Data subject rights under EU GDPR — all eight
EU GDPR gives individuals eight distinct rights over their personal data. Each requires an operational procedure — not just a policy statement — and most must be responded to within one calendar month. National DPAs across the EU receive large volumes of complaints about failure to respond to data subject rights requests, and enforcement fines have been issued against organisations of all sizes.
1. Right of access — Article 15
Individuals have the right to obtain confirmation that their data is being processed and, if so, to receive a copy along with supplementary information about the processing. Responses must be provided free of charge within one calendar month. See How to handle a Subject Access Request for detailed guidance.
2. Right to rectification — Article 16
Individuals have the right to have inaccurate personal data corrected without undue delay, and to have incomplete data completed. Third parties to whom data has been disclosed must be notified of the rectification unless impossible or disproportionate.
3. Right to erasure — Article 17
Individuals can request erasure where data is no longer necessary for the original purpose; consent is withdrawn and no other lawful basis exists; the processing was unlawful; or erasure is required by EU or member state law. Article 17(3) exemptions apply — most relevantly, where retention is required by law (such as AML retention obligations), or for legal claims. Each request must be assessed individually and the outcome documented.
4. Right to restriction — Article 18
Individuals can request that processing is restricted — data stored but not otherwise used — where they contest accuracy; processing is unlawful but they prefer restriction to erasure; the controller no longer needs the data but the individual does for legal claims; or they have objected pending assessment.
5. Right to data portability — Article 20
Individuals can receive the personal data they have provided in a structured, commonly used, machine-readable format and transmit it to another controller. This right applies only where processing is based on consent or contract and is carried out by automated means. It is most relevant for consumer-facing digital services.
6. Right to object — Article 21
Individuals can object to processing based on legitimate interests or public task at any time. Processing must stop unless compelling legitimate grounds are demonstrated that override the individual’s interests. Where processing is for direct marketing, the right to object is absolute — processing must stop immediately with no assessment of overriding grounds.
7 & 8. Rights related to automated decisions — Article 22
Individuals have the right not to be subject to decisions based solely on automated processing producing legal or similarly significant effects. Where such processing occurs, specific conditions must be met and safeguards provided, including human review and the ability to contest decisions.
Operational procedures
Each right requires a documented procedure: a process for recognising rights requests in any format; identity verification; response deadline tracking; exemption assessment; and a log of each request and its outcome. National DPAs do not accept the argument that a request was not recognised as a formal rights request when the communication clearly conveyed that the individual wanted access to, correction of, or deletion of their data.
Note: application of EU GDPR obligations may vary under member state law. Confirm with a practitioner familiar with the relevant jurisdiction.