GDPR Data Subject Rights: Complete Guide

Everything you need to know about the eight fundamental rights granted to individuals under the General Data Protection Regulation.

18 min read Updated April 2026

Understanding GDPR Data Subject Rights

The General Data Protection Regulation (GDPR) grants EU residents (known as "data subjects") significant control over their personal data. These rights are fundamental to the GDPR's mission of giving individuals power over their information.

There are eight distinct rights codified in the GDPR. Organizations that process personal data must understand these rights, how to respond to requests, and the timelines for compliance.

The Eight GDPR Data Subject Rights

  1. Right of Access (Article 15) - Know what data is held
  2. Right to Rectification (Article 16) - Correct inaccurate data
  3. Right to Erasure (Article 17) - "Right to be forgotten"
  4. Right to Restriction (Article 18) - Limit processing
  5. Right to Portability (Article 20) - Transfer data elsewhere
  6. Right to Object (Article 21) - Stop certain processing
  7. Rights Related to Automated Decision (Article 22)
  8. Right to Withdraw Consent (Article 7(3))

Who Can Exercise These Rights?

These rights apply to:

  • EU/EEA residents regardless of citizenship
  • Individuals physically present in the EU when data is processed
  • Children (with age requirements, typically 16)
  • Representatives acting on behalf of individuals

1. Right of Access (Article 15)

The right of access, also known as "subject access request," allows individuals to obtain confirmation that their data is being processed and access their personal data.

What It Covers

Individuals can request:

  • Confirmation that their data is being processed
  • Copy of their personal data
  • Purpose of processing
  • Categories of data concerned
  • Recipients or categories of recipients
  • Retention period or criteria for determining it
  • Source of the data (if not from the individual)
  • Existence of automated decision-making
  • Logic involved in automated processing
  • Significance and consequences of processing

How to Exercise

Data subjects can make requests through:

  • Written requests (email, letter, form)
  • Online account portals
  • Customer service channels
  • Verifiable identity confirmation may be required

Business Obligations

  • Respond within one month
  • Provide information in electronic format (if request is electronic)
  • Not charge a fee for the first copy
  • May charge reasonable fee for additional copies
  • Verify identity before providing information

2. Right to Rectification (Article 16)

The right to rectification allows individuals to have inaccurate personal data corrected and incomplete data completed.

What It Covers

  • Correction of inaccurate data
  • Completion of incomplete data
  • Updating outdated information
  • Adding missing context or supplementary information

Important Considerations

  • You must rectify data without undue delay
  • You must inform any recipients of the correction
  • Recipients must also correct the data
  • This applies to both automated and manual processing

Note

Rectification is different from erasure. Rectification ensures accuracy; erasure removes data entirely. If the data cannot be proven accurate, erasure may be the appropriate response.

3. Right to Erasure (Article 17)

The right to erasure, often called the "right to be forgotten," allows individuals to request deletion of their personal data under certain circumstances.

When It Applies

Data must be erased when:

  • Data is no longer necessary for the original purpose
  • Individual withdraws consent (and no other legal basis exists)
  • Individual exercises right to object (and there are no overriding legitimate grounds)
  • Data was unlawfully processed
  • Erasure is necessary for legal compliance
  • Data relates to a child (for services offered directly to children)

Exceptions

Erasure is NOT required when processing is necessary for:

  • Exercising right of freedom of expression and information
  • Compliance with a legal obligation
  • Reasons of public interest in the area of public health
  • Archiving purposes in the public interest
  • Establishment, exercise, or defense of legal claims

Important Notes

  • You must erase without undue delay
  • Inform recipients of the erasure
  • Consider data "shared" with third parties and notify them
  • May need to anonymize rather than fully delete in some cases

4. Right to Restriction (Article 18)

The right to restriction allows individuals to limit how their data is used while disputes about accuracy or processing are resolved.

