Under the General Data Protection Regulation, individuals have eight distinct rights over their personal data. These are enforceable entitlements that your customers, employees, and website visitors can exercise at any time. And when they do, your business has obligations with hard deadlines attached.
This guide covers every right in detail: what each one means, when it applies, what your business must do, and where the exceptions lie.
The Core Framework: Response Timelines, Verification, and Fees
The 30-day clock. When you receive a valid request, you have one calendar month to respond. You can extend this by a further two months for complex or numerous requests, but you must notify the individual within the first month.
Identity verification. You must verify identity before responding — but don't demand disproportionate proof. For an online customer emailing from their registered address, that's usually sufficient.
Fees. Responding must generally be free. You can charge a reasonable fee where requests are manifestly unfounded or excessive, particularly where repetitive.
Refusals. If you refuse a request, you must tell the individual within one month, explain your reasons, and inform them of their right to complain to a supervisory authority.
Right 1: The Right to Be Informed
Individuals have the right to be told, at the point their data is collected, what you're doing with it and why. This is fulfilled primarily through your privacy notice.
What businesses must do: Your privacy notice must cover who you are, the purpose and legal basis for each type of processing, who you share data with, retention periods, details of third-country transfers, and the individual's rights.
Exceptions: Not required if the individual already has the information, if it would be impossible, or if it involves disproportionate effort.
Right 2: The Right of Access (DSAR)
Individuals can ask whether you hold personal data about them, and receive a copy. This is the Data Subject Access Request — the most commonly exercised right.
What businesses must do: Confirm whether you process their data and provide a copy of all personal data you hold, plus supplementary information including processing purposes, data categories, recipients, retention periods, and details of any automated decision-making.
What businesses commonly miss: "All personal data" means all personal data — emails, support tickets, call recordings, analytics profiles, access logs. You cannot cherry-pick before responding.
Exceptions: You can withhold data where disclosure would adversely affect the rights of others, where legal professional privilege applies, or where disclosure would prejudice the prevention or detection of crime.
Right 3: The Right to Rectification
Individuals can require you to correct inaccurate personal data and complete incomplete data.
What businesses must do: Correct the inaccuracy without undue delay. If you've shared data with third parties, notify them of the correction.
Exceptions: Broadly none — if data is inaccurate, you must correct it. Where there is a genuine dispute about accuracy you can add a note recording the individual's view, but you cannot ignore the request.
Right 4: The Right to Erasure (Right to be Forgotten)
Individuals can request deletion of their personal data. Widely covered — but not absolute.
When it applies: When data is no longer necessary for its original purpose; when consent is withdrawn and there's no other legal basis; when the individual objects and there are no overriding legitimate grounds; when data has been processed unlawfully.
What businesses must do: Delete data across all systems — including backups, email archives, and third-party platforms. Inform third parties with whom you've shared the data.
Exceptions: You can refuse where processing is necessary to comply with a legal obligation, for public health purposes, for archiving in the public interest, or to establish or defend legal claims.
Right 5: The Right to Restrict Processing
Individuals can require you to suspend processing of their data while keeping it stored.
When it applies: When accuracy is contested (while you verify); when processing is unlawful but the individual prefers restriction to erasure; when you no longer need the data but the individual needs it for a legal claim; when the individual has objected and you're assessing your legitimate interests.
What businesses must do: Flag restricted data clearly. Stop processing it for any purpose. Before lifting a restriction, inform the individual.
Right 6: The Right to Data Portability
Individuals can receive their personal data in a structured, machine-readable format and transmit it to another controller.
When it applies: Only where the legal basis is consent or contract performance (not legitimate interest), and processing is carried out by automated means.
What businesses must do: Provide data in a format like CSV or JSON within one month. Transmit directly to another controller where technically feasible.
What it doesn't require: Any particular format or API, and it does not require erasure of the data after porting.
Right 7: The Right to Object
Individuals can object to processing on grounds of their particular situation.
For legitimate interest processing: You must stop unless you can demonstrate compelling legitimate grounds that override the individual's interests.
For direct marketing: This is absolute. If an individual objects to marketing use of their data, you must stop. No override is available.
Key requirement: If you rely on legitimate interest, inform individuals of their right to object at the point of first contact.
Right 8: Rights Related to Automated Decision-Making and Profiling
Individuals have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
"Solely automated" is key. If a human meaningfully reviews the automated output before a decision is made, the right doesn't apply. A loan approval made entirely by algorithm is in scope; a marketing segment that a human reviews before acting on is not.
What businesses must do: Inform individuals in your privacy notice; implement suitable safeguards; give individuals the right to obtain human intervention; allow them to express their point of view and contest the decision.
Building Systems to Handle Rights Requests
Knowing the rights is step one. Building reliable processes to handle them is where most businesses fall short.
- Clear intake point: Individuals should be able to make requests easily — via email or a dedicated form. Your privacy notice must include contact details.
- Internal process: Document how requests are received, verified, triaged, responded to, and tracked.
- Data mapping: You cannot respond to a DSAR if you don't know where all your personal data lives.
- Training: Anyone who might receive a rights request needs to recognise it. "Can you tell me what information you have on me?" is a DSAR.
- Audit trail: Keep records of every rights request, your response, and your reasoning for any refusals.
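The timelines in the core framework (one month to respond, a two-month extension that must be notified within the first month, refusals communicated within one month with reasons) and the tracking and audit-trail points in the list above are exactly where ad hoc spreadsheet processes slip. The tracker below is an added example written for this guide, not code from the post's author or from Custodia; the request identifier, field names and sample dates are constructed. It implements calendar-month deadline arithmetic (including the month-end edge case), refuses to record a late extension, insists that a refusal carries reasons, and keeps an append-only audit log per request.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic. If the target month is shorter, clamp to its
    last day (31 Jan + 1 month -> 28/29 Feb), the usual reading of 'one month'."""
    month_index = d.month - 1 + n
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class RightsRequest:
    request_id: str          # constructed internal reference, e.g. "DSAR-0001"
    right: str               # e.g. "access", "erasure", "objection"
    received: date           # date the valid request arrived (identity verified)
    extended: bool = False
    closed: bool = False
    audit: list = field(default_factory=list)

    def log(self, when: date, entry: str) -> None:
        """Append-only audit trail: every action, dated, against the request."""
        self.audit.append(f"{when.isoformat()} [{self.request_id}] {entry}")

    def notify_deadline(self) -> date:
        """Last day to tell the individual about an extension or a refusal."""
        return add_months(self.received, 1)

    def deadline(self) -> date:
        """Response due date: one month, or three months if validly extended."""
        return add_months(self.received, 3 if self.extended else 1)

    def extend(self, today: date, reason: str) -> date:
        """Extend by two further months. Only valid if the individual is
        notified within the first month, so a late extension is rejected."""
        if today > self.notify_deadline():
            raise ValueError("extension must be notified within the first month")
        self.extended = True
        self.log(today, f"extended by two months; individual notified; reason: {reason}")
        return self.deadline()

    def refuse(self, today: date, reasons: str) -> None:
        """A refusal must go out within one month, with reasons and a reminder
        of the right to complain to the supervisory authority."""
        if not reasons.strip():
            raise ValueError("a refusal must record the reasons given")
        if today > self.notify_deadline():
            raise ValueError("refusal must be communicated within one month")
        self.closed = True
        self.log(today, f"refused: {reasons}; informed of right to complain "
                        "to supervisory authority")

    def complete(self, today: date, summary: str) -> bool:
        """Record the response; return True if it was delivered on time."""
        self.closed = True
        on_time = today <= self.deadline()
        self.log(today, f"responded ({'on time' if on_time else 'LATE'}): {summary}")
        return on_time


def overdue(requests, today: date):
    """Open requests whose deadline has passed: what a weekly review should surface."""
    return [r.request_id for r in requests if not r.closed and today > r.deadline()]


if __name__ == "__main__":
    # Constructed sample: a DSAR received on 31 January 2024 (a leap year).
    r = RightsRequest("DSAR-0001", "access", date(2024, 1, 31))
    print(r.deadline())                      # 2024-02-29
    r.extend(date(2024, 2, 10), "numerous requests from the same individual")
    print(r.deadline())                      # 2024-04-30
    print(overdue([r], date(2024, 5, 1)))    # ['DSAR-0001']
    for line in r.audit:
        print(line)
```

The clamping in add_months matters: a request received on 31 January cannot have a deadline of "31 February", and treating "one month" as a flat 30 days would give a different answer again. Pick one rule, document it, and apply it consistently; the audit log then shows a regulator both the rule and the dates on which each step actually happened.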
Understanding your obligations under GDPR data subject rights is one part of the picture. The other is knowing what personal data your website is actually collecting — through trackers, analytics, advertising pixels, and third-party tools — and whether you have a legal basis for each one.
Scan your website free at Custodia — no signup required. Results in 60 seconds.
This post provides general information about GDPR data subject rights. It does not constitute legal advice. Consult a qualified data protection professional for advice specific to your organisation.