The eight GDPR data subject rights
The GDPR gives individuals eight enforceable rights over their personal data, set out in Chapter 3 (Articles 15–22). Organisations must be able to recognise and act on each request — usually within one month. This reference lists all eight rights with the granting Article, what the person can ask for, and the conditions or exceptions that qualify the right.
All eight rights at a glance
| Article | Right | What it means |
|---|---|---|
| 13–14 | Right to be informed | Clear information about processing at collection point |
| 15 | Right of access (SAR) | Receive a copy of personal data held and supplementary info |
| 16 | Right to rectification | Correct inaccurate or complete incomplete data |
| 17 | Right to erasure (right to be forgotten) | Delete data in qualifying circumstances |
| 18 | Right to restriction of processing | Pause processing while a dispute is resolved |
| 20 | Right to data portability | Receive data in machine-readable format; transmit to another controller |
| 21 | Right to object | Stop processing based on legitimate interests or direct marketing |
| 22 | Rights re: automated decisions | Not be subject to solely automated decisions with significant effects |
How to handle an incoming request
A subject access request (SAR) or other data rights request can arrive in any form — email, letter, phone call, or social media message. The response process follows these steps:
1. Receive and timestamp. The one-month clock starts when you receive the request, not when you confirm it or verify identity. Note the date immediately.
2. Verify identity. You are allowed to request reasonable evidence of identity before providing data, to prevent disclosure to the wrong person. Do not ask for more than is necessary.
3. Identify the scope. For a SAR (Article 15), the individual may ask for all data, or limit the scope. Clarifying the scope is allowed; asking questions to narrow an overly broad request is acceptable, but this pauses the clock only if you genuinely need the information to process the request.
4. Compile and respond. Provide the data itself, plus the supplementary information required by Article 15: the purposes of processing, the categories of data, the recipients, the retention period, information about the individual’s rights, and the right to lodge a complaint with a supervisory authority.
5. Deadline management. Respond within one calendar month. Complex or numerous requests may be extended by up to two further months, but you must notify the individual of the extension within the original one-month window and explain why.
When you can refuse or charge
Requests that are manifestly unfounded or excessive — particularly if repetitive — may be refused or responded to with a reasonable fee. The burden of demonstrating this lies with you as the controller. You must still inform the requester that you are refusing and why, and you must inform them of their right to complain to a supervisory authority.
Erasure: the most misunderstood right
The “right to be forgotten” (Article 17) applies in six specific circumstances:
- Data is no longer necessary for the purpose it was collected
- The individual withdraws consent (where consent was the only lawful basis)
- The individual objects under Article 21 and there are no overriding legitimate grounds
- Data was unlawfully processed
- Erasure is required for compliance with a legal obligation
- Data was collected from a child for information society services
It does not apply — and you may refuse — where processing is necessary for freedom of expression, compliance with a legal obligation, public interest tasks, archiving/research purposes, or the establishment/exercise/defence of legal claims.
Tips and notes
- Default deadline is one calendar month from receipt of the request, with no minimum notice period — start work immediately.
- Most requests must be free of charge; administrative fees only for manifestly excessive or repetitive requests.
- Portability (Article 20) applies only to consent or contract-based processing, carried out by automated means — not to processing under legitimate interests.
- Keep records of all requests received, your response, timing, and any refusals for accountability purposes under Article 5(2).