Rights Under GDPR: The Complete Guide for 2026
Learn what your rights under GDPR are, including access, erasure, portability, and objection. Practical guide for businesses and individuals.
The rights under GDPR give individuals direct control over how organizations collect, store, and use their personal data. Whether you are a business owner building a compliant website or someone who wants to understand what protections you have, knowing these rights is essential for navigating data privacy in 2026.
This article is for educational purposes and does not constitute legal advice. Consult a qualified data protection attorney for guidance specific to your organization.
What Are Your Rights Under GDPR?
The General Data Protection Regulation establishes eight distinct rights for data subjects (the individuals whose personal data is being processed). These rights are codified in Articles 12 through 22 of the regulation and apply to any organization that processes the personal data of people located in the EU or EEA.
Your rights under GDPR are:
- Right to be informed (Articles 13 and 14)
- Right of access (Article 15)
- Right to rectification (Article 16)
- Right to erasure (Article 17)
- Right to restrict processing (Article 18)
- Right to data portability (Article 20)
- Right to object (Article 21)
- Rights related to automated decision-making and profiling (Article 22)
These rights are not absolute. Each one has specific conditions and exceptions that both individuals and businesses need to understand. Failing to respect these rights can result in fines of up to 20 million EUR or 4% of annual global turnover, whichever is higher.
Right to Be Informed (Articles 13 and 14)
The right to be informed is the foundation of GDPR transparency. Organizations must tell individuals what personal data they collect, why they collect it, and what they do with it, before or at the time of collection.
What must be disclosed
Under Article 13, when data is collected directly from the individual, the organization must provide:
- The identity and contact details of the data controller
- Contact details for the Data Protection Officer, if one exists
- The purposes and legal basis for processing
- The legitimate interests pursued, if relying on that basis
- Any recipients or categories of recipients of the data
- Details of transfers to third countries and the safeguards in place
- The retention period, or the criteria used to determine it
- The existence of each data subject right
- The right to withdraw consent at any time
- The right to lodge a complaint with a supervisory authority
This information must be provided in clear, plain language. Burying it in dense legal text does not satisfy the requirement.
How businesses should comply
The most common way to meet the right to be informed is through a well-drafted privacy policy. A privacy policy generator can help create a baseline document covering the mandatory disclosures. Businesses should also provide concise notices at data collection points, such as sign-up forms, checkout pages, and cookie consent banners.
Right of Access (Article 15)
The right of access, commonly called a Subject Access Request (SAR), allows any individual to obtain confirmation of whether their personal data is being processed and, if so, to receive a copy of that data.
What organizations must provide
When an individual submits an access request, the organization must supply:
- A copy of their personal data in a commonly used electronic format
- The purposes of the processing
- The categories of personal data concerned
- The recipients to whom data has been disclosed
- The envisaged retention period
- Information about the source of the data, if not collected from the individual directly
- Whether automated decision-making, including profiling, is applied
Response timeline
Under Article 12(3), organizations must respond within one calendar month. For complex requests, this can be extended by two additional months, but the individual must be notified of the extension and the reasons within the initial one-month window.
Organizations cannot charge a fee for the first copy of the data. Additional copies may incur a reasonable administrative charge.
Right to Rectification (Article 16)
Individuals have the right to have inaccurate personal data corrected without undue delay. They can also request that incomplete data be completed, including by providing a supplementary statement.
This right is straightforward in practice. Common examples include:
- Correcting a misspelled name in an account profile
- Updating an outdated postal or email address
- Amending incorrect date of birth or other biographical information
- Adding missing information that makes an existing record incomplete
Organizations must notify any third parties to whom the data was disclosed about the rectification, unless doing so is impossible or involves disproportionate effort (Article 19).
Right to Erasure (Article 17)
The right to erasure, widely known as the "right to be forgotten," allows individuals to request that their personal data be deleted. This right applies when:
- The data is no longer necessary for its original purpose
- The individual withdraws consent and no other legal basis exists
- The individual objects to processing and no overriding legitimate grounds exist
- The data was processed unlawfully
- Erasure is required to comply with a legal obligation
- The data was collected from a child in relation to an online service
When erasure can be refused
The right to erasure is not absolute. Organizations can refuse deletion when processing is necessary for:
- Exercising the right of freedom of expression and information
- Compliance with a legal obligation (such as tax record retention)
- Public health purposes in the public interest
- Archiving in the public interest, scientific or historical research, or statistical purposes
- The establishment, exercise, or defense of legal claims
Businesses that handle deletion requests should document the assessment and reasoning, whether they comply or refuse.
Right to Restrict Processing (Article 18)
Restriction is a middle ground between continued processing and erasure. When processing is restricted, the organization may store the data but must not process it further without the individual's consent (except for legal claims, protection of rights, or important public interest reasons).
An individual can request restriction when:
- They contest the accuracy of the data (restriction applies while accuracy is verified)
- Processing is unlawful but the individual prefers restriction over erasure
- The organization no longer needs the data, but the individual requires it for legal claims
- The individual has objected to processing under Article 21 (restriction applies while the balancing test is conducted)
In practical terms, this often means flagging a record in your database as restricted and ensuring no automated processes act on it until the restriction is lifted.
