The 8 mandatory GDPR data subject rights, broken down

by SecureSlate Team in GDPR

GDPR gives individuals enforceable rights over their personal data. Organizations must respond without undue delay and generally within one month—with clear processes, not ad hoc inbox searches.

Key takeaways

  • GDPR Chapter III sets out eight core rights (plus related safeguards in automated decision-making).
  • Responses are usually due within one month, extendable to three months for complex requests.
  • Rights are not absolute—legal exceptions apply (e.g., legal claims, freedom of expression).
  • Effective programs use identity verification, system inventories, and templated responses.

This guide covers:

  • Summary table of all eight rights
  • Deep dive on access, correction, and deletion
  • Restriction, portability, objection, and automated decisions
  • How to build a scalable DSAR process


The eight rights at a glance

#  Right                 Article   In brief
1  Information           13–14     Receive clear privacy information when data is collected
2  Access                15        Obtain a copy of personal data and details of the processing
3  Rectification         16        Correct inaccurate or incomplete data
4  Erasure               17        Request deletion (“right to be forgotten”) where grounds apply
5  Restriction           18        Limit processing in defined circumstances
6  Portability           20        Receive data in a structured, machine-readable format; transmit it to another controller
7  Objection             21        Object to processing based on legitimate interests or for direct marketing
8  Automated decisions   22        Not be subject solely to automated decisions with legal or similarly significant effects (with exceptions)

Free of charge in most cases; excessive or repetitive requests may incur a reasonable fee or refusal with justification.


Access, rectification, and erasure

Right of access (Article 15)

Provide a copy of personal data plus metadata: purposes, categories, recipients, retention, rights, and sources. Redact third-party data where necessary.

Right to rectification (Article 16)

Correct errors promptly and notify downstream processors/recipients when required.

Right to erasure (Article 17)

Honor deletion requests unless an exception applies—common grounds include:

  • Data no longer necessary for the purpose
  • Withdrawn consent (where consent was the basis)
  • Unlawful processing
  • Legal obligation to erase

Exceptions may include freedom of expression, legal claims, public interest archiving, or compliance with law.


Restriction, portability, and objection

Restriction (Article 18): Where the individual contests the accuracy of the data, where processing is unlawful but the individual prefers restriction to erasure, or where the individual needs the data for legal claims, keep the data stored but limit any other processing.

Portability (Article 20): Applies to data provided by the individual, processed by automated means, based on consent or contract. Export in a structured, commonly used format (e.g., JSON, CSV).

Objection (Article 21): Stop processing based on legitimate interests unless compelling grounds override. Direct marketing objections must be honored immediately.

Automated decision-making (Article 22): Provide meaningful information, human review, and contestation rights when decisions produce legal or similarly significant effects—subject to exceptions and Member State rules.


Operationalizing DSAR workflows

  1. Intake — dedicated email/portal; log date received.
  2. Verify identity — proportionate checks to prevent unauthorized disclosure.
  3. Discover data — RoPA-linked systems, backups, vendors.
  4. Fulfill or refuse — document legal basis for any denial.
  5. Close and retain proof — audit trail for regulators.

Target SLAs below the legal maximum to reduce backlog risk during peak periods.
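The five steps above map naturally onto a small state machine with deadline arithmetic. The following Python is an added example, not SecureSlate's code: it computes the statutory one-month deadline (clamped to month ends, so a request received on 31 January is due on the last day of February), the two-month extension that must be decided within the first month, an assumed internal SLA of 20 days that sits below the legal maximum, an identity-verification gate that blocks disclosure until a check has passed, a refusal path that requires a documented legal basis, and an append-only audit trail for each transition. The class, field and constant names are assumptions chosen for illustration.

```python
"""Minimal DSAR tracker (added example; names and SLA values are assumptions)."""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List

STATUTORY_MONTHS = 1        # respond within one month of receipt
MAX_EXTENSION_MONTHS = 2    # extendable by two further months (three in total)
INTERNAL_SLA_DAYS = 20      # assumed internal target, below the legal maximum


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month
    (31 Jan + 1 month -> 28/29 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class DSAR:
    request_id: str
    right: str                      # e.g. "access", "erasure", "portability"
    received: date
    identity_verified: bool = False
    extended: bool = False
    status: str = "open"            # open -> fulfilled | refused
    audit: List[str] = field(default_factory=list)

    def _log(self, on: date, event: str) -> None:
        # Step 5: append-only evidence trail kept as proof for regulators
        self.audit.append(f"{on.isoformat()} {self.request_id} {event}")

    @property
    def statutory_deadline(self) -> date:
        months = STATUTORY_MONTHS + (MAX_EXTENSION_MONTHS if self.extended else 0)
        return add_months(self.received, months)

    @property
    def internal_due(self) -> date:
        return self.received + timedelta(days=INTERNAL_SLA_DAYS)

    def verify_identity(self, on: date, method: str, passed: bool) -> None:
        # Step 2: record every check, but only a passed check unlocks disclosure
        self.identity_verified = passed
        self._log(on, f"identity check via {method}: {'passed' if passed else 'failed'}")

    def extend(self, on: date, reason: str) -> None:
        # The extension must be decided (and the individual informed) within the first month
        if on > add_months(self.received, STATUTORY_MONTHS):
            raise ValueError("extension must be decided within the initial month")
        self.extended = True
        self._log(on, f"deadline extended: {reason}")

    def fulfill(self, on: date, systems_searched: List[str]) -> None:
        # Step 4 (fulfil): never disclose before identity has been verified
        if self.status != "open":
            raise ValueError(f"request already {self.status}")
        if not self.identity_verified:
            raise PermissionError("identity not verified; disclosure blocked")
        self.status = "fulfilled"
        # Step 3: the systems searched (RoPA-linked, backups, vendors) are part of the record
        self._log(on, f"fulfilled after searching {', '.join(systems_searched)}")

    def refuse(self, on: date, legal_basis: str) -> None:
        # Step 4 (refuse): a denial without a documented legal basis is not allowed
        if self.status != "open":
            raise ValueError(f"request already {self.status}")
        if not legal_basis.strip():
            raise ValueError("refusal requires a documented legal basis")
        self.status = "refused"
        self._log(on, f"refused: {legal_basis}")

    def is_overdue(self, today: date) -> bool:
        return self.status == "open" and today > self.statutory_deadline


def new_request(request_id: str, right: str, received: date) -> DSAR:
    # Step 1: intake logs the date received, which starts the clock
    req = DSAR(request_id, right, received)
    req._log(received, f"received {right} request")
    return req


if __name__ == "__main__":
    r = new_request("DSAR-001", "access", date(2024, 1, 31))   # constructed sample
    r.verify_identity(date(2024, 2, 1), "authenticated account session", True)
    r.extend(date(2024, 2, 15), "data spread across several vendor systems")
    r.fulfill(date(2024, 3, 1), ["crm", "ticketing", "cold backups"])
    print(r.statutory_deadline, r.internal_due, r.status)
    print("\n".join(r.audit))
```

Two design points worth keeping when adapting this: deadlines are computed from the recorded receipt date, never from when someone first opened the ticket, and the audit list is only ever appended to, so the trail that a regulator may ask for is produced as a side effect of doing the work rather than reconstructed afterwards.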


Get audit-ready with SecureSlate

SecureSlate helps teams track privacy controls, DSAR evidence, and cross-system ownership so rights requests do not depend on tribal knowledge.



FAQ

Can we charge for DSARs?

Usually no, unless requests are manifestly unfounded or excessive. You may refuse or charge a reasonable administrative fee in those cases.

Do processors respond directly to individuals?

Processors generally assist controllers per the DPA. Customer-facing SaaS often routes requests to the customer (controller) while providing tooling.

What format satisfies portability?

Provide data in a structured, commonly used, machine-readable format where Article 20 applies.


Disclaimer (legal note)

General information only—not legal advice. Rights and exceptions depend on specific processing contexts and EU member state implementations.

Filed under: GDPR

Author: SecureSlate Team
