GDPR grants individuals eight fundamental rights over their personal data. For businesses, handling these requests correctly is not optional — failure to respond within deadlines or applying rights incorrectly has triggered significant fines across Europe. This guide covers every right, with practical workflows for handling requests.
The 8 Data Subject Rights Under GDPR
| Right | GDPR Article | Response Deadline | Can You Charge? |
|---|---|---|---|
| Right of access | Art. 15 | 1 month | Free; a reasonable fee only for further copies (Art. 15(3)) |
| Right to rectification | Art. 16 | 1 month | Free |
| Right to erasure | Art. 17 | 1 month | Free |
| Right to restriction | Art. 18 | 1 month | Free |
| Right to data portability | Art. 20 | 1 month | Free |
| Right to object | Art. 21 | 1 month | Free |
| Automated decision rights | Art. 22 | 1 month | Free |
| Right to withdraw consent | Art. 7(3) | No statutory deadline; takes effect on withdrawal, and withdrawing must be as easy as giving consent | Free |
The one-month deadline comes from Art. 12(3): respond without undue delay and at the latest within one month of receipt, extendable by two further months for complex or numerous requests provided you tell the requester, with reasons, within the first month. Under Art. 12(5) every right is free to exercise; only where a request is manifestly unfounded or excessive (for example, repetitive) may you charge a reasonable fee or refuse, and the burden of showing that lies with you.
1. Right of Access (Article 15) — DSAR
The most common request. Data subjects can ask you to confirm whether you process their data and, if so, receive a copy of all personal data along with information about your processing.
You must provide:
- A copy of all personal data you hold about them
- The purposes of processing
- Categories of data concerned
- Recipients or categories of recipients
- The retention period or, where that cannot be stated, the criteria used to determine it
- The source of the data (if not collected directly from them)
- Whether automated decision-making, including profiling, is used, with meaningful information about the logic involved and its significance and envisaged consequences
- Whether the data is transferred to a third country or international organisation, and the safeguards applied (Art. 46)
- Their other rights: rectification, erasure, restriction, objection, and the right to lodge a complaint with a supervisory authority
Format: Provide data in a commonly used electronic format (JSON, CSV, PDF). If the request was made electronically, respond electronically unless they request otherwise.
2. Right to Rectification (Article 16)
Data subjects can request correction of inaccurate data or completion of incomplete data. This is straightforward: verify the claim and update your records.
- Verify identity before making changes
- Update data across all systems (including backups and processors)
- Notify each recipient you've disclosed the data to, including processors, unless this proves impossible or involves disproportionate effort, and tell the subject who those recipients are if they ask (Art. 19)
- Confirm the rectification to the requester
3. Right to Erasure — "Right to Be Forgotten" (Article 17)
Perhaps the most well-known right. Data subjects can request deletion when:
- Data is no longer necessary for the original purpose
- They withdraw consent (and no other legal basis applies)
- They object to processing under Art. 21
- Data was unlawfully processed
- Data must be erased for legal compliance
- Data was collected from a child in the course of offering online services directly to them (Art. 8(1)), and the subject can still invoke this ground as an adult
Exceptions — you can refuse erasure when data is needed for:
- Freedom of expression and information
- Legal obligations (tax records, employment law)
- Public health purposes
- Archiving in the public interest, research, or statistics
- Establishment, exercise, or defense of legal claims
Important: If you've made the data public, you must take "reasonable steps" to inform other controllers processing the data that the data subject has requested erasure.
4. Right to Restriction of Processing (Article 18)
A less common but important right. The data subject can request that you stop processing (but not delete) their data when:
- They contest the accuracy of data (while you verify)
- Processing is unlawful but they prefer restriction over erasure
- You no longer need the data but they need it for legal claims
- They have objected under Art. 21 (while you verify legitimate grounds)
During restriction you may still store the data, but may otherwise process it only with the subject's consent, for the establishment, exercise or defence of legal claims, to protect the rights of another person, or for important public interest of the EU or a Member State (Art. 18(2)). You must tell the subject before lifting a restriction (Art. 18(3)).
5. Right to Data Portability (Article 20)
Data subjects can request their data in a structured, commonly used, machine-readable format and transmit it to another controller. This applies only when:
- Processing is based on consent or contract
- Processing is carried out by automated means
What to provide: data the subject provided to you. The WP29/EDPB guidelines on portability read "provided" as both data they actively entered (form submissions, profile data) and data observed from their use of the service (usage logs, device data). Data you inferred or derived from it (risk scores, segments, analytics) is outside the portability right, although it is still covered by the right of access. Use a structured, commonly used, machine-readable format such as JSON or CSV, and where technically feasible transmit it directly to the new controller (Art. 20(2)). The export must not adversely affect the rights of others, such as other people who appear in the data (Art. 20(4)).
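The distinction between what the erasure section above lets you keep and what the portability section lets you leave out is easiest to get right when every stored category carries metadata. The following is an added example, not PrivacyChecker's code or any real product's: each category is tagged with where the data came from (the Art. 20 "provided" test), its Art. 6 legal basis and any statutory retention end date (the Art. 17(3)(b) exemption). The category names, the sample record and the retention date are constructed for illustration.

```python
"""Rights-aware handling of one subject's data across stored categories.

Added example, not PrivacyChecker's code. Each category is tagged with where the
data came from (the Art. 20 "provided" test), its Art. 6 legal basis and any
statutory retention obligation (Art. 17(3)(b)). Category names, the sample record
and the retention date are constructed for illustration.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Category:
    name: str
    provenance: str                   # "provided" or "observed" (both portable) or "derived"
    legal_basis: str                  # "consent", "contract", "legitimate_interest", "legal_obligation"
    retain_until: date | None = None  # statutory retention end, e.g. tax law; None = no legal hold


# Constructed data inventory for a hypothetical web shop.
CATEGORIES = {
    c.name: c
    for c in (
        Category("profile", "provided", "contract"),
        Category("orders", "provided", "contract"),
        Category("clickstream", "observed", "consent"),
        Category("fraud_score", "derived", "legitimate_interest"),
        Category("invoices", "provided", "legal_obligation", retain_until=date(2031, 12, 31)),
    )
}

# Constructed record for one data subject.
SUBJECT = {
    "profile": {"email": "a.subject@example.com", "name": "A. Subject"},
    "orders": [{"id": "o-1", "total": 42.0}],
    "clickstream": [{"path": "/cart", "ts": "2024-03-01T10:00:00Z"}],
    "fraud_score": {"score": 0.07},
    "invoices": [{"no": "INV-7", "total": 42.0}],
}


def access_copy(record: dict) -> dict:
    """Art. 15: the full copy, derived data included, with the legal basis and
    retention for each category alongside the data itself."""
    return {
        name: {
            "data": value,
            "legal_basis": CATEGORIES[name].legal_basis,
            "retention": CATEGORIES[name].retain_until.isoformat()
            if CATEGORIES[name].retain_until else "no statutory period",
        }
        for name, value in record.items()
    }


def portability_export(record: dict) -> dict:
    """Art. 20: only data the subject provided (actively entered or observed from
    their use of the service), processed on consent or contract. Derived data
    such as the fraud score is excluded."""
    return {
        name: value
        for name, value in record.items()
        if CATEGORIES[name].provenance in ("provided", "observed")
        and CATEGORIES[name].legal_basis in ("consent", "contract")
    }


def portability_json(record: dict) -> str:
    """The same export serialised in a commonly used, machine-readable format."""
    return json.dumps(portability_export(record), indent=2, sort_keys=True)


def erase(record: dict, today: date) -> tuple[dict, list[str]]:
    """Art. 17: delete everything except categories under a live statutory
    retention obligation (Art. 17(3)(b)). Those are kept, the reason is logged,
    and they fall out of the exemption once the retention date passes."""
    remaining: dict = {}
    audit: list[str] = []
    for name, value in record.items():
        hold = CATEGORIES[name].retain_until
        if hold is not None and hold >= today:
            remaining[name] = value
            audit.append(f"retained {name}: legal obligation until {hold.isoformat()}")
        else:
            audit.append(f"erased {name}")
    return remaining, audit
```

The audit list returned by `erase` is what you keep for Art. 5(2): it records which categories were retained and why, so the retention can be revisited when the hold expires rather than silently outliving its legal basis.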
6. Right to Object (Article 21)
Data subjects can object, on grounds relating to their particular situation, to processing based on legitimate interests (Art. 6(1)(f)) or on public interest or official authority (Art. 6(1)(e)), including profiling on those bases. The burden is on you: you must stop unless you demonstrate compelling legitimate grounds that override their interests, rights and freedoms, or you need the data for the establishment, exercise or defence of legal claims.
Direct marketing: The right to object to direct marketing, including any profiling done for it, is absolute: there is no balancing test, and you must stop processing for that purpose as soon as the objection is received (Art. 21(2)-(3)). You must bring this right explicitly to the subject's attention, clearly and separately from other information, no later than your first communication with them (Art. 21(4)).
7. Automated Decision-Making Rights (Article 22)
Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them. Such decisions are only permitted when necessary for a contract with the subject, authorised by EU or Member State law, or based on the subject's explicit consent (Art. 22(2)). When you rely on the contract or consent exceptions you must put safeguards in place (Art. 22(3)) that give the subject at least:
- The right to obtain human intervention
- The right to express their point of view
- The right to contest the decision
- Meaningful information about the logic involved and the significance and envisaged consequences of the processing, which the transparency articles require you to provide proactively and on request (Arts. 13(2)(f), 14(2)(g), 15(1)(h))
DSAR Handling Workflow
Follow this step-by-step process for every data subject request:
- Step 1: Receive and log. Record the request date, type, and communication channel. The one-month clock (Art. 12(3)) starts on the day you receive the request, whatever channel it arrived through; a request does not have to mention GDPR or be addressed to your DPO to count.
- Step 2: Verify identity. Where you have reasonable doubts, ask for what is proportionate to confirm the requester is who they say they are (Art. 12(6)). Don't over-collect: a logged-in session or a reply from the registered email address often suffices, and asking for a copy of a passport should be the exception, not the default.
- Step 3: Assess scope. Determine which right is being exercised, what data is involved, and whether any exemptions apply.
- Step 4: Search all systems. Check databases, email, CRM, analytics, backups, and processors. Don't forget data held by third-party tools.
- Step 5: Fulfill or refuse. Compile the response, apply exemptions if applicable, and document your reasoning.
- Step 6: Respond within one month. If the request is complex or you have received many, you may extend by up to two further months, but you must tell the requester within the first month and give reasons (Art. 12(3)). If you refuse, explain why and tell them they can complain to the supervisory authority or seek a judicial remedy (Art. 12(4)).
- Step 7: Notify recipients. If data was rectified, erased, or restricted, inform each recipient to whom you disclosed it, including processors, unless this proves impossible or involves disproportionate effort, and tell the requester who those recipients were if asked (Art. 19).
- Step 8: Document everything. Maintain a log of all requests and responses for accountability (Art. 5(2)).
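The eight steps above come down to a small amount of state per request plus deadline arithmetic that is easy to get wrong at month ends. The following is an added example, not PrivacyChecker's code: a request ledger that logs each event, computes the Art. 12(3) deadline using the ICO's reading (the corresponding calendar date in the next month, or the last day of that month if no such date exists, rolled forward past a weekend), enforces that an extension is notified within the first month, refuses to close a request before identity is verified, and records Art. 19 recipient notifications. Public holidays are jurisdiction-specific and are deliberately not handled; request ids, channels and dates are constructed.

```python
"""DSAR ledger: logging, one-month deadline, extension and recipient notification.

Added example, not PrivacyChecker's code. Deadline arithmetic follows the ICO's
reading of Art. 12(3): the corresponding calendar date in the next month, or the
last day of that month when no such date exists, rolled forward to the next
working day. Public holidays are jurisdiction-specific and deliberately not
handled; request ids, channels and dates are constructed.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_months(start: date, months: int) -> date:
    """Calendar-month addition, clamped to the last day of the target month
    (31 Jan + 1 month = 28 or 29 Feb)."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))


def next_working_day(d: date) -> date:
    """Roll a Saturday or Sunday deadline to the following Monday."""
    while d.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        d += timedelta(days=1)
    return d


@dataclass
class DsarRequest:
    request_id: str
    received: date
    right: str                      # e.g. "Art. 15"
    channel: str                    # e.g. "email", "web form"
    identity_verified: bool = False
    extended: bool = False
    recipients_notified: list[str] = field(default_factory=list)
    events: list[str] = field(default_factory=list)  # the Art. 5(2) accountability trail

    def __post_init__(self) -> None:
        self.log(self.received, f"received {self.right} request via {self.channel}")

    def log(self, when: date, what: str) -> None:
        self.events.append(f"{when.isoformat()} {what}")

    def initial_deadline(self) -> date:
        """One month from receipt (Art. 12(3)); the clock does not wait for identity checks."""
        return next_working_day(add_months(self.received, 1))

    def deadline(self) -> date:
        """Up to two further months once an extension has been notified."""
        return next_working_day(add_months(self.received, 3 if self.extended else 1))

    def verify_identity(self, today: date, method: str) -> None:
        self.identity_verified = True
        self.log(today, f"identity verified via {method}")

    def extend(self, today: date, reason: str) -> None:
        """Art. 12(3): the extension notice, with reasons, must reach the requester within the first month."""
        if today > self.initial_deadline():
            raise ValueError("extension notice must be sent within the first month")
        self.extended = True
        self.log(today, f"extended to {self.deadline().isoformat()}: {reason}")

    def notify_recipient(self, today: date, recipient: str) -> None:
        """Art. 19: each recipient of rectified, erased or restricted data is told."""
        self.recipients_notified.append(recipient)
        self.log(today, f"notified recipient {recipient}")

    def is_overdue(self, today: date) -> bool:
        return today > self.deadline()

    def close(self, today: date, outcome: str) -> str:
        """Release nothing before identity is confirmed; record whether the deadline was met."""
        if not self.identity_verified:
            raise ValueError("identity not verified; do not release data or act on the request")
        status = "late" if self.is_overdue(today) else "on time"
        self.log(today, f"closed {outcome}, {status}")
        return status
```

Keeping `events` as an append-only list per request is the simplest form of the Art. 5(2) record: it shows when the request arrived, when identity was confirmed, when any extension was sent and to whom Art. 19 notices went, which is what a supervisory authority will ask for if the requester complains.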
Common Mistakes to Avoid
- Ignoring requests: Silence is not a valid response. Failure to respond is a direct GDPR violation.
- Missing deadlines: The period is one calendar month, not 30 days, and it runs from the day you receive the request, not from the day you finish verifying identity, so start verification immediately.
- Over-collecting for verification: Don't ask for ID documents when an email confirmation suffices.
- Forgetting processors: You must cascade erasure, rectification and restriction to your processors and other recipients (Art. 19), and your processor contracts must oblige them to assist you with data subject requests (Art. 28(3)(e)).
- Blanket refusals: Each request must be assessed individually. Blanket policies are not acceptable.
Next Steps
Make sure your website provides clear mechanisms for exercising data subject rights. Your privacy policy must list all rights and how to exercise them. PrivacyChecker audits your privacy policy for missing rights disclosures and checks that your contact mechanisms are accessible and functional.