Data Subject Rights under the GDPR

The GDPR grants individuals (data subjects) comprehensive rights over their personal data. These rights are set out in Articles 15 through 22 and are one of the most significant aspects of the regulation. Organisations must establish processes to respond to data subject requests without undue delay and at the latest within one month of receipt. Where necessary, given the complexity and number of requests, this period may be extended by a further two months, but the data subject must be told about the extension and its reasons within the first month (Art. 12(3)).

Failure to comply with data subject rights can result in significant fines and reputational damage. Below, we examine each right in detail and outline what it means for your organisation in practice.

Right of Access (Art. 15)

Data subjects have the right to obtain confirmation as to whether their personal data is being processed and, if so, to access that data. The controller must provide a copy of the data being processed; the first copy is free of charge, and a reasonable fee based on administrative costs may be charged only for further copies (Art. 15(3)). The information to be provided includes:

  • The purposes of the processing
  • The categories of personal data concerned
  • The recipients or categories of recipients to whom the data has been or will be disclosed
  • The envisaged retention period or the criteria used to determine it
  • The existence of rights to rectification, erasure, restriction, and objection
  • The right to lodge a complaint with a supervisory authority
  • Where the data was not collected directly from the data subject, any available information about its source
  • The existence of automated decision-making, including profiling, and meaningful information about the logic involved as well as the significance and envisaged consequences for the data subject
  • Where the data is transferred to a third country or international organisation, the appropriate safeguards relating to the transfer (Art. 15(2))

Practical tip: Prepare standardised response templates and ensure you can locate all personal data across your systems within the one-month deadline. Verify the requester's identity before disclosing anything, and redact data relating to other people where the copy would adversely affect their rights (Art. 15(4)). A GRC tool like Kopexa can help track and document these requests.

Right to Rectification (Art. 16)

Data subjects have the right to have inaccurate personal data corrected without undue delay. They also have the right to have incomplete personal data completed, including by providing a supplementary statement. This right covers every system in which the data is held, including archives; for backups, document when and how the correction propagates (for example on the next backup cycle) and make sure data restored from an older backup is corrected again.

You must also notify each recipient to whom the data has been disclosed about the rectification, unless this proves impossible or involves disproportionate effort (Art. 19).

Right to Erasure / Right to Be Forgotten (Art. 17)

Data subjects can request the erasure of their personal data when one of several conditions applies:

  • The data is no longer necessary for the purposes for which it was collected
  • The data subject withdraws consent and there is no other legal basis
  • The data subject objects to the processing under Art. 21(1) and there are no overriding legitimate grounds, or objects to direct marketing under Art. 21(2)
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation
  • The data was collected in relation to the offer of information society services to a child

Important exceptions exist (Art. 17(3)): erasure is not required where processing is necessary for exercising the right of freedom of expression and information, for complying with a legal obligation or performing a task in the public interest, for reasons of public interest in the area of public health, for archiving, research or statistical purposes where erasure would seriously impair them, or for the establishment, exercise or defence of legal claims.

Right to Restriction of Processing (Art. 18)

Data subjects can request the restriction of processing in specific circumstances: when accuracy is contested, when processing is unlawful but the data subject opposes erasure, when the controller no longer needs the data but the data subject requires it for legal claims, or pending verification of an objection under Art. 21.

When processing is restricted, the data may only be stored and may not be further processed without the data subject's consent, except for the establishment, exercise or defence of legal claims, the protection of the rights of another natural or legal person, or reasons of important public interest. The data subject must be informed before the restriction is lifted (Art. 18(3)).

Right to Data Portability (Art. 20)

Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format. They also have the right to transmit that data to another controller without hindrance. This right applies when processing is based on consent or contract and is carried out by automated means.

Where technically feasible, the data subject can request that the data be transmitted directly from one controller to another. Common formats include JSON, CSV, and XML.

Right to Object (Art. 21)

Data subjects can object to processing based on legitimate interests (Art. 6(1)(f)) or public interest (Art. 6(1)(e)) at any time, on grounds relating to their particular situation. The controller must then cease processing unless it can demonstrate compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or the processing is needed for the establishment, exercise or defence of legal claims.

For direct marketing purposes, the right to object is absolute: when a data subject objects to processing for direct marketing, the data must no longer be processed for that purpose. No balancing test is required.

Automated Decision-Making and Profiling (Art. 22)

Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them. Exceptions exist when the decision is necessary for a contract, authorised by law, or based on explicit consent.

Where the contract or explicit-consent exception applies, the controller must implement suitable measures to safeguard the data subject's rights, at least the right to obtain human intervention, to express their point of view, and to contest the decision; where the decision is authorised by law, that law must itself lay down such safeguards (Art. 22(2)(b), 22(3)). This is particularly relevant for organisations using AI-based or algorithmic decision-making systems.

Implementing Data Subject Rights in Practice

To handle data subject requests efficiently, organisations should:

  • Establish a dedicated intake process: Provide clear channels (email, web form) for data subjects to submit requests and confirm receipt promptly. Requests are valid regardless of the channel used, so train front-line staff to recognise and forward them.
  • Verify identity before responding: Ensure the requester is who they claim to be, especially for access and portability requests, since a weak check lets an impersonator use the request to obtain someone else's data. Use means proportionate to the data at stake (Art. 12(6)) and do not collect more identity data than the check needs.
  • Map data across all systems: Know where personal data resides, including processors and backups, so you can respond completely within the deadline.
  • Track deadlines rigorously: The one-month response period is mandatory and runs from receipt of the request. Extensions must be communicated to the data subject, with reasons, within that first month.
  • Document every request and response: Under the accountability principle (Art. 5(2)), you must be able to demonstrate compliance, so record what was received, when, what was verified, and what was sent.
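The steps above, as an added example that is not Kopexa's code or part of the original page: a minimal Python request register that computes the Art. 12(3) deadline with calendar-month arithmetic, accepts an extension only within the first month and only up to two further months, refuses to fulfil an access or portability request before the requester's identity has been verified, and keeps a hash-chained audit log that detects a deleted or altered entry. The class and method names and the sample request are assumptions made for this example.

```python
"""Minimal DSAR (data subject request) register. Example code, not Kopexa's;
class and method names are assumptions, the sample request is constructed."""
from __future__ import annotations

import calendar
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class RequestType(Enum):
    ACCESS = "access"                # Art. 15
    RECTIFICATION = "rectification"  # Art. 16
    ERASURE = "erasure"              # Art. 17
    RESTRICTION = "restriction"      # Art. 18
    PORTABILITY = "portability"      # Art. 20
    OBJECTION = "objection"          # Art. 21


# Fulfilling these discloses personal data: never answer them before the
# requester's identity has been checked (Art. 12(6)).
DISCLOSING = {RequestType.ACCESS, RequestType.PORTABILITY}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic clamped to the end of the target month, so
    31 January + 1 month is 28 (or 29) February rather than 3 March."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def _chain_hash(prev: str, body: dict) -> str:
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()


@dataclass
class DSAR:
    request_id: str
    request_type: RequestType
    received: date
    identity_verified: bool = False
    extension_months: int = 0
    log: list = field(default_factory=list)

    def __post_init__(self) -> None:
        self._record("received", self.received, type=self.request_type.value)

    # --- audit trail: each entry's hash covers the previous entry --------------
    def _record(self, event: str, on: date, **details) -> None:
        prev = self.log[-1]["hash"] if self.log else "genesis"
        entry = {"event": event, "on": on.isoformat(), **details}
        entry["hash"] = _chain_hash(prev, entry)
        self.log.append(entry)

    def log_intact(self) -> bool:
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "genesis"
        for entry in self.log:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["hash"] != _chain_hash(prev, body):
                return False
            prev = entry["hash"]
        return True

    # --- deadlines (Art. 12(3)) ------------------------------------------------
    def initial_deadline(self) -> date:
        return add_months(self.received, 1)

    def deadline(self) -> date:
        return add_months(self.received, 1 + self.extension_months)

    def extend(self, months: int, reason: str, on: date) -> date:
        """At most two further months in total, notified within the first month."""
        if months < 1 or self.extension_months + months > 2:
            raise ValueError("total extension may not exceed two months")
        if on > self.initial_deadline():
            raise ValueError("extension must be notified within the first month")
        self.extension_months += months
        self._record("extended", on, months=months, reason=reason,
                     new_deadline=self.deadline().isoformat())
        return self.deadline()

    # --- identity check and fulfilment -----------------------------------------
    def verify_identity(self, method: str, on: date) -> None:
        self.identity_verified = True
        self._record("identity_verified", on, method=method)

    def fulfil(self, on: date) -> bool:
        """Close the request; returns True when closed on time. Refuses to
        disclose data to an unverified requester."""
        if self.request_type in DISCLOSING and not self.identity_verified:
            raise PermissionError("identity not verified; refusing to disclose")
        on_time = on <= self.deadline()
        self._record("fulfilled", on, on_time=on_time)
        return on_time


if __name__ == "__main__":
    # Constructed sample request, not real data.
    r = DSAR("DSAR-0001", RequestType.ACCESS, date(2024, 1, 31))
    print(r.initial_deadline())                                    # 2024-02-29
    r.extend(2, "data spread across legacy archives", on=date(2024, 2, 20))
    print(r.deadline())                                            # 2024-04-30
    r.verify_identity("video ident against ID document", on=date(2024, 3, 1))
    print(r.fulfil(on=date(2024, 4, 15)), r.log_intact())          # True True
```

The month-clamping matters because a naive "add 30 days" silently shortens or lengthens the statutory period at month ends; the extension guard encodes the rule that a late extension notice does not stop the clock; and the hash chain gives the audit trail the tamper evidence a supervisory authority inquiry would expect.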

For more on documenting your processing activities, see our guide on Records of Processing Activities. For the technical measures needed to secure personal data, visit Technical and Organisational Measures.

Streamline Data Subject Request Handling

Kopexa helps you track, manage, and document data subject requests in a centralised system. Ensure you never miss a deadline and maintain a full audit trail for supervisory authority inquiries.
