply

The primary mechanism for fulfilling the right to be informed is a comprehensive privacy policy. A privacy policy generator can help you create a document that addresses the required disclosures under Articles 13 and 14. Your privacy policy should be accessible from every page of your website, written in clear language, and updated whenever your data processing practices change.

Right of Access (Article 15)

The right of access allows individuals to obtain confirmation of whether their personal data is being processed and, if so, to receive a copy of that data along with supplementary information. This is one of the most frequently exercised rights of GDPR.

What the individual can request

Under Article 15, a data subject can request:

  • Confirmation of whether personal data concerning them is being processed
  • A copy of the personal data
  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients or categories of recipients to whom the data has been or will be disclosed
  • The retention period or criteria for determining it
  • Information about their other rights (rectification, erasure, restriction, objection)
  • The source of the data, if not collected from the individual directly
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved
  • Details of any international transfers and the safeguards in place

Responding to access requests

You must provide the first copy of the data free of charge. For additional copies, Article 15(3) allows you to charge a reasonable fee based on administrative costs. The data must be provided in a commonly used electronic format if the request was made electronically, unless the individual requests otherwise.

The one-month response deadline under Article 12(3) applies. For complex requests or a high volume of simultaneous requests, you can extend this by an additional two months, but you must notify the individual of the extension and the reasons within the initial one-month period.

Practical considerations

Access requests can be resource-intensive if your organization stores personal data across multiple systems. Establishing a clear internal process, including verification of the requester's identity, a designated point of contact, and a system for locating and compiling all relevant data, is essential for responding within the statutory timeframe.

Right to Rectification (Article 16)

The right to rectification entitles individuals to have inaccurate personal data corrected and incomplete data completed. This right of GDPR is straightforward in principle but requires organizations to have processes for updating records across all systems where the data is stored.

When an individual submits a rectification request, you must:

  • Correct the inaccurate data without undue delay
  • Complete any incomplete data, taking into account the purposes of processing (this may involve accepting a supplementary statement from the individual)
  • Inform any third parties to whom the data was disclosed about the rectification, unless this proves impossible or involves disproportionate effort (Article 19)
  • Inform the individual about those third-party recipients if they request it

There are no general exceptions to the right to rectification. If personal data is factually inaccurate, the individual has an unconditional right to have it corrected.

Right to Erasure (Article 17)

The right to erasure, commonly called the "right to be forgotten," allows individuals to request the deletion of their personal data. It is one of the most well-known rights of GDPR, but it is not absolute.

When the right applies

An individual can request erasure when:

  • The personal data is no longer necessary for the purpose it was collected
  • The individual withdraws consent and there is no other lawful basis for processing
  • The individual objects to processing under Article 21 and there are no overriding legitimate grounds
  • The personal data has been unlawfully processed
  • The data must be erased to comply with a legal obligation under EU or member state law
  • The data was collected in relation to the offer of information society services to a child under Article 8(1)

Exceptions to the right to erasure

The right to erasure does not apply when processing is necessary for:

  • Exercising the right of freedom of expression and information
  • Compliance with a legal obligation that requires processing under EU or member state law
  • Reasons of public interest in the area of public health
  • Archiving purposes in the public interest, scientific or historical research, or statistical purposes, where erasure would render impossible or seriously impair the objectives
  • The establishment, exercise, or defense of legal claims

Practical implementation

When honoring an erasure request, you must delete the data from all systems, including backups (where technically feasible within a reasonable timeframe), and notify any third parties to whom the data was disclosed, per Article 19. If you made the data public, Article 17(2) requires you to take reasonable steps to inform other controllers processing the data that the individual has requested erasure of any links to, copies, or replications of that data.

Right to Restrict Processing and Right to Data Portability

These two rights of GDPR serve different purposes but both give individuals granular control over how their data is handled.

Right to restrict processing (Article 18)

The right to restrict processing allows an individual to request that you stop actively using their personal data while keeping it stored. This applies in four situations:

  • The individual contests the accuracy of the data, and you need time to verify it
  • The processing is unlawful, but the individual opposes erasure and requests restriction instead
  • You no longer need the data for processing, but the individual needs it for the establishment, exercise, or defense of legal claims
  • The individual has objected to processing under Article 21, and you are verifying whether your legitimate grounds override theirs

While processing is restricted, you may only store the data. Any other processing requires the individual's consent, a legal claim basis, the protection of another person's rights, or important public interest grounds.

Right to data portability (Article 20)

The right to data portability allows individuals to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. This right only applies when:

  • The processing is based on consent (Article 6(1)(a) or Article 9(2)(a)) or contractual necessity (Article 6(1)(b))
  • The processing is carried out by automated means

The right to data portability does not extend to data processed on the basis of legitimate interests, legal obligation, or public task. Common formats for providing portable data include JSON, CSV, and XML. Where technically feasible, the individual can request that data be transmitted directly from one controller to another.

Right to Object and Automated Decision-Making Rights

The final two rights of GDPR address situations where individuals want to challenge how their data is used, either by objecting to specific processing or by contesting decisions made entirely by algorithms.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Right to object (Article 21)

The right to object allows individuals to challenge processing based on two specific lawful bases:

  • Public task (Article 6(1)(e))
  • Legitimate interests (Article 6(1)(f))

When an individual objects, the organization must stop processing unless it can demonstrate "compelling legitimate grounds" for the processing that override the individual's interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

For direct marketing purposes, the right to object is absolute. No balancing test is required. Once an individual objects to processing for direct marketing, the organization must stop immediately and without exception. Article 21(3) requires that this right be explicitly brought to the individual's attention at the point of first communication.

Your privacy policy must clearly inform individuals of their right to object. A privacy policy generator can help ensure this disclosure is included, but you should verify the output covers the specific lawful bases you rely on for processing.

