GDPR Data Subject Rights Explained
Quick Answer
GDPR grants individuals eight key rights over their personal data: access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making, plus the right to be informed. Organizations must respond within one month.
Overview of Data Subject Rights
One of GDPR's most impactful provisions is the set of rights it grants to individuals (data subjects) over their personal data. These rights create direct obligations for organizations — you must have processes to fulfill requests within strict timelines.
Key Takeaways
- Eight core rights under GDPR Articles 12-22
- Response deadline: 1 month from receipt (can be extended by 2 months for complex requests)
- Requests must be fulfilled free of charge (with limited exceptions for manifestly unfounded/excessive requests)
- You must verify the requester's identity before fulfilling requests
- Failure to respond to DSRs is a common basis for GDPR complaints and enforcement
The Eight Data Subject Rights
| Right | Article | What It Means | Response Time |
|---|---|---|---|
| Right to be Informed | Art. 13-14 | Provide clear information about data processing at collection time | At collection / within 1 month |
| Right of Access | Art. 15 | Provide copies of personal data and processing information | 1 month |
| Right to Rectification | Art. 16 | Correct inaccurate or incomplete personal data | 1 month |
| Right to Erasure | Art. 17 | Delete personal data when no longer necessary | 1 month |
| Right to Restriction | Art. 18 | Limit processing while disputes are resolved | 1 month |
| Right to Data Portability | Art. 20 | Provide data in machine-readable format for transfer | 1 month |
| Right to Object | Art. 21 | Object to processing based on legitimate interest or direct marketing | 1 month (immediately for direct marketing) |
| Automated Decision-Making | Art. 22 | Not be subject to solely automated decisions with legal effects | 1 month |
Handling Data Subject Requests
DSR Response Process
1. Receive and log the request: Record the request date, type, requester identity, and any details. This starts your 1-month response clock.
2. Verify identity: Confirm the requester is who they claim to be. For access, erasure, and portability requests in particular, identity verification prevents disclosing or deleting someone's data at the request of an impostor. Use reasonable measures proportionate to the risk, and do not collect more identifying information than you need to resolve any doubt.
3. Assess the request: Determine whether any exemptions apply (legal obligation to retain, freedom of expression, public interest, etc.). If you plan to refuse, document the legal basis for refusal.
4. Locate all relevant data: Search all systems for the individual's personal data. This is where thorough data mapping pays off: you need to know where all personal data resides.
5. Fulfill or refuse within 1 month: Provide the requested information or action, or explain why the request is refused. If the request is complex, you can extend by 2 months, but you must notify the requester within the first month.
6. Document the response: Keep records of all DSRs, your response, and the outcome. This documentation demonstrates compliance.
When Can You Refuse a Request?
- Manifestly unfounded or excessive requests: You can charge a reasonable fee or refuse. But the bar is very high — you must demonstrate why the request is unfounded.
- Legal obligations: You can retain data if required by law (tax records, employment records, etc.).
- Erasure exemptions: Freedom of expression, public health, archiving in the public interest, legal claims defense.
- Portability limitations: Only applies to data provided by the subject and processed by automated means on the basis of consent or contract.
- Cannot identify the subject: If you can't identify the requester in your data (and the data isn't identifiable without additional info), you can refuse.
⚠️ Direct Marketing Objection Is Absolute
The right to object to direct marketing processing is absolute — there are no exceptions or grounds for refusal. When someone objects to direct marketing, you must stop processing their data for that purpose immediately. No balancing test, no legitimate interest argument.
Key figures at a glance:
- Standard response time: 1 month from receipt of a valid request
- Extension for complex requests: +2 months (you must notify the requester within the first month)
- Cost to requester: free, except for manifestly excessive requests
- Most common complaint (#1): the right of access is the most exercised right
Can I charge for fulfilling a data subject request?
Generally no — requests must be fulfilled free of charge. You may charge a "reasonable fee" based on administrative costs only for requests that are manifestly unfounded or excessive (particularly if repetitive). You may also charge for additional copies beyond the first.
What if I can't find the person's data?
If you've conducted a thorough search across all systems and can't find data matching the requester, inform them that you do not process their personal data. Document your search effort.
Do I need to notify third parties about erasure?
Yes. Under Article 19, if you've disclosed personal data to third parties, you must inform them about the erasure (unless it's impossible or involves disproportionate effort). You must also inform the data subject about the third parties if they request this.
How do I handle requests from employees?
Employee DSRs follow the same rules. However, employment law may provide additional grounds for retention (legal obligation, legitimate interest). Be careful not to disclose third-party data (e.g., other employees) in access request responses.