When It Applies

Restriction must be applied when:

  • Individual contests accuracy of data (while verification occurs)
  • Processing is unlawful but erasure is opposed
  • Controller no longer needs data but individual needs it for legal claims
  • Individual has objected to processing (while verification occurs)

What Happens When Data Is Restricted

  • Data may only be stored, not further processed
  • Data can be used for legal claims protection
  • You must mark the data as restricted
  • You must inform recipients of the restriction
  • You must inform individual before lifting restriction

Restriction vs. Erasure

Restriction is a temporary measure that halts processing while issues are resolved. It preserves the data for potential future use while addressing the individual's concerns. Erasure permanently removes the data.

5. Right to Portability (Article 20)

The right to portability allows individuals to receive their personal data in a structured, commonly used, machine-readable format and transfer it to another controller.

When It Applies

Portability applies when:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

What Must Be Provided

  • Personal data in structured, commonly used format
  • Machine-readable format (JSON, CSV, XML)
  • Data provided by the individual
  • Data processed automatically

Key Points

  • Must respond within one month
  • Transfer directly to another controller when technically feasible
  • Does not apply to processing necessary for tasks carried out in public interest
  • Does not affect the right to erasure

6. Right to Object (Article 21)

The right to object allows individuals to stop certain types of processing, particularly processing based on legitimate interests or public interest.

When It Applies

Individuals can object to processing based on:

  • Legitimate interests
  • Performance of a task in public interest
  • Direct marketing (absolute right)
  • Processing for scientific/historical research or statistical purposes

How to Handle Objections

  • For marketing: Stop immediately upon objection
  • For other processing: Must demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms
  • Can continue processing for legal claims

Marketing Is Different

The right to object to direct marketing is absolute. You must stop processing for marketing purposes immediately upon objection, with no ability to override this. Always provide a clear opt-out in all marketing communications.

7. Rights Related to Automated Decision-Making (Article 22)

These rights protect individuals from decisions made solely by automated processing that have significant effects, including profiling.

What Is Covered

Individuals have rights regarding:

  • Automated individual decision-making (solely automated)
  • Profiling that produces legal effects
  • Profiling that significantly affects the individual

When It Applies

These rights apply to decisions that:

  • Are based solely on automated processing
  • Produce legal effects or similarly significant effects
  • Examples: Credit decisions, employment decisions, algorithmic pricing

Exceptions

Automated decision-making is permitted when:

  • Necessary for contract performance
  • Explicitly authorized by law
  • Based on explicit consent with safeguards

Required Safeguards

  • Right to human intervention
  • Right to express point of view
  • Right to challenge the decision
  • Appropriate measures to protect rights

Response Timelines

GDPR sets strict deadlines for responding to data subject requests:

Right Response Deadline Extension
Right of Access 1 month +2 months (complex requests)
Right to Rectification 1 month +2 months (complex requests)
Right to Erasure 1 month +2 months (complex requests)
Right to Restriction Without undue delay One month to inform of lifting
Right to Portability 1 month +2 months (complex requests)
Right to Object Without undue delay Stop marketing immediately
Automated Decisions Within timeframe of request N/A

Key Points About Timelines

  • Start counting from when the request is received
  • Complex requests can extend deadline by 2 months
  • Must inform individual of extension within first month
  • If you don't respond, this is a violation
  • Count calendar days, not business days

Enforcement and Penalties

Failure to comply with data subject rights can result in significant consequences:

Regulatory Penalties

  • Tier 1: Up to €10 million or 2% of global annual revenue
  • Tier 2: Up to €20 million or 4% of global annual revenue
  • For more details, see our GDPR Fines Guide

Individual Remedies

Individuals can also:

  • Bring court action against controllers/processors
  • Seek compensation for material/non-material damage
  • Lodge complaints with supervisory authorities

Analyze Your Privacy Policy

Use PolicyLens to verify your privacy policy properly addresses all GDPR data subject rights and demonstrates your compliance commitments.

Analyze Your Policy Free