Rights related to automated decision-making (Article 22)

Article 22 gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects. Examples include automated credit scoring decisions, algorithmic recruitment screening without human review, or automated insurance claim assessments.

This right applies when three conditions are met simultaneously:

  1. The decision is based solely on automated processing (no meaningful human involvement)
  2. The processing includes profiling or automated decision-making
  3. The decision produces legal effects or similarly significantly affects the individual

Exceptions exist when the automated decision is necessary for a contract, authorized by EU or member state law, or based on the individual's explicit consent. In those cases, the organization must still implement suitable safeguards, including at minimum the right to obtain human intervention, to express their point of view, and to contest the decision.

How to Handle GDPR Rights Requests

Building a reliable process for handling data subject requests is a compliance necessity, not a nice-to-have. Failing to respond properly to requests related to the rights of GDPR is an upper-tier violation under Article 83(5), carrying fines of up to 20 million EUR or 4% of global annual turnover.

Establish a request intake process

Designate a clear channel for receiving data subject requests. This could be a dedicated email address (such as [email protected]), a web form, or a section on your website. Make this channel easy to find and accessible from your privacy policy and cookie policy generator output.

Verify the requester's identity

Before fulfilling any request, you must verify that the person making it is actually the data subject. Article 12(6) permits you to request additional information necessary to confirm identity. Verification should be proportionate to the sensitivity of the data and the nature of the request.

Track deadlines

The one-month response deadline is strict. Set up internal tracking to ensure no request slips through the cracks. Document the date of receipt, the nature of the request, the verification steps taken, the deadline, and the outcome.

Document everything

Maintain records of all data subject requests and how they were handled. This documentation serves the accountability principle under Article 5(2) and provides evidence of compliance in the event of a supervisory authority investigation.

Know when you can refuse

You are permitted to refuse requests that are manifestly unfounded or excessive under Article 12(5). If you refuse, you must inform the individual of the reasons for the refusal, their right to lodge a complaint with a supervisory authority, and their right to seek a judicial remedy. The burden of demonstrating that a request is manifestly unfounded or excessive falls on the organization.

Train your team

Anyone in your organization who might receive or process data subject requests needs to understand the rights of GDPR, your internal procedures, and the response deadlines. Regular training reduces the risk of missed deadlines and improper handling.

Rights of GDPR and Your Privacy Policy

Your privacy policy is the primary document through which you inform individuals about the rights of GDPR. Articles 13 and 14 require that you include a description of each data subject right, information about how individuals can exercise those rights, and the contact details for submitting requests.

A privacy policy that fails to mention data subject rights, or describes them vaguely, does not meet the transparency requirements of EU Regulation 2016/679. Supervisory authorities have issued fines specifically for inadequate privacy policies that omitted or insufficiently described data subject rights.

When drafting or updating your privacy policy, ensure it covers:

  • Each of the eight data subject rights by name
  • How to submit a request (the specific channel or contact)
  • The timeframe for response (one month, extendable by two months)
  • Any circumstances under which a request might be refused
  • The right to lodge a complaint with a supervisory authority
  • The identity and contact details of the relevant supervisory authority

Tools like TermsBox can help you generate a privacy policy that includes the required data subject rights disclosures, and a compliance scanner can verify that your published policy meets the standards set by EU Regulation 2016/679.

Frequently Asked Questions

What are the 8 rights of GDPR?

The eight rights of GDPR are: the right to be informed (Articles 13-14), the right of access (Article 15), the right to rectification (Article 16), the right to erasure (Article 17), the right to restrict processing (Article 18), the right to data portability (Article 20), the right to object (Article 21), and rights related to automated decision-making and profiling (Article 22). These rights are established in Chapter III of the GDPR.

Can a business refuse a GDPR data subject request?

Yes, but only in limited circumstances. A business can refuse a request if it is manifestly unfounded or excessive, particularly if it is repetitive, under Article 12(5). Specific rights also have built-in exceptions. For example, the right to erasure does not apply when processing is necessary for exercising the right of freedom of expression, for compliance with a legal obligation, or for the establishment or defense of legal claims.

How long does a business have to respond to a GDPR rights request?

Under Article 12(3), a business must respond to a data subject request without undue delay and within one month of receiving it. This deadline can be extended by two additional months for complex or numerous requests, but the business must inform the individual of the extension and the reasons for it within the original one-month period.

What happens if a business violates the rights of GDPR data subjects?

Violating data subject rights is classified as an upper-tier infringement under Article 83(5) of the GDPR. Supervisory authorities can impose administrative fines of up to 20 million EUR or 4% of the organization's total worldwide annual turnover, whichever is higher. Data subjects can also seek judicial remedies under Article 79 and claim compensation for material or non-material damage under Article 82.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • Overview of the Rights of GDPR
  • Right to Be Informed (Articles 13 and 14)
  • When data is collected directly from the individual
  • When data is obtained from other sources
  • How to comply
  • Right of Access (Article 15)
  • What the individual can request
  • Responding to access requests
  • Practical considerations
  • Right to Rectification (Article 16)
  • Right to Erasure (Article 17)
  • When the right applies
  • Exceptions to the right to erasure
  • Practical implementation
  • Right to Restrict Processing and Right to Data Portability
  • Right to restrict processing (Article 18)
  • Right to data portability (Article 20)
  • Right to Object and Automated Decision-Making Rights
  • Right to object (Article 21)
  • Rights related to automated decision-making (Article 22)
  • How to Handle GDPR Rights Requests
  • Establish a request intake process
  • Verify the requester's identity
  • Track deadlines
  • Document everything
  • Know when you can refuse
  • Train your team
  • Rights of GDPR and Your Privacy Policy
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.