Understanding GDPR data subject rights is essential for any organisation that handles the personal data of people in the European Union. The General Data Protection Regulation (EU Regulation 2016/679), applicable since 25 May 2018, gives individuals a set of enforceable rights over how their data is collected, used, shared and stored. This guide explains each right in plain language, the deadlines that apply, and the practical steps controllers should take to respond.
This article is general guidance only and is not legal advice.
What are GDPR data subject rights?
The GDPR gives individuals (called “data subjects”) control over their personal data. These rights sit alongside the regulation’s core principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. Any processing must also rest on one of the six lawful bases, such as consent, contract, legal obligation, vital interests, public task, or legitimate interests.
Rights are not absolute. Several can be limited depending on the lawful basis you rely on, the purpose of processing, and other legal obligations. The key is knowing which rights apply to a given situation and being able to act on a request quickly and consistently.
The core GDPR data subject rights at a glance
The table below summarises each right, what it means in practice, and typical limitations. Treat it as an orientation tool rather than a definitive legal test.
| Right | What it lets the individual do | Common limits or conditions |
|---|---|---|
| Right of access | Obtain confirmation that their data is processed and receive a copy plus supporting information. | Must not adversely affect the rights of others; manifestly unfounded or excessive requests may be refused or charged. |
| Right to rectification | Have inaccurate data corrected and incomplete data completed. | Applies to factual inaccuracy, not to opinions the individual disagrees with. |
| Right to erasure (“right to be forgotten”) | Have their data deleted in defined circumstances. | Does not apply where processing is needed for legal obligations, public interest, or defending legal claims. |
| Right to restriction | Limit how their data is used while a dispute or check is resolved. | Often a temporary measure pending accuracy checks or an objection. |
| Right to data portability | Receive their data in a structured, commonly used, machine-readable format and transmit it elsewhere. | Applies mainly to consent- or contract-based processing carried out by automated means. |
| Right to object | Object to certain processing, including direct marketing. | For direct marketing the objection is absolute; for legitimate interests the controller may show compelling grounds. |
| Rights around automated decisions | Not be subject to solely automated decisions with legal or similarly significant effects, including profiling. | Exceptions exist; where allowed, safeguards such as human review must be offered. |
Access and transparency
The right of access underpins the others. Individuals can ask what data you hold, why you process it, who you share it with, and how long you keep it. Being able to answer well depends on maintaining accurate records of processing and clear internal ownership of personal data.
Correcting and deleting data
Rectification and erasure work together. If data is wrong, correct it; if you have no lawful reason to keep it, delete it. Remember that erasure is conditional, so document why you did or did not delete data in each case.
Restriction, portability and objection
Restriction is a useful “pause” while you verify a claim. Portability lets people move their data between services. Objection is powerful for direct marketing, where you must stop processing on request without exception.
Responding to a request: deadlines and process
Controllers must respond to a valid request without undue delay and, in most cases, within one month. That period can be extended by up to two further months for complex or numerous requests, provided you inform the individual and explain why within the first month.
- Verify identity proportionately before disclosing data.
- Log the request and start the clock immediately.
- Search all systems, including backups and third-party processors acting on your behalf.
- Redact third-party data where disclosure would harm others’ rights.
- Respond in writing, usually free of charge, and explain any refusal and the right to complain.
Under GDPR, controllers decide the purposes and means of processing, while processors act on documented instructions. Both share responsibility for enabling rights, so contracts should set out how processors will help you meet request deadlines. Where required, appoint a Data Protection Officer to oversee compliance, and use Data Protection Impact Assessments for high-risk processing.
Why GDPR data subject rights matter for compliance
Handling requests well is not just good service; it is a legal duty backed by significant penalties. The GDPR allows fines of up to 20 million euro, or 4% of global annual turnover, whichever is higher, for the most serious infringements. Separately, personal data breaches that risk individuals’ rights must be notified to the supervisory authority within 72 hours of becoming aware of them.
Strong rights-handling also builds trust. A clear, well-documented process demonstrates accountability, reduces the chance of complaints escalating to regulators, and signals that your organisation takes privacy seriously. For the full legal text and recitals, consult the official GDPR information portal.
Frequently asked questions about GDPR data subject rights
How long do we have to respond to a data subject request?
You must respond without undue delay and generally within one month of receiving a valid request. For complex or high-volume requests, you may extend by up to two additional months, but you must tell the individual about the extension and the reason within the first month.
Can we charge a fee for handling requests?
In most cases you must respond free of charge. You may charge a reasonable fee based on administrative cost, or refuse to act, only where a request is manifestly unfounded or excessive, particularly if it is repetitive. Document your reasoning whenever you take that step.
Is the right to erasure absolute?
No. Erasure applies only in specific circumstances and can be overridden where you still have a lawful reason to keep the data, such as compliance with a legal obligation, exercising the right of freedom of expression, or establishing or defending legal claims.
Do these rights apply to organisations outside the EU?
They can. The GDPR has extraterritorial reach and may apply where you offer goods or services to people in the EU or monitor their behaviour, regardless of where your organisation is based.

Related guides
- GDPR compliance guide: principles, bases and practical steps
- GDPR requirements checklist for controllers and processors
- GDPR vs CCPA: how the EU and California privacy laws compare
Ready to operationalise these rights? Our editable GDPR (EU Regulation 2016/679) toolkit gives you ready-to-use data subject request procedures, response templates, logs and policies you can brand and deploy today. Explore the GDPR Toolkit and turn compliance obligations into a repeatable process.

