GDPR fundamentally changed the relationship between organisations and the individuals whose data they hold. At the centre of that change is a set of nine individual rights that give data subjects meaningful control over their personal data — not as aspirational principles, but as legally enforceable entitlements with specific timelines, procedural requirements, and remedies. For organisations, these rights are not optional features to implement when convenient. They are legal obligations that must be operationalised before any processing begins.
This article covers each of the nine rights, explaining what the right actually entitles a data subject to do, what the organisation is required to do in response, the statutory timeline for response, and the common operational failures that turn manageable rights requests into regulatory complaints. Article 2.4 and Article 3.6 address the deeper operational mechanics — how to build the procedures, verification processes, and infrastructure that make rights responses routine.
The Response Timeline: One Calendar Month
Article 12(3) establishes the standard response timeline for all data subject rights requests: one calendar month from receipt of the request. This is not a business month or a working month — it is a calendar month, counting from the day the request is received. If the request is received on 15 March, the response is due by 15 April.
Where the request is complex or the organisation receives a large number of requests simultaneously, Article 12(3) allows a single extension of two further months. The organisation must notify the data subject of the extension within one calendar month of receiving the request, explaining the reasons for the delay. Failure to respond within the timeline — whether one month or three months where extension applies — is itself a GDPR violation.
Responses must be provided free of charge. The organisation can charge a reasonable fee or refuse to act only where a request is ‘manifestly unfounded or excessive’ — a high threshold that DPAs interpret narrowly. Organisations that routinely charge for rights responses or refuse requests as excessive face regulatory scrutiny.
Right 1: The Right to Be Informed (Articles 13 and 14)
The right to be informed is the right to receive clear, transparent information about how personal data is collected and used. This right is fulfilled at the point of data collection through the privacy notice — not in response to a request. Articles 13 and 14 specify the information that must be provided: the identity and contact details of the controller; the purposes and legal bases for processing; the legitimate interests relied on (where relevant); any recipients of the data; details of any international transfers; retention periods; the existence of the other seven rights; the right to lodge a complaint with a supervisory authority; and whether provision of data is statutory or contractual and the consequences of failing to provide it.
Article 13 applies where data is collected directly from the data subject — the information must be provided at the time of collection. Article 14 applies where data is obtained from other sources — the information must be provided within one month of obtaining the data, or at the time of first communication with the data subject if earlier.
Right 2: The Right of Access (Article 15)
The right of access gives data subjects the right to obtain confirmation of whether an organisation processes their personal data, and if so, access to that data along with supplementary information about the processing: the purposes; the categories of data; the recipients or categories of recipients; the storage period; the existence of other rights; the right to lodge a complaint; the source of the data if not collected from the data subject; and the existence of any automated decision-making including profiling.
The organisation must provide a copy of the personal data being processed. The first copy is free. Subsequent copies may attract a reasonable administrative fee. Responses must be provided in a ‘concise, transparent, intelligible and easily accessible form, using clear and plain language’.
Access requests are among the most operationally demanding rights requests. They require the organisation to search across all systems and records — databases, email, documents, logs, backups — for every piece of personal data relating to the data subject. Organisations without a comprehensive data map struggle to respond accurately and completely. Third-party data (data about other individuals that would be revealed by the response) must be redacted before the response is provided.
| KEY IDEA | A data subject access request is not just a request for a data export. It requires a comprehensive search across all processing systems, identification of all personal data held, and a response that includes the supplementary processing information. Organisations that respond with a database extract from one system while holding data in five others are not meeting the obligation. |
Right 3: The Right to Rectification (Article 16)
The right to rectification gives data subjects the right to have inaccurate personal data corrected without undue delay. It also includes the right to have incomplete personal data completed, including by means of providing a supplementary statement. The controller must correct or complete the data and, where the data has been shared with third parties, notify those third parties of the rectification unless this is impossible or involves disproportionate effort.
Operationally, rectification requires the organisation to have processes for receiving correction requests, verifying the accuracy of the current data versus the claimed correction, updating the data across all systems where it is held, and notifying any processors or third-party recipients to whom the data has been disclosed. Maintaining a data map that identifies where each type of personal data is stored is essential for complete rectification.
Right 4: The Right to Erasure (Article 17) — The ‘Right to Be Forgotten’
The right to erasure — often referred to as the right to be forgotten — gives data subjects the right to have their personal data deleted without undue delay in specific circumstances. Article 17(1) lists those circumstances: the data is no longer necessary for the purpose it was collected for; the data subject withdraws consent and there is no other lawful basis; the data subject objects under Article 21 and there are no overriding legitimate grounds; the data has been unlawfully processed; the data must be erased to comply with a legal obligation; or the data was collected in relation to the offer of information society services to a child.
Critically, Article 17(3) sets out significant exemptions. The right to erasure does not apply where processing is necessary for exercising the right of freedom of expression and information; for compliance with a legal obligation; for public interest in the area of public health; for archiving, research, or statistical purposes; or for the establishment, exercise, or defence of legal claims.
Where erasure applies, the organisation must delete the data from all systems — including backups, archives, and processing systems maintained by processors. It must also notify third parties to whom the data has been disclosed. Technical erasure — actual deletion, not merely suppression or deactivation — is required. Pseudonymisation does not satisfy an erasure obligation.
| IMPORTANT | The right to erasure is not absolute. Organisations frequently receive erasure requests that they are entitled — or obliged — to refuse: where they need the data to defend legal claims, comply with regulatory retention requirements, or fulfil a contract that has not been completed. The response to an erasure request must assess the applicable conditions and exemptions, document the assessment, and explain the outcome clearly to the data subject. |
Right 5: The Right to Restriction of Processing (Article 18)
The right to restriction gives data subjects the right to require an organisation to restrict the processing of their personal data — to retain it but not actively use it — in specific circumstances. Article 18(1) identifies four: the data subject contests the accuracy of the data (restriction applies while accuracy is verified); the processing is unlawful but the data subject prefers restriction to erasure; the controller no longer needs the data but the data subject requires it for legal claims; or the data subject has objected under Article 21 pending verification of whether the controller’s legitimate grounds override the data subject’s objection.
During restriction, the data may be retained but can only be processed with the data subject’s consent, for legal claims, for protection of another person’s rights, or for public interest reasons. The controller must inform the data subject before lifting a restriction.
The technical implementation of restriction is non-trivial: the organisation must be able to ‘flag’ personal data to prevent its use while retaining it, across all systems where it is held. This requires system capability that many organisations have not built and have not tested.
Right 6: The Right to Data Portability (Article 20)
The right to data portability gives data subjects the right to receive personal data they have provided to a controller in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. The right also includes the right to have data transmitted directly between controllers where technically feasible.
Two conditions limit the portability right. First, it applies only where the processing is based on consent or contract — not where it is based on legitimate interests, legal obligation, or other bases. Second, it applies only to processing carried out by automated means. Manual filing systems are not subject to portability requirements.
Portability applies to data ‘provided by’ the data subject — data the individual actively submitted, or data generated by their activity (click data, location data, purchase history). It does not apply to data the controller has generated about the data subject through its own analysis (inferred data, risk scores, recommendations). The format requirement — structured, commonly used, machine-readable — means CSV, JSON, or XML rather than PDF or proprietary formats.
Right 7: The Right to Object (Article 21)
The right to object gives data subjects the right, on grounds relating to their particular situation, to object to processing based on legitimate interests (Article 6(1)(f)) or public task (Article 6(1)(e)), including profiling on those bases. Upon receiving an objection, the controller must stop processing unless it can demonstrate compelling legitimate grounds that override the data subject’s interests, rights, and freedoms, or unless the processing is for the establishment, exercise, or defence of legal claims.
Article 21(2) provides a separate, absolute right to object to processing of personal data for direct marketing purposes — including profiling for direct marketing. This right has no ‘compelling grounds’ override. Once a data subject objects to direct marketing, processing for that purpose must stop immediately and unconditionally.
| KEY IDEA | The right to object to direct marketing is the one data subject right with no exceptions and no discretion. An organisation that continues to send marketing communications to a data subject who has objected — even once — is in clear violation of GDPR. Building robust opt-out mechanisms and ensuring they are applied across all marketing channels and systems is a basic compliance requirement. |
Where an objection is received for processing based on legitimate interests, the organisation must suspend processing and conduct a fresh balancing assessment. If the assessment demonstrates compelling legitimate grounds — grounds that were not fully appreciated when the LIA was originally conducted — processing may continue. The assessment must be documented, and the outcome communicated to the data subject.
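As an added illustration (not code from the original article), the following Python gate enforces the Article 18 restriction flag described under Right 5 together with the two kinds of Article 21 objection under Right 7, so that every use of a subject's data is checked against the retained flags before it proceeds. The flag names, purpose strings, lawful-basis labels and the LIA reference are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Purposes that remain permitted while an Article 18 restriction is in force
RESTRICTION_ALLOWED = {"data_subject_consent", "legal_claims", "protect_others_rights", "public_interest"}
# Lawful bases against which an Article 21(1) objection can be raised
OBJECTABLE_BASES = {"legitimate_interests", "public_task"}


@dataclass
class SubjectFlags:
    """Hypothetical control flags stored alongside one data subject's records."""
    subject_id: str
    restricted: bool = False                   # Article 18: retain the data but do not use it
    restriction_ground: str = ""               # e.g. "accuracy contested"
    subject_informed_of_lifting: bool = False  # must be true before the flag is cleared
    marketing_objected: bool = False           # Article 21(2): absolute, applies on every channel
    objected_purposes: Set[str] = field(default_factory=set)          # Article 21(1) objections
    overriding_grounds: Dict[str, str] = field(default_factory=dict)  # purpose -> documented LIA outcome


def can_process(flags: SubjectFlags, purpose: str, basis: str) -> Tuple[bool, str]:
    """Gate every use of the data; returns (allowed, reason) for the request log."""
    if purpose == "direct_marketing" and flags.marketing_objected:
        return False, "Article 21(2) objection: stop immediately, no override"
    if flags.restricted and purpose not in RESTRICTION_ALLOWED:
        return False, f"Article 18 restriction in force: {flags.restriction_ground}"
    if purpose in flags.objected_purposes and basis in OBJECTABLE_BASES:
        if purpose == "legal_claims":
            return True, "Article 21(1): legal claims carve-out"
        grounds = flags.overriding_grounds.get(purpose)
        if grounds:
            return True, f"Article 21(1): documented compelling grounds: {grounds}"
        return False, "Article 21(1) objection: suspended pending fresh balancing assessment"
    return True, "no restriction or objection applies"


def lift_restriction(flags: SubjectFlags) -> bool:
    """Lifting is only permitted once the data subject has been informed."""
    if not flags.restricted or not flags.subject_informed_of_lifting:
        return False
    flags.restricted, flags.restriction_ground = False, ""
    return True
```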
Right 8: Rights in Relation to Automated Decision-Making and Profiling (Article 22)
Article 22 gives data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. This right does not prohibit automated decision-making — it prohibits decisions that are both solely automated and legally or significantly consequential.
The exemptions to Article 22(1) are important. Automated decision-making is permissible where it is necessary for entering into or performing a contract, where it is authorised by EU or member state law, or where the data subject has given explicit consent. In each case, the controller must implement suitable safeguards: the right to obtain human intervention, the right to express their point of view, and the right to contest the decision.
Automated decision-making that uses special category data requires explicit consent or substantial public interest, even where one of the Article 22(2) exemptions applies. Credit scoring, insurance pricing decisions, recruitment screening, and content moderation decisions that significantly affect individuals all require careful Article 22 analysis. The intersection of Article 22 with the EU AI Act — which introduces additional obligations for high-risk AI systems — is discussed in Article 6.4 of this knowledge hub.
Right 9: Rights Related to Children (Article 8 and Article 22)
Children receive heightened protection under GDPR. Article 8 establishes specific conditions for consent in relation to information society services offered directly to children. Where processing relies on consent, member states may set an age of digital consent between 13 and 16. Below that age, consent must be given or authorised by the holder of parental responsibility. The controller must make reasonable efforts to verify that parental consent has been given, taking into account available technology.
More broadly, GDPR requires controllers to take into account children’s interests in the legitimate interests balancing test, in privacy by design decisions, and in communications about rights. Supervisory authorities have imposed some of the largest GDPR fines on platforms that processed children’s data without proper safeguards — including the €405 million fine against Instagram and the €345 million fine against TikTok. Processing children’s data demands a heightened compliance standard across all areas.
Implementing Rights Infrastructure: Key Requirements
Operationalising data subject rights requires four infrastructure components. First, an intake mechanism that allows data subjects to submit requests through accessible channels — online forms, email addresses, in-app features — and that creates a timestamped record of the request from the moment of receipt. The timeline starts at receipt, not at the moment staff review the request.
Second, an identity verification process. The organisation must verify that the person making the request is who they claim to be, without requiring disproportionate effort or additional personal data. Verification should be proportionate to the nature of the data involved: a standard name and email check may be sufficient for low-sensitivity data; a more robust verification may be warranted for requests involving health, financial, or other sensitive categories.
Third, a fulfilment workflow that searches all systems for relevant data, compiles the response, applies exemptions where applicable, redacts third-party data, and coordinates with any processors who hold data relevant to the request. For access requests, this workflow must be comprehensive — a response that misses data held in one system is an incomplete response.
Fourth, documentation. Every rights request — whether fulfilled, refused, or extended — must be documented. The date of receipt, the nature of the request, the action taken, the date of response, and the basis for any refusal must all be recorded. This documentation is what demonstrates compliance to a supervisory authority investigating a complaint.
| BITLION INSIGHT | Rights requests most commonly fail because of incomplete data mapping, inadequate verification processes, or missed timelines. An organisation that can produce, within 30 days, a complete and accurate response to any data subject access request — covering all data held across all systems — has achieved a level of data governance that positions it well for supervisory authority scrutiny across all GDPR obligations, not just rights fulfilment. |
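The following Python record, added here as an example and not taken from the article, ties the intake and documentation components above to the Article 12(3) timeline: it timestamps receipt, computes the one-calendar-month deadline, accepts a single two-month extension only if it is notified within the first month, and refuses to close a request as refused without a recorded basis. The class and field names are assumptions, as is the end-of-month fallback in add_calendar_months.

```python
import calendar
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

def add_calendar_months(start: date, months: int) -> date:
    """Same day of month N months on; if it does not exist (31 January + 1 month) use the
    last day of the target month. That fallback is an assumption, not a rule from the article."""
    idx = start.month - 1 + months
    year, month = start.year + idx // 12, idx % 12 + 1
    return date(year, month, min(start.day, calendar.monthrange(year, month)[1]))

@dataclass
class RightsRequest:
    """Hypothetical documentation record for one data subject rights request."""
    request_type: str                        # nature of the request, e.g. "access"
    received_at: datetime                    # clock starts at receipt, not at staff review
    extension_notified_on: Optional[date] = None
    extension_reason: str = ""
    responded_on: Optional[date] = None
    outcome: Optional[str] = None            # action taken: "fulfilled" or "refused"
    refusal_basis: str = ""

    @property
    def base_deadline(self) -> date:
        return add_calendar_months(self.received_at.date(), 1)

    @property
    def deadline(self) -> date:
        # A single extension of two further months, valid only if notified within month one
        if self.extension_notified_on is not None:
            return add_calendar_months(self.received_at.date(), 3)
        return self.base_deadline

    def extend(self, notified_on: date, reason: str) -> bool:
        """Record the one permitted extension; refuse a second, a late or an unexplained one."""
        if self.extension_notified_on or notified_on > self.base_deadline or not reason:
            return False
        self.extension_notified_on, self.extension_reason = notified_on, reason
        return True

    def close(self, on: date, outcome: str, refusal_basis: str = "") -> None:
        """Document the response; a refusal must record the basis relied on."""
        if outcome not in ("fulfilled", "refused") or (outcome == "refused" and not refusal_basis):
            raise ValueError("outcome must be fulfilled or refused, and a refusal needs a basis")
        self.responded_on, self.outcome, self.refusal_basis = on, outcome, refusal_basis

    def is_overdue(self, today: date) -> bool:
        return self.responded_on is None and today > self.deadline
```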