Data subject rights are the tools individuals can use to understand, challenge and control how organisations use their personal data. Under the GDPR, these rights affect customer service, HR, marketing, product design, vendor management and dispute handling.
A strong process for handling data subject requests is therefore not only a legal requirement. It is a practical control for reducing complaints, improving data quality and showing that the organisation understands its own data flows.
First published: 10 December 2018. Last updated: 26 May 2026.
This article has been refreshed to reflect current EDPB guidance, recent CJEU case law and practical developments in how organisations handle data subject rights requests.
The 8 GDPR data subject rights
The GDPR gives individuals eight rights to protect their privacy. The controller must provide information about these rights before the data is collected, and again whenever the individual requests it. The individual’s right under Article 7 GDPR to withdraw consent to a specific use is sometimes presented as a separate data subject right.
The 8 data subject rights are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights about automated decision making and profiling.
1. Right to be informed
What is the right to be informed?
Individuals have a right to be informed about how their data is collected and used. Data controllers have to give clear and concise information to individuals, including what information is collected and used, its purposes, retention periods, and with whom the information will be shared. This privacy information must be very easy to understand and easily accessible to the individual.
GDPR defines the right to be informed in articles 12-14.
What do we need to do now?
You must provide the information at the time you collect personal data from the individual. If you obtain personal data from other sources, you must serve those individuals with your privacy information within a reasonable period and no later than one month.
The privacy information you serve your data subjects must always be kept up to date. Review the information regularly and always inform the data subjects of any changes in your use of data or your processes before you actually start collecting the data.
The right to be informed is a key element of the GDPR. When you master this right, you typically have a high level of trust with your customers and employees and are less exposed to complaints and reputational damage.
2. The right of access
What is the right of access?
Individuals have the right to access and receive a copy of their personal data, including metadata. Such a request is called a subject access request or “SAR”. Data controllers must provide this access free of charge and in an accessible format.
GDPR defines the right to access in article 15.
How can we recognise a request?
Individuals can put forward their SAR either verbally or in writing, including engaging with the controller on social media channels.
Note that a request does not need to include the words “subject access request” or the like to be a valid request. Hence, you may need to train your staff that interacts with customers or employees on how to identify a request.
It is possible to make a SAR on behalf of someone else. Ensure that the third party is entitled to act for the individual. It is their responsibility to provide evidence of their authority.
What do we need to do now?
Data controllers receiving a SAR must:
- Respond without undue delay and in any event within one month of receiving the request. Where necessary, the period may be extended by two further months because of the complexity of the request or the number of requests from the same individual, but the individual must be informed of the extension and the reasons within the first month.
- Secure the identification of the individual first. The time limit does not start to run until you have received the identification information you requested.
- Perform a reasonable search for the requested information.
- Review and, if possible, restrict and redact the information before you provide a copy to the individual – the right to access is not absolute – you must also respect the privacy of others and company trade secrets.
- Provide the information in an accessible, concise and intelligible format.
- Securely disclose the information, taking precautions concerning the level of sensitivity of the actual data.
Can we ask for ID?
You must be satisfied that you know the identity of the individual exercising their rights. The level of identification should be proportionate to the sensitivity of the data covered by the request. Strong authentication is not always required, though in some settings, such as healthcare, it is a must.
Can we charge a fee?
No, not usually. Typically, making a request is free of charge. However, if the same individual makes repetitive requests or requests that are manifestly unfounded or excessive, you may charge a reasonable fee.
Can we refuse to comply with the SAR?
A controller receiving a SAR cannot usually refuse to provide the information. If an exemption or restriction applies, or if a request is manifestly unfounded, you may refuse a SAR.
Check with your Data Protection Officer or legal department on how to respond to a SAR.
Exemptions from complying with a SAR
Where certain exemptions apply, you do not need to comply with a SAR. Examples include (not an exhaustive list):
- legal professional privilege
- management information
- negotiations with the individual requesting a SAR
- confidential references
Note that there are special rules for SARs and certain categories of data, such as:
- unstructured manual records,
- credit files,
- health data
- educational data
- social work data
What happens if we do not comply with the SAR request?
If you do not comply with a valid request, the individual may complain to the supervisory authority, seek a court order requiring compliance, or claim compensation where the GDPR requirements for damage are met.
Your supervisory authority may also take action against you if your organisation breaches the GDPR.
Key 2023-2025 developments
Recent case law and regulatory guidance have made the access right more operationally demanding. Controllers may need to identify actual recipients of personal data, not only categories of recipients, and provide copies or extracts where context is needed for the individual to understand the processing. The EDPB has also emphasised that controllers should have documented procedures, request logs and proportionate identity checks.
3. The right to rectification
What is the right to rectification?
Individuals have the right to have inaccurate personal data rectified or completed if the data is incomplete. A request may be made verbally or in writing. The right to rectification underpins the principle of accuracy (Article 5(1)(d)) of the GDPR and is a safeguard against discriminatory treatment.
GDPR defines the right to rectification in article 16.
When is data inaccurate?
The GDPR has no formal definition. In case law, personal data is treated as inaccurate if it is incorrect or misleading as to any matter of fact.
What do we need to do now?
The data controller has one month to act on a request. You must take reasonable steps to ensure that the information you hold on an individual is accurate. If personal data is used to make significant decisions, you must make a greater effort to check its accuracy.
What should we do if we are confident that the data is accurate?
If you believe that the data you hold is indeed accurate, let the individual know. Explain that you will not be amending the information and inform the individual of their right to make a complaint to the competent supervisory authority. You should also inform about the individual’s ability to seek enforcement through a judicial remedy.
Can we refuse to comply with the request for rectification?
Normally, you have to comply with the request. You can refuse a request for rectification only when certain circumstances apply, such as, for example, unsubstantiated claims of inaccuracy, manifestly unfounded claims or excessive claims.
4. The right to erasure (right to be forgotten)
What is the right to erasure?
The GDPR introduced a right for individuals to have their data deleted. This right is sometimes referred to as the “right to be forgotten”. This right is not an absolute right and can be limited in certain situations.
The right only applies to data held at the time the request is received. You may still have the right to use data that may be created in the future.
GDPR defines the right to erasure in article 17.
When does the right to erasure apply?
You must comply with a request and delete data if:
- the personal data you hold is no longer necessary for the purpose for which you originally collected or used it
- you are relying on consent as the legal basis, and the individual has withdrawn their consent
- you are relying on legitimate interest as the legal basis for processing, and the individual is successful in their objection to the processing of their data
- you are processing the data for direct marketing purposes, and the individual objects to that processing
- you are processing the data unlawfully
- you have to delete data to comply with a legal obligation or
- you have processed the data to offer information society services to a child.
When does the right to erasure not apply?
You are entitled to hold data if it is necessary to comply with a legal obligation.
How to identify a request to delete?
The GDPR does not require a certain form. The individual can state the request verbally or in writing to any point of contact in your organisation (even on social media channels). Your organisation should have processes to identify and properly manage a deletion request.
What time limit applies for managing a deletion request?
You have one month from the date of the receipt of the request to respond to the individual.
Can we extend the time for a response?
Yes, if you can demonstrate that the request is complex and that you are making a reasonable effort.
Do we have to tell other organisations to delete data?
Yes, you must tell other organisations to delete the data if you have shared the data with others or the data has been made public in an online environment. You must take reasonable steps to ensure that relevant data gets deleted. You must share information on any recipients with the individual if asked.
If it would entail a disproportionate effort, there are exceptions to this right that may be applicable. Seek legal counsel as to what to do in your situation.
Do we need to delete data from our backup systems?
Yes, if a valid request is received and no exemption to retain data exists, you must delete data from backup systems as well as the production environment.
Backup systems should be included in the erasure process. In practice, immediate deletion from all backups may not always be technically feasible. Where that is the case, the data should be put beyond use, protected from restoration into live systems, and deleted when the backup is overwritten under the normal backup cycle.
You must put the backup data “beyond use”. You must not be able to use such data for other purposes until it is replaced in line with your established schedule.
Can we refuse to comply with a deletion request?
You may rely on an exemption to the right to erasure if the circumstances allow. You can also refuse to comply with a request if it is:
- manifestly unfounded or
- excessive.
Notable case-law
On what a controller may require of a deletion request, see the case IMY vs Google (2022).
5. The right to restrict processing
What is the right to restrict processing?
In certain circumstances, individuals may request that the use of their data be limited. Restriction means that the data controller has to stop processing the data for certain purposes. It is an alternative to requesting deletion of the data.
GDPR defines the right to restrict data processing in article 18.
When does the right to restrict processing apply?
Typically, you will be obliged to restrict the processing of certain data:
- while you verify the accuracy of the data;
- where the data has been unlawfully used, and the individual opposes erasure and requests restriction as an alternative;
- where you no longer need the data, but the individual needs you to retain it to establish, exercise or defend a legal claim; or
- where the individual has objected to processing based on your legitimate interest, and you are still determining whether your legitimate grounds override those of the individual.
How do we restrict the processing of personal data?
There are several methods you can use to restrict the further use of personal data; which method is appropriate depends on the circumstances. You can, for example:
- temporarily move the personal data to another system;
- restrict user access to the data; or
- temporarily remove published data from a website.
What can we do with restricted data?
You can continue to store the data; however, you must not do anything else. The restriction is most often a temporary solution while you determine if any wrongdoing or mistake has occurred or respond to the data subjects’ concerns.
If you should take action on data that is restricted, it requires:
- the individual’s consent
- that the action you seek is to defend legal claims or protect the rights of another person or company, or
- it is for reasons of important public interest.
Do we have to tell other organisations about the restriction of data?
Yes, you must tell other organisations to restrict the data if you have shared the data with others or the data has been made public in an online environment. You must take reasonable steps to ensure that relevant data gets restricted. You must share information on any recipients with the individual if asked.
If it would entail a disproportionate effort, there are exceptions to this right that may be applicable. Seek legal counsel as to what to do in your situation.
When can the restriction be lifted?
Normally, the restriction of further processing of certain personal data is temporary. Most often, a request for restriction is made on the basis that:
- The individual has questioned the accuracy of the data, and you are investigating this claim; or
- The individual has objected to your processing of specific personal data that you carry out on the basis of legitimate interest, and you are considering whether your interests override the individual’s (reviewing your Legitimate Interest Assessment).
Once you have come to a decision, you may decide to lift the restrictions placed on personal data. Note that you must inform the individual before you lift the restrictions.
6. The right to data portability
What is the right to data portability?
Data subjects have the right to data portability. Portability means that the data controller has to transfer personal data when asked. Data subjects can request that the data be transferred either to themselves or to another controller. The other controller may be a company that provides a service that the data subject wants to use. The controller only has to fulfil this request if it’s technically possible.
GDPR defines the right to data portability in article 20.
7. The right to object
What is the right to object?
Individuals have the right to object to the processing of their data in certain circumstances. An objection may be made in writing or verbally.
An objection can concern all data or certain information or relate to a specific purpose. The individual has an absolute right to stop direct marketing based on personal data.
GDPR defines the right to object in article 21.
What do we need to do now?
Generally, data controllers have to stop processing personal data once a valid objection is received. Typically, there is no need to delete all data; in most cases, it is preferable to suppress the individual’s details. Data suppression means retaining the information necessary to ensure that their preference not to receive direct marketing is respected.
As an exception, processing may continue due to public interest, such as scientific research.
Must we erase personal data to comply with an objection?
No, you do not have to delete all data automatically to comply with an objection to further processing. When you have received an objection to certain processing, say direct marketing, and you have no basis for refusing, you must stop, or not begin, processing data for that purpose.
This may mean that you need to delete certain information. However, you must retain the information necessary to respect the individual’s preferences in the future. In direct marketing, this is often resolved by adding the address to a so-called “master do not send list”, which ensures that the email address is not used for mass email marketing.
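The suppression approach described above, as an added example that is not part of the original article. The `MarketingStore` class, the keyed-hash (HMAC) design of the do-not-send list and the sample addresses are all constructed for illustration: the marketing profile is deleted on objection, and only a keyed hash of the normalised address is retained to block future sends and re-imports.

```python
from __future__ import annotations

import hashlib
import hmac


class MarketingStore:
    """Marketing profiles plus a do-not-send list that survives profile deletion.

    Constructed example: the suppression list stores only a keyed hash (HMAC)
    of the normalised address, so the list itself holds the minimum needed to
    honour the objection rather than a readable address book of objectors.
    """

    def __init__(self, suppression_key: bytes) -> None:
        self._key = suppression_key          # secret kept outside the marketing database
        self.profiles: dict[str, dict] = {}  # email -> marketing profile
        self._do_not_send: set[str] = set()  # HMAC tokens only, never plaintext addresses

    @staticmethod
    def normalise(email: str) -> str:
        # The same address written differently must hit the same suppression entry.
        return email.strip().lower()

    def _token(self, email: str) -> str:
        return hmac.new(self._key, self.normalise(email).encode("utf-8"),
                        hashlib.sha256).hexdigest()

    def add_profile(self, email: str, profile: dict) -> bool:
        """Add or update a marketing profile, unless the address is suppressed."""
        if self.is_suppressed(email):
            return False  # a re-import after an objection must not revive marketing
        self.profiles[self.normalise(email)] = profile
        return True

    def object_to_direct_marketing(self, email: str) -> None:
        """Handle an objection: stop marketing, keep only what is needed to remember it."""
        self._do_not_send.add(self._token(email))
        # Delete the marketing profile itself; only the suppression token is retained.
        self.profiles.pop(self.normalise(email), None)

    def is_suppressed(self, email: str) -> bool:
        return self._token(email) in self._do_not_send

    def campaign_recipients(self, candidates: list[str]) -> list[str]:
        """Filter a campaign list against the do-not-send list before any send."""
        return [e for e in candidates if not self.is_suppressed(e)]


def demo() -> dict:
    """Walk through an objection on constructed sample data."""
    store = MarketingStore(suppression_key=b"constructed-demo-key-rotate-in-production")
    store.add_profile("ana@example.org", {"segment": "newsletter", "last_open": "2026-01-10"})
    store.add_profile("bo@example.org", {"segment": "promotions"})

    store.object_to_direct_marketing("Ana@Example.org")  # objection arrives in mixed case

    return {
        "profile_deleted": "ana@example.org" not in store.profiles,
        "suppressed": store.is_suppressed("ana@example.org"),
        "reimport_blocked": not store.add_profile("ana@example.org", {"segment": "bought-list"}),
        "recipients": store.campaign_recipients(
            ["ana@example.org", "bo@example.org", "cy@example.org"]),
    }


if __name__ == "__main__":
    print(demo())
```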
8. Rights concerning automated decision-making and profiling
What is automated individual decision-making and profiling?
Automated individual decision-making means decisions without any human involvement. Examples can include:
- A bank’s decision to award a loan or not based on an online process; and
- An aptitude test using preprogrammed algorithms and criteria to sort through job applicants and decide who will receive a job interview.
GDPR defines rights concerning automated decision-making and profiling in Article 22.
Automated decision-making need not include profiling, but it often does.
GDPR defines profiling as:
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
Article 4(4) GDPR
Since the CJEU’s SCHUFA judgment in December 2023, organisations should be cautious about scoring and automated recommendations that are heavily relied on by another party. Even if the final decision is formally taken by a human or another organisation, Article 22 may still be relevant where the score has a decisive or strong influence on the outcome.
What does GDPR regulate?
The individual has the right to know of and object to any entirely automated decision-making. The individual can also object to where information about the individual is used to create a comprehensive profile about the individual (“profiling”).
GDPR restricts automated decision-making to protect individuals (Article 22 GDPR). Automated decision-making is only allowed if it is: necessary for a contract, authorised by national law, or based on the individual’s explicit consent.
When can we use automated decision-making?
The use of automated decision-making is restricted. It is only allowed to use this technology if the decision is:
- necessary for a contract with the individual at hand
- authorised by law, for example for the prevention of tax evasion or fraud
- based on the individual’s explicit consent.
If special category data is used, you can only use the data if:
- you have the individual’s explicit consent, or
- the use is necessary for reasons of substantial public interest.
What do we need to consider to be able to use automated decision-making?
GDPR defines automated decision-making, including profiling, as a high-risk activity, meaning you have to perform a risk assessment. A Data Protection Impact Assessment (DPIA) is required to demonstrate your compliance with the GDPR, show which risks you have identified and how you will mitigate such risks.
Besides the impact assessment, under Article 22(1) GDPR, you must also:
- Inform the individuals of the logic involved in the decision-making process, as well as the consequences for the individual;
- Use appropriate statistical or mathematical procedures;
- Ensure that individuals can: (a) get human intervention, (b) express their point of view, (c) get an explanation of the decision and challenge it;
- Protect the outcome by having appropriate technical and organisational measures in place to correct inaccuracies and minimise the risk of errors; and
- Secure personal data proportionate to the risk and interests of the individual to prevent discriminatory effects.
You must always identify and record the processing in the records of processing (e.g. lawful basis, categories of data, internal and external recipients of the data etc.).
Can we ask for ID?
You must be satisfied that you know the identity of the individual exercising their rights. The level of identification should be proportionate to the sensitivity of the data covered by the request. Strong authentication is not always required, though in certain cases, such as healthcare, it is a must.
Can we charge a fee for complying with the data subject rights?
No, not usually. Normally, making a request is free of charge. However, if the same individual makes repetitive requests or requests that are manifestly unfounded or excessive, you may charge a reasonable fee.
Can we refuse to comply with the data subject rights request?
Normally, you have to comply with the request. You can refuse a request only when certain circumstances apply, such as, for example, unsubstantiated claims, manifestly unfounded claims or excessive claims.
What is manifestly unfounded?
Supervisory authority guidance treats a request as manifestly unfounded only in limited circumstances, for example where the request is clearly malicious, abusive or not genuinely intended to exercise a GDPR right:
- The individual has no intention of exercising their data subject rights.
- The request is malicious in intent and is being used to harass an organisation without a real purpose, for example, when (a) the individual has stated in the request or in other communications that they intend to cause disruption; or (b) the request makes unsubstantiated claims of wrongdoing by your organisation or specific employees; (c) the request is targeting an employee with whom the requestor has a personal grudge; or (d) the individual systematically sends different data subject rights requests as part of a campaign, to cause disruption.
What is an excessive claim?
A request to exercise any of the individual data subject rights under the GDPR can be excessive if:
- The request repeats the substance of the previous requests, or
- it overlaps with other requests.
It depends on the circumstances and the request if it is considered excessive.
You may still be obliged to comply with a data subject rights request even if the individual:
- Requests the same subject matter again. There may be new perspectives, or the controller may have mishandled the previous request.
- Makes a request that overlaps with, rather than repeats, an earlier one.
- Has previously submitted requests that were excessive or manifestly unfounded.
Minimum process checklist
- One intake route, but staff trained to recognise requests from any channel.
- Identity check proportionate to the data and risk.
- Internal owner and escalation path.
- Search checklist covering core systems, backups, vendors and archives.
- Redaction process for third-party data, privileged and confidential information.
- Response templates that are adapted to the request, not used blindly.
- Request log recording dates, scope, decisions, exemptions and response.
- Periodic testing of whether the process works in practice.
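The request-log entry from the checklist above, with the timing rules from the right of access section (one month counted once identity is verified, one extension of up to two further months notified with reasons within the first month), as an added example that is not part of the original article. The `DsarRecord` class and its field names are constructed for illustration; the month arithmetic clamps to the end of the target month, an edge case the page does not spell out.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month (31 Jan + 1 = 28 Feb)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class DsarRecord:
    """One entry in the request log: dates, scope, decisions, exemptions and response."""

    request_id: str
    right: str                                  # e.g. "access", "erasure", "objection"
    received: date
    scope: str
    identity_verified: Optional[date] = None    # the clock starts only once this is set
    extension_notified: Optional[date] = None   # date the extension notice was sent
    extension_reason: str = ""
    decisions: list[str] = field(default_factory=list)
    exemptions: list[str] = field(default_factory=list)
    responded: Optional[date] = None

    def initial_deadline(self) -> Optional[date]:
        # One month, counted from verification of identity, not from receipt.
        if self.identity_verified is None:
            return None
        return add_months(self.identity_verified, 1)

    def deadline(self) -> Optional[date]:
        base = self.initial_deadline()
        if base is None or self.extension_notified is None:
            return base
        return add_months(base, 2)  # up to two further months after a valid extension

    def extend(self, notified_on: date, reason: str) -> date:
        """Record an extension; valid only if notified, with reasons, within the first month."""
        base = self.initial_deadline()
        if base is None:
            raise ValueError("cannot extend before identity is verified")
        if not reason.strip():
            raise ValueError("extension must state the reason")
        if notified_on > base:
            raise ValueError("extension must be notified within the first month")
        if self.extension_notified is not None:
            raise ValueError("only one extension is allowed")
        self.extension_notified = notified_on
        self.extension_reason = reason
        return self.deadline()

    def is_overdue(self, today: date) -> bool:
        d = self.deadline()
        return d is not None and self.responded is None and today > d

    def days_remaining(self, today: date) -> Optional[int]:
        d = self.deadline()
        return None if d is None else (d - today).days


if __name__ == "__main__":
    # Constructed walk-through: received mid-January, identity verified on 31 January.
    rec = DsarRecord("constructed-0001", "access", date(2026, 1, 15), "all customer records")
    rec.identity_verified = date(2026, 1, 31)
    print("initial deadline:", rec.initial_deadline())
    print("after extension:", rec.extend(date(2026, 2, 20), "complex, several systems in scope"))
```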
2026 update: What has changed in practice?
Data subject rights are no longer a purely administrative GDPR topic. Access, erasure, objection and automated decision-making requests are increasingly used in disputes, employment matters, platform complaints, customer exits and regulator investigations. Organisations should treat data subject requests as an operational process, not as one-off legal correspondence.
1. Access requests: expect more detail and better documentation
The right of access has received significant attention from courts and regulators. The EDPB’s final Guidelines 01/2022 explain how controllers should handle access requests in practice, including scope, format, identity checks, excessive requests, and how to provide information clearly. In 2025, the EDPB also published the results of its coordinated enforcement action on right of access implementation, highlighting the need for internal procedures, request logs and case-by-case handling rather than standard responses.
For businesses, the practical message is simple: keep a request playbook, know where personal data sits, document your decisions, and make sure front-line teams can recognise a request even when the words “GDPR” or “subject access request” are not used.
2. Recipients may need to be named
Where an individual asks who their personal data has been disclosed to, controllers should be prepared to provide the actual recipients, not only broad categories, unless it is impossible or the request is manifestly unfounded or excessive. This follows the CJEU’s judgment in RW v Österreichische Post on Article 15 GDPR.
Operationally, this means vendor registers, CRM integrations, support tools, payroll providers, analytics tools and group-company disclosures need to be mapped well enough to answer the question.
3. A “copy” of personal data may require context
The right to obtain a copy of personal data does not always mean sending every document, email or database extract. However, the CJEU has clarified that copies of extracts, documents, or database records may be required where necessary for the individual to understand the personal data being processed.
This underscores the importance of redaction and review workflows. Controllers need to protect third-party rights, trade secrets and privileged material, but cannot use those concerns as a reason to give an empty or unhelpful response.
4. Automated decisions and scoring need special attention
The CJEU’s SCHUFA judgment confirmed that automated scoring may fall within Article 22 of the GDPR where a third party relies heavily on that score to make a decision affecting the individual.
Any organisation using automated scoring, eligibility checks, fraud tools, ranking systems or automated rejection logic should review whether individuals are given meaningful information, whether human review is genuine, and whether the process has been assessed in a DPIA.
5. Erasure, restriction and objection requests must be technically executable
The right answer is rarely “delete everything”. Businesses often need to retain limited data for legal claims, accounting, security, suppression lists or regulatory obligations. The important point is to distinguish between deletion, restriction, suppression and retention.
A mature process should answer four questions quickly:
- what data is in scope;
- what systems and vendors hold it;
- what must be deleted, restricted or retained; and
- how the decision is evidenced.
Practical takeaway
A good data subject rights process is not only a privacy compliance measure. It reduces complaint risk, improves data hygiene, reveals weak data maps and gives the business a clearer view of how personal data actually moves through its systems.