Organisations processing personal data under the GDPR must, in most cases, respond to data subject rights requests within one month, provide information free of charge unless a limited exception applies, and maintain procedures that allow people to exercise their rights.
• GDPR establishes eight data subject rights, and organisations must have documented procedures to handle requests for each one.
• The standard response deadline is one month from receipt; complex cases allow a two-month extension with prior notification.
• Responses must generally be free of charge and provided in clear, accessible language, although a reasonable fee may be charged or the request refused where it is manifestly unfounded or excessive.
• Data controllers bear primary responsibility for fulfilling rights requests; data processors must support them in meeting these obligations.
• The right to object to direct marketing is absolute: once someone objects, processing for that purpose must stop immediately, with no balancing test required.
This guide covers each of the eight rights, sets out your compliance obligations, and provides practical steps for handling requests at scale.

The GDPR establishes eight core rights that give individuals control over their personal data, including the right to access, correct, delete, and transfer it to another provider.
The eight rights are: the right to be informed, the right of access, the right to rectification, the right to erasure (right to be forgotten), the right to restriction of processing, the right to data portability, the right to object, and the right not to be subject to solely automated decision-making.
Data controllers determine why and how personal data is processed and bear primary responsibility for fulfilling these rights. Data processors act on controllers’ instructions and must support compliance.
These rights apply when your organisation is established in the EU, or when it offers goods or services to people in the EU or monitors their behaviour within the EU. The GDPR’s extraterritorial reach can therefore apply to organisations based outside the EU.
Every organisation needs clear procedures for receiving, verifying, and responding to data subject requests. Poor handling leads to complaints, regulatory scrutiny, and financial penalties.
The standard time limit is one month from receipt of the request. For complex requests, or where an individual makes multiple requests, you may extend by up to two additional months, provided you inform the data subject within the first month and explain why the extension is necessary.
Organisations that lack proper systems for managing personal data and rights requests face greater regulatory exposure when complaints or investigations arise.
Best practices for deadline management: log every request with a receipt timestamp, assign clear ownership immediately, set reminders at day 14, day 21, and day 28, and track extension notifications separately.
Before releasing personal data or making changes, confirm the requester is who they claim to be. Disclosing data to the wrong person creates a breach.
Verification methods include matching request details against existing account information, requesting proportionate ID documentation, using existing authentication systems for online platform users, and asking security questions based on data already held. If you have reasonable doubts about identity, request additional information. Where you reasonably need additional information to identify the requester, the response period runs from the time that information is received. Document every verification step.
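The deadline and verification rules above (one month from receipt, the clock starting only once identity information is received, a two-month extension that must be notified within the first month, reminders at day 14, 21 and 28) can be encoded in a small tracker. This is an added example, not code from the original guide or from GDPRLocal; the class and function names are hypothetical, and "one month" is assumed to mean one calendar month, clamped to the last day of a shorter month.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


def add_months(d: date, months: int) -> date:
    """Add calendar months; a 31st lands on the last day of a shorter month (assumption)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class RightsRequest:
    request_id: str
    received: date                              # receipt timestamp from the request log
    identity_confirmed: Optional[date] = None   # when proportionate ID information arrived
    extension_notified: Optional[date] = None   # when the data subject was told of an extension
    extension_months: int = 0                   # 0, 1 or 2 additional months

    def clock_start(self) -> date:
        # The period runs from receipt of the information needed to identify the requester.
        return self.identity_confirmed or self.received

    def base_deadline(self) -> date:
        return add_months(self.clock_start(), 1)

    def extension_valid(self) -> bool:
        # An extension is only usable if it is at most two months and the data subject was
        # notified within the first month; otherwise the original deadline stands.
        if self.extension_months == 0:
            return True
        if not 1 <= self.extension_months <= 2 or self.extension_notified is None:
            return False
        return self.clock_start() <= self.extension_notified <= self.base_deadline()

    def deadline(self) -> date:
        if self.extension_months and self.extension_valid():
            return add_months(self.clock_start(), 1 + self.extension_months)
        return self.base_deadline()

    def reminders(self) -> List[date]:
        # Internal checkpoints at day 14, 21 and 28 of the running period.
        return [self.clock_start() + timedelta(days=n) for n in (14, 21, 28)]

    def is_overdue(self, today: date) -> bool:
        return today > self.deadline()
```

A request received on 31 January therefore falls due on 28 or 29 February, and an extension notified after the first month does not move the deadline.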
Responses must use clear, plain language. Avoid legal jargon or technical terminology that obscures meaning. For requests submitted electronically, respond electronically unless the data subject requests otherwise. Provide data in structured, commonly used formats such as PDF for documents and CSV or JSON for datasets.
Information must be provided free of charge. You may charge a reasonable fee only where requests are manifestly unfounded or excessive, or where a data subject requests further copies beyond the first.
Transparency is the foundation of data protection. Before or at the point of collecting personal data, organisations must inform data subjects about the key facts of their processing.
The information required includes your identity and contact details, the contact details for your Data Protection Officer if applicable, the purposes and legal basis for processing, the categories of recipients, details of any transfers to third countries, retention periods, and the data subject’s rights, including the right to complain to a supervisory authority.
Where data is collected indirectly, provide this information within a reasonable period and at the latest within one month, or earlier if you communicate with the person or disclose the data to another recipient before then. A layered privacy notice works well in practice: present the key information up front, with links to full details for those who want them.
Data subjects can submit a subject access request to confirm whether their personal data is being processed and, if so, to receive a copy along with information about how it is used.
A full response must include a copy of the personal data, the purposes of processing, the categories of data concerned, recipients or categories of recipients, retention periods, information about the data subject’s other rights, the source of data if not collected directly, and information about any automated decision-making, including the logic involved.
Where data involves multiple people, such as email threads or shared records, you may redact information about others to protect their rights. The first copy must be provided free of charge. For further copies, you may charge a reasonable fee based on administrative costs.
Data subjects can require inaccurate personal data to be corrected without undue delay and can request that incomplete data be completed through a supplementary statement.
Assess accuracy against the purpose for which you hold the data. A historical research database may retain information that is no longer current, but a customer database should reflect accurate present-day details. When you correct data, inform any third parties who received the original, where possible. Maintain records of what was corrected, when, and who was notified.
Data subjects can request deletion of their personal data in specified circumstances, but this right is not absolute, and several exceptions allow organisations to retain data despite a request.
Grounds for an erasure request include: data is no longer necessary for its original purpose; the data subject withdraws consent; no other legal basis applies; the data subject objects and no overriding legitimate interest exists; processing is unlawful; or a legal obligation requires deletion.
Erasure may be refused where processing is necessary for exercising freedom of expression, for compliance with a legal obligation, for public health purposes, for archiving in the public interest, or for establishing, exercising, or defending legal claims. Effective erasure requires organisations to address personal data across relevant live systems and to manage backups and redundant systems in line with their retention, restoration, and deletion policies.
In four specific circumstances, data subjects can require you to stop processing their data while you retain it; restriction is therefore different from erasure.
The four circumstances are: accuracy is contested while you verify; the data subject prefers restriction over erasure despite unlawful processing; you no longer need the data, but the data subject requires it for legal claims; or an objection is pending while you assess whether legitimate interests override.
During restriction, you may store the data but must not process it further except with consent, for legal claims, or to protect another person’s rights. Notify third parties who received the data about restrictions. When you lift a restriction, inform the data subject before resuming processing.
Data portability lets individuals move their information between service providers. It applies when processing is based on consent or contract and carried out by automated means.
You must provide data in a structured, commonly used, machine-readable format such as JSON, XML, or CSV. Where technically feasible, the data subject has the right to have personal data transmitted directly from one controller to another at their request.
Portability does not cover data you inferred or derived, processing not based on consent or contract, or processing carried out in the public interest. Redact third-party information before any transfer to protect others’ rights.
Data subjects can object to processing based on legitimate interests, public tasks, or direct marketing, and the right to object to direct marketing is absolute.
Where the objection is to legitimate interests or public task processing, you must stop processing unless you can demonstrate compelling legitimate grounds that override the individual’s interests, or processing serves the establishment, exercise, or defence of legal claims.
Direct marketing is different: if someone objects to it, stop immediately. No balancing test applies. Inform data subjects of their right to object at the first communication and present it clearly, separate from other information.
People have the right not to be subject to decisions made solely by automated means that produce legal effects or similarly significant effects on them.
Examples include automated credit decisions, algorithmic hiring rejections, and insurance risk profiling affecting premiums. Exceptions apply when automated decision-making is necessary for a contract, authorised by law, or based on explicit consent.
Where exceptions apply, you must still provide the data subject with the opportunity to obtain human intervention, express their view, and contest the decision. Automated decision-making involving sensitive personal data requires explicit consent or a substantial public-interest justification.
Sustainable compliance with data subject rights requires designated responsibility, trained staff, technical systems, and documented workflows, not just policy documents.
Designate responsible staff. Someone must own data subject rights compliance. Larger organisations appoint Data Protection Officers; smaller ones can assign this to existing roles with appropriate training and authority.
Build technical systems. Manual tracking fails at scale. Purpose-built software can log requests automatically, track deadlines, generate response templates, document verification steps, and produce audit trails.
Create standardised workflows. Map each of the eight rights to a documented procedure with decision trees for common scenarios. Conduct quarterly reviews of completed requests to identify delays, refusals, and complaints.
Managing requests across fragmented systems, balancing rights with business operations, and handling complex multi-right requests are the three challenges that trip up most organisations.
Managing requests across multiple systems: personal data often spans CRM, email, backups, and third-party platforms. Map your data landscape before requests arrive and maintain an updated inventory so staff know where to search.
Balancing rights with business operations: some requests conflict with legitimate interests or legal obligations. Document your reasoning when refusing or limiting responses; the burden of justification falls on you.
Handling complex requests: a single request may simultaneously invoke access, portability, and erasure. Address each right separately within the response and use the two-month extension only when genuinely needed.
Do data subject rights apply to employees? Yes. All eight rights apply to any individual whose personal data you process, including current and former employees. Employment records, performance reviews, payroll data, and disciplinary files are all within the scope of a subject access request.
Can you charge for responding to a request? Generally, no. Responses to rights requests should be free of charge. A reasonable fee may be charged, or the request refused, where it is manifestly unfounded or excessive; a reasonable fee may also be charged for additional copies of personal data requested under the right of access.
What if you doubt the requester's identity? If you have reasonable doubts about identity, you can request additional information proportionate to the sensitivity of the data. Where you reasonably need additional information to identify the requester, the response period runs from the point at which you receive the information needed to proceed.
About the Author
Ana Mishova
Sales and Business Development Consultant — GDPRLocal
Ana focuses on helping organisations understand their compliance obligations and find the right data protection solutions. At GDPRLocal she works closely with businesses of all sizes, making GDPR and privacy compliance clear, practical, and accessible.