Right to Data Portability (Article 20)
Data portability gives individuals the right to receive their personal data in a structured, commonly used, and machine-readable format. They can also request that the data be transmitted directly to another controller where technically feasible.
Conditions for portability
This right applies only when:
- Processing is based on consent or a contract (not legitimate interest or legal obligation)
- Processing is carried out by automated means
What this looks like in practice
When an individual exercises this right, the organization should provide the data as a JSON, CSV, or XML file. Common scenarios include:
- Exporting purchase history from an e-commerce platform
- Downloading personal profile data from a social media service
- Transferring health records between providers
- Moving subscription data from one SaaS platform to another
Data portability covers only the data the individual provided directly, not data derived through analytics or profiling.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowRight to Object (Article 21)
The right to object allows individuals to stop the processing of their personal data in certain situations. There are two distinct forms of this right.
General right to object
Individuals can object to processing based on legitimate interests (Article 6(1)(f)) or public interest (Article 6(1)(e)). The organization must stop processing unless it can demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms.
Absolute right to object to direct marketing
When personal data is processed for direct marketing purposes, the individual has an absolute right to object. There are no grounds for refusal. Processing must stop immediately upon receiving the objection.
Organizations must bring the right to object to the individual's attention at the point of first communication, clearly and separately from other information. Your privacy policy and any marketing consent forms should reference this right explicitly.
Rights Related to Automated Decision-Making (Article 22)
Article 22 protects individuals from decisions made solely by automated processing, including profiling, that produce legal effects or similarly significant effects. Examples include automated loan application rejections, algorithmic hiring decisions, and insurance pricing based entirely on profiling.
What organizations must provide
When automated decision-making applies, the individual has the right to:
- Obtain human intervention in the decision
- Express their point of view
- Contest the decision
Exceptions
Automated decision-making is permitted when it is:
- Necessary for a contract between the individual and the organization
- Authorized by EU or member state law
- Based on explicit consent
Even when an exception applies, the organization must implement suitable safeguards, including the right to obtain human intervention.
How Businesses Should Handle GDPR Rights Requests
Handling rights requests efficiently is not just a legal requirement. It protects your business from complaints to supervisory authorities. Here is a practical framework.
Establish a request intake process
Designate a clear channel (email address, web form, or both) for receiving GDPR requests. Train customer-facing staff to recognize and escalate requests even when the individual does not use formal legal language. "Delete my account" is an erasure request.
Verify identity before responding
You must confirm the identity of the requestor before disclosing or modifying personal data. However, verification must be proportionate. Asking for a passport scan to verify an email address change is excessive.
Track and document everything
Maintain a log of every rights request, including:
- Date received
- Type of right exercised
- Identity verification steps taken
- Response date
- Outcome and reasoning
Respond within deadlines
The one-month response deadline under Article 12(3) is firm. Set internal targets of 21 days to leave a buffer. If you need the two-month extension, communicate it proactively with a clear explanation.
Update your privacy policy
Your privacy policy must describe how individuals can exercise each of their rights under GDPR. Include the designated contact channel, expected response times, and the right to lodge a complaint with a supervisory authority. TermsBox offers a privacy policy generator that includes a compliant data subject rights section covering all eight rights.
GDPR Rights in Practice: Key Enforcement Examples
Supervisory authorities across Europe have issued significant fines for failures related to data subject rights.
- Right of access failures: The Swedish DPA fined a company 75,000 EUR for failing to respond to a subject access request within the required timeframe.
- Right to erasure failures: Google was fined 50 million EUR by the French CNIL in part for failing to provide transparent information about data retention and erasure options.
- Right to object failures: Multiple organizations have been fined for continuing direct marketing after individuals objected, with penalties ranging from 10,000 EUR to several million EUR depending on scale.
These cases demonstrate that regulators take data subject rights seriously. Compliance is not optional, and the cost of ignoring requests far exceeds the cost of building proper processes. For website owners, making sure your terms of service and privacy documentation clearly address these obligations is an important first step.
Frequently Asked Questions
What are the 8 rights under GDPR?
The eight rights under GDPR are the right to be informed, right of access, right to rectification, right to erasure, right to restrict processing, right to data portability, right to object, and rights related to automated decision-making and profiling. These are found in Articles 12 through 22 of the regulation.
Can a business refuse a GDPR rights request?
Yes, in limited circumstances. A business can refuse a request if it is manifestly unfounded or excessive under Article 12(5), or if a legal exemption applies such as legal obligations to retain data. The business must explain the refusal in writing and inform the individual of their right to complain to a supervisory authority.
How long does a company have to respond to a GDPR request?
Under Article 12(3), a company must respond within one calendar month of receiving the request. This can be extended by two additional months for complex or numerous requests, but the company must inform the individual of the extension and the reasons within the first month.
Do GDPR rights apply to non-EU citizens?
GDPR rights apply based on location, not citizenship. Anyone physically present in the EU or EEA when their data is processed is protected, regardless of nationality. A US citizen browsing a website while visiting Paris has the same GDPR rights as a French citizen.