Data Subject Rights: What Users Can Request Under GDPR
GDPR grants individuals extensive rights over their personal data. Organizations processing the personal data of people in the EU (including non-EU organizations in scope under Article 3) must honor these rights within the specified timeframes: one month for most requests.
Key Takeaways
| Point | Summary |
|---|---|
| 8 rights | Information, Access, Rectification, Erasure, Restrict Processing, Portability, Object, Automated Decision-Making |
| Response deadline | One month (extendable by two further months for complex requests) |
| Most common requests | Access (DSAR) and Erasure ("right to be forgotten") |
| Free of charge | Requests are free; a reasonable fee or a refusal is allowed only for manifestly unfounded or excessive (e.g., repetitive) requests |
| Identity verification | You may ask for the information reasonably needed to confirm identity before acting, but no more than the request warrants (Article 12(6)) |
Quick Answer: GDPR gives individuals 8 rights including access to their data, deletion, and portability. You must respond within one month. Most common: Data Subject Access Requests (DSAR) and erasure requests. Have a process ready before you receive requests.
Overview of Data Subject Rights
- Right to be Informed. Know how their data is used
- Right of Access. Get a copy of their data
- Right to Rectification. Correct inaccurate data
- Right to Erasure. Delete their data ("right to be forgotten")
- Right to Restrict Processing. Limit how data is used
- Right to Data Portability. Transfer data elsewhere
- Right to Object. Stop certain processing
- Rights Related to Automated Decision-Making. Human intervention in automated decisions
Right to Be Informed
Individuals have the right to know how their data is collected and used.
Information You Must Provide
| Information | Collected from the individual (Art. 13) | Obtained from another source (Art. 14) |
|---|---|---|
| Your identity and contact details | Yes | Yes |
| DPO contact details (if you have a DPO) | Yes | Yes |
| Purposes of processing | Yes | Yes |
| Legal basis for processing (and the legitimate interests relied on, if any) | Yes | Yes |
| Recipients or categories of recipients | Yes | Yes |
| International transfer details and safeguards | Yes | Yes |
| Retention period, or the criteria used to set it | Yes | Yes |
| Their rights, including withdrawal of consent where consent is the basis | Yes | Yes |
| Right to complain to a DPA | Yes | Yes |
| Existence of automated decision-making (including profiling), with meaningful information about the logic and consequences | Yes | Yes |
| Whether providing the data is a statutory or contractual requirement, and what happens if it is not provided | Yes | - |
| Categories of personal data obtained | - | Yes |
| Source of the data, and whether it came from publicly accessible sources | - | Yes |
Timing differs: Article 13 information is given at the point of collection; Article 14 information is given within a reasonable period, at the latest one month after obtaining the data, or at the first communication with the individual or first disclosure to a recipient if that comes sooner.
How to Communicate
- Privacy Policy: Comprehensive, always accessible
- Just-in-Time Notices: At point of collection
- Layered Approach: Summary + full details
- Clear Language: Avoid legal jargon
Right of Access (DSAR)
Individuals can request a copy of their personal data and information about processing.
What You Must Provide
| Information Required | Details |
|---|---|
| Confirmation of Processing | Yes/no if you process their data |
| Copy of Data | A copy of the personal data undergoing processing (a reasonable fee may be charged for further copies, Article 15(3)) |
| Processing Purposes | Why you're processing |
| Data Categories | Types of data |
| Recipients | Who you've shared with |
| Retention Period | How long you'll keep it |
| Their Rights | Right to rectification, erasure, etc. |
| Data Source | Where you got the data |
| Automated Decisions | Whether solely automated decision-making (including profiling) takes place, with meaningful information about the logic involved and the significance and envisaged consequences for the individual |
DSAR Response Process
Day 1: Request Received
- Log the request
- Start one-month clock
- Acknowledge receipt
Day 1-5: Verify Identity
- Confirm requester's identity
- Request additional info if needed
- The clock does not run while identity information you have reasonably requested is outstanding (ICO guidance); ask only for what is proportionate to the data you hold
Day 5-20: Gather Data
- Search all systems
- Compile personal data
- Redact third-party data
- Prepare response document
Day 20-25: Review
- Legal/compliance review
- Ensure completeness
- Apply any exemptions
Day 25-30: Respond
- Send secure response
- Document completion
- Close request
Response Timeframe
| Scenario | Deadline |
|---|---|
| Standard Request | One month |
| Complex Request | Up to three months (notify within one month) |
| Identity Verification Pending | Clock pauses |
| Manifestly Unfounded/Excessive | Can refuse or charge a reasonable fee; you must tell the requester why, and the burden of showing the request is manifestly unfounded or excessive is on you (Article 12(5)) |
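As an added example (not code from the article or from Bastion), here is how a tracking system could compute the deadlines in the table above. It assumes the calendar-month convention used in ICO guidance (the same day of the following month, or the last day of that month if that day does not exist), that the period runs from the later of receipt and the arrival of identity evidence you asked for, and that a two-month extension only counts if the individual was notified before the original one-month deadline passed. The request IDs and dates are constructed.

```python
"""DSAR deadline tracking, as an added example (not the article's or any vendor's code).

Assumptions (not from the article):
- A "month" is counted the calendar way used in ICO guidance: the same day of
  the following month, or the last day of that month if no such day exists,
  so a request received on 31 January is due on 28 (or 29) February.
- The clock does not run while identity evidence you have reasonably asked for
  is outstanding, so the period starts on the later of receipt and verification.
- An extension adds two further months to the statutory period and counts only
  if the data subject was told before the original one-month deadline passed.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date


def add_months(start: date, months: int) -> date:
    """Date `months` calendar months after `start`, clamped to that month's last day."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


@dataclass
class DsarRequest:
    request_id: str
    received: date
    identity_verified: date | None = None   # None while ID evidence is outstanding
    extension_notified: date | None = None  # day the subject was told of a 2-month extension
    completed: date | None = None

    def clock_start(self) -> date:
        """Period runs from receipt, or from the day requested ID evidence arrived."""
        if self.identity_verified is None or self.identity_verified <= self.received:
            return self.received
        return self.identity_verified

    def statutory_deadline(self) -> date:
        return add_months(self.clock_start(), 1)

    def deadline(self) -> date:
        """One month, or three if a two-month extension was notified in time."""
        base = self.statutory_deadline()
        if self.extension_notified is not None and self.extension_notified <= base:
            return add_months(self.clock_start(), 3)
        return base  # late or absent extension notice: the original deadline stands

    def status(self, today: date, warn_days: int = 5) -> str:
        if self.completed is not None:
            return "completed-late" if self.completed > self.deadline() else "completed"
        if self.identity_verified is None:
            return "awaiting-identity"  # clock paused, but keep chasing the requester
        remaining = (self.deadline() - today).days
        if remaining < 0:
            return "overdue"
        return "due-soon" if remaining <= warn_days else "open"


def escalation_report(requests: list[DsarRequest], today: date) -> dict[str, list[str]]:
    """Group request IDs by status so overdue and due-soon ones can be escalated."""
    report: dict[str, list[str]] = {}
    for req in requests:
        report.setdefault(req.status(today), []).append(req.request_id)
    return report


if __name__ == "__main__":
    # Constructed sample requests, not real data.
    sample = [
        DsarRequest("DSAR-001", date(2025, 1, 31), identity_verified=date(2025, 1, 31)),
        DsarRequest("DSAR-002", date(2025, 3, 10), identity_verified=date(2025, 3, 17),
                    extension_notified=date(2025, 4, 10)),
        DsarRequest("DSAR-003", date(2025, 3, 10)),
    ]
    for req in sample:
        print(req.request_id, "clock starts", req.clock_start(), "due", req.deadline())
    print(escalation_report(sample, date(2025, 4, 15)))
```

Because the period is counted in calendar months, the number of days you actually have varies between 28 and 31; a tracker that adds a fixed 30 days will be a day late in some months and will also silently accept an extension notice sent after the original deadline, which the code above treats as invalid.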
Right to Rectification
Individuals can request correction of inaccurate personal data.
Rectification Requirements
| Requirement | Action |
|---|---|
| Inaccurate Data | Correct without undue delay |
| Incomplete Data | Add supplementary information |
| Third Parties | Inform each recipient of the correction unless this proves impossible or involves disproportionate effort (Article 19); tell the individual who those recipients are if they ask |
| Response Time | Within one month |
Implementation
- Self-service profile editing (preferred)
- Support channel for corrections
- Process to verify corrections
- Update all systems holding the data
- Notify third parties who received the original data, unless that is impossible or a disproportionate effort (Article 19)
Right to Erasure (Right to Be Forgotten)
Individuals can request deletion of their personal data in certain circumstances.
When Erasure Applies
| Circumstance | Erasure Required |
|---|---|
| Data no longer necessary | Yes |
| Consent withdrawn | Yes |
| Object to processing (no override) | Yes |
| Unlawful processing | Yes |
| Legal obligation to erase | Yes |
| Child's data collected online | Yes |
When You Can Refuse
| Circumstance (Article 17(3)) | Erasure required? |
|---|---|
| Legal obligation to retain, or a public-interest or official-authority task (e.g., tax records) | No |
| Establishing, exercising or defending legal claims | No |
| Public health purposes | No |
| Archiving in the public interest, scientific or historical research, or statistics, where erasure would seriously impair the objective | No |
| Freedom of expression and information | No |
Erasure Implementation
Step 1: Validate Request
- Verify identity
- Check if erasure grounds apply
- Identify any exemptions
Step 2: Locate Data
- All databases
- Backups (if a backup cannot be deleted from immediately, put the data beyond use until it is overwritten and tell the individual this)
- Third-party processors
- Manual records
Step 3: Execute Deletion
- Primary systems
- Notify processors
- Delete from backups on their normal cycle and make sure a restore does not bring the deleted records back
- Document what was deleted
Step 4: Respond
- Confirm deletion
- If you had made the data public, take reasonable steps to tell other controllers processing it (Article 17(2))
- Explain any retained data, naming the exemption relied on
- Within one month
Right to Restrict Processing
Individuals can request that you stop processing their data while issues are resolved.
When Restriction Applies
| Circumstance | Action |
|---|---|
| Accuracy contested | Restrict until verified |
| Processing unlawful but user wants restriction not erasure | Restrict as requested |
| You no longer need data but user needs it for legal claims | Keep but restrict |
| User has objected pending verification | Restrict pending decision |
Restricted Data Handling
When data is restricted, you may still store it, but may otherwise process it only:
- With the individual's consent
- To establish, exercise or defend legal claims
- To protect the rights of another natural or legal person
- For reasons of important public interest of the EU or a Member State
You must tell the individual before you lift the restriction (Article 18(3)).
Right to Data Portability
Individuals can receive their data in a portable format and transmit it elsewhere.
When Portability Applies
Portability only applies when:
- Processing is based on consent or on a contract with the individual
- Processing is carried out by automated means
It covers data the individual provided to you (see below) and must not adversely affect the rights and freedoms of others, so third-party data in an export needs the same redaction care as in a DSAR response.
Portability Requirements
| Requirement | Specification |
|---|---|
| Format | Structured, commonly used, machine-readable |
| Common Formats | JSON, CSV, XML |
| Direct Transfer | To another controller if technically feasible |
| Timeframe | One month |
What Data Must Be Portable
Per Article 20 and the Article 29 Working Party Guidelines on the right to data portability (WP 242 rev.01, endorsed by the EDPB), the scope includes:
| Category | Examples | Portable? |
|---|---|---|
| Data actively provided | Form submissions, uploaded files, profile information | Yes |
| Data observed from use | Search history, location data, transaction logs, heart-rate readings from wearables | Yes |
| Inferred or derived data | Credit scores, health inferences, behavioral predictions, user segments | No |
Important nuance: The boundary between "observed" and "inferred" data requires case-by-case assessment. Raw activity logs are typically portable; analytics or scores derived from that activity are not. When in doubt, consult the WP29 guidelines or seek legal advice for edge cases.
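As an added example (not code from the article or from Bastion), the following builds an Article 20 export from an account record whose fields carry a provenance tag. The tag names (provided, observed, inferred), the third-party key names, the manifest wording and the sample account data are all assumptions chosen for illustration; a real system would derive the tags from its data map.

```python
"""Article 20 export, as an added example (not the article's or any vendor's code).

Assumption (not from the article): each stored field is tagged with how it was
obtained ("provided", "observed" or "inferred"). Provided and observed data is
exported as JSON; inferred data is left out but named in a manifest so the
response can say what was withheld and why. Keys that identify other people
inside observed records are redacted rather than exported.
"""
import json
from dataclasses import dataclass
from typing import Any

PROVENANCE = {"provided", "observed", "inferred"}
PORTABLE = {"provided", "observed"}
# Assumed key names for data about someone other than the data subject.
THIRD_PARTY_KEYS = {"counterparty_email", "counterparty_name"}
REDACTED = "[redacted: third-party data]"
WITHHELD_REASON = "inferred or derived data is outside Article 20"


@dataclass(frozen=True)
class StoredField:
    name: str
    provenance: str  # "provided" | "observed" | "inferred"
    value: Any


def redact_third_parties(value: Any) -> Any:
    """Recursively replace third-party identifiers, keeping the record structure."""
    if isinstance(value, dict):
        return {k: (REDACTED if k in THIRD_PARTY_KEYS else redact_third_parties(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact_third_parties(v) for v in value]
    return value


def build_export(subject_id: str, fields: list) -> dict:
    """Split a record into the portable payload and a manifest of withheld fields."""
    data: dict = {}
    withheld: list = []
    for f in fields:
        if f.provenance not in PROVENANCE:
            # Untagged data must not leak into an export by default.
            raise ValueError(f"{f.name}: unknown provenance {f.provenance!r}")
        if f.provenance in PORTABLE:
            data[f.name] = redact_third_parties(f.value)
        else:
            withheld.append({"field": f.name, "reason": WITHHELD_REASON})
    return {
        "subject_id": subject_id,
        "format": "application/json",
        "data": data,
        "not_included": withheld,
    }


def export_json(subject_id: str, fields: list) -> str:
    """Machine-readable export; sorted keys keep repeated exports diffable."""
    return json.dumps(build_export(subject_id, fields), indent=2,
                      sort_keys=True, ensure_ascii=False)


# Constructed sample record, not real data.
SAMPLE_FIELDS = [
    StoredField("email", "provided", "alice@example.com"),
    StoredField("display_name", "provided", "Alice"),
    StoredField("search_history", "observed", ["running shoes", "gdpr dsar template"]),
    StoredField("transactions", "observed", [
        {"id": "t1", "amount": "12.50", "counterparty_email": "bob@example.com"},
    ]),
    StoredField("credit_score", "inferred", 712),
    StoredField("marketing_segment", "inferred", "high-value"),
]

if __name__ == "__main__":
    print(export_json("user-123", SAMPLE_FIELDS))
```

The export keeps the transaction log (observed data) but not the credit score or segment derived from it, and the counterparty's address is redacted in place so the individual still receives a complete, consistent record of their own activity.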
Right to Object
Individuals can object to certain types of processing.
Processing You Must Stop (Absolute Right)
| Processing Type | User Can Object |
|---|---|
| Direct Marketing | Always. Must stop immediately |
| Profiling for Marketing | Always. Must stop immediately |
Processing You May Continue (Conditional)
| Processing Type | When You Can Continue |
|---|---|
| Legitimate interests or public task (Article 6(1)(e) or (f)) | Only if you can demonstrate compelling legitimate grounds that override the individual's interests, rights and freedoms, or the processing is needed for legal claims; the burden is on you |
| Research/Statistics | Only if the processing is necessary for a task carried out for reasons of public interest |
Objection Handling
Direct Marketing Objection:
- Stop processing immediately
- No assessment needed
- Confirm to user
Other Objections:
- Assess if compelling grounds exist
- Document assessment
- Either stop processing OR explain compelling grounds to user
Rights Related to Automated Decision-Making, Including Profiling
Article 22 GDPR gives individuals rights regarding decisions based "solely on automated processing, including profiling," that produce legal effects or similarly significantly affect them.
What Is Profiling?
Profiling is defined in Article 4(4) as any form of automated processing of personal data that uses the data to evaluate certain personal aspects of a natural person, in particular to analyse or predict aspects such as performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Common examples of profiling include:
- Credit scoring - Evaluating creditworthiness based on financial history
- Behavioral analysis - Predicting interests or behavior from browsing patterns
- Performance evaluation - Assessing employee productivity through automated metrics
- Health risk assessment - Analyzing health data to predict medical outcomes
When These Rights Apply
- Decision based solely on automated processing (no meaningful human involvement)
- Includes profiling activities
- Produces legal or similarly significant effects
- Examples: Automated loan decisions, automated hiring rejection, insurance premium calculations
User Rights
| Right | Description |
|---|---|
| Information | Be told about automated processing |
| Human Intervention | Request human review of decision |
| Express View | Explain their point of view |
| Contest Decision | Challenge the automated outcome |
Exceptions
Solely automated decisions with legal or similarly significant effects are allowed only when (Article 22(2)):
- Necessary for entering into or performing a contract with the individual
- Authorized by EU or Member State law that lays down suitable safeguards
- Based on the individual's explicit consent
Under the contract and consent exceptions you must still provide, at a minimum, the right to obtain human intervention, to express a point of view and to contest the decision (Article 22(3)). Such decisions may not be based on special-category data unless explicit consent or a substantial public interest basis applies and suitable safeguards are in place (Article 22(4)).
Building a DSAR Response System
| Component | Purpose |
|---|---|
| Intake Channel | Receive and log requests |
| Identity Verification | Confirm requester's identity |
| Data Discovery | Find all personal data |
| Response Template | Consistent, compliant responses |
| Tracking System | Monitor deadlines |
| Escalation Process | Handle complex requests |
How Bastion Helps
Handling data subject rights efficiently requires well-designed processes and the ability to locate data across your systems quickly. Working with experienced partners helps ensure your approach is both compliant and operationally sustainable.
| Challenge | How We Help |
|---|---|
| DSAR Management | Streamlined workflows for handling requests efficiently |
| Data Discovery | Support in mapping where personal data resides across your systems |
| Response Templates | Pre-built response formats that address GDPR requirements |
| Deadline Tracking | Systems for monitoring response deadlines and escalating when needed |
| Documentation | Evidence collection to demonstrate compliant handling |
Building robust rights-handling processes with expert support helps avoid the scramble that often occurs when organizations receive their first complex DSAR without preparation.
Looking for help establishing data subject rights processes? Talk to our team →
Sources
- GDPR Chapter III: Rights of the Data Subject - Articles 12-23 of the GDPR
- ICO Guide to Individual Rights - UK Information Commissioner's Office guidance
- EDPB Guidelines on Data Subject Rights - European Data Protection Board guidelines
- Article 15 GDPR: Right of Access - Official text on access requests
- Article 17 GDPR: Right to Erasure - Official text on the "right to be forgotten"
