Data Subject Rights Under GDPR: What They Are and How to Comply

March 18, 2025

The General Data Protection Regulation (GDPR) grants individuals, known as data subjects, specific rights concerning their personal data. Understanding and complying with these data subject rights is crucial for organizations handling personal information within the European Union (EU) and the European Economic Area (EEA). This comprehensive guide delves into the essence of data subject rights, outlines the eight fundamental rights under the GDPR, discusses their legal and practical implications, and provides actionable steps for organizations to ensure compliance.

What Are Data Subject Rights?

Data subject rights are provisions under the GDPR that empower individuals to have control over how their personal data is collected, processed, and utilized. These GDPR rights aim to enhance transparency, allow individuals to access and manage their data, and hold organizations accountable for data protection. Find out more details here: Who does GDPR apply to.

Who Is a Data Subject?

A data subject is any individual whose personal data is processed by an organization. This includes customers, employees, and any other individuals whose data is collected and used by a data controller or processor.

Overview of the 8 Data Subject Rights Under GDPR

The GDPR outlines eight fundamental rights of data subjects:

  1. Right to Be Informed (Transparency)
  2. Right to Access (Article 15)
  3. Right to Rectification (Article 16)
  4. Right to Erasure/Right to Be Forgotten (Article 17)
  5. Right to Restrict Processing (Article 18)
  6. Right to Data Portability (Article 20)
  7. Right to Object (Article 21)
  8. Rights Related to Automated Decision-Making and Profiling (Article 22)

Right to Be Informed (Transparency)

Data subjects have the right to be informed about the collection and use of their personal data. Organizations must provide clear and concise information regarding the purposes of data processing, data retention periods, and who the data will be shared with. This information is typically conveyed through privacy notices or policies.

Right to Access (Article 15)

Under Article 15, individuals have the right to access their personal data held by an organization. This includes obtaining confirmation of whether their data is being processed, accessing the actual data, and receiving information about how the data is being used. Organizations must provide a copy of the personal data upon request, free of charge, within one month.

Right to Rectification (Article 16)

Article 16 grants data subjects the right to have inaccurate or incomplete personal data corrected. If an individual identifies that their data is incorrect or outdated, they can request the organization to rectify it promptly.

Right to Erasure/Right to Be Forgotten (Article 17)

Also known as the "Right to Be Forgotten," Article 17 allows individuals to request the deletion of their personal data in certain circumstances, such as:

  • The data is no longer necessary for the purpose for which it was originally collected.
  • The individual withdraws consent, and there is no other legal basis for processing.
  • The data has been unlawfully processed.
  • The data must be erased to comply with a legal obligation.

However, this right is not absolute and may be overridden by other legal obligations or public interest considerations.

Right to Restrict Processing (Article 18)

Article 18 provides individuals with the right to restrict the processing of their personal data under specific circumstances, including:

  • The accuracy of the data is contested.
  • The processing is unlawful, and the individual opposes erasure.
  • The organization no longer needs the data, but the individual requires it for legal claims.
  • The individual has objected to processing, pending verification of legitimate grounds.

When processing is restricted, organizations may continue to store the data but may not otherwise process it.

Right to Data Portability (Article 20)

Article 20 grants data subjects the right to receive their personal data in a structured, commonly used, and machine-readable format. It also allows for the direct transfer of data from one controller to another, where technically feasible. This right applies when processing is based on consent or a contract and is carried out by automated means.

Right to Object (Article 21)

Under Article 21, individuals have the right to object to the processing of their personal data when that processing is based on legitimate interests or on the performance of a task in the public interest. If an individual objects, the organization must cease processing unless it can demonstrate compelling legitimate grounds that override the individual's rights, or unless the processing is needed for legal claims.

Rights Related to Automated Decision-Making and Profiling (Article 22)

Article 22 provides individuals with the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects or significantly affects them. Exceptions exist if the decision is necessary for a contract, authorized by law, or based on explicit consent.

Legal and Practical Implications of Data Subject Rights

Understanding the legal framework supporting GDPR rights and the consequences of non-compliance is essential for organizations.

GDPR Articles Supporting These Rights

The GDPR dedicates Chapter 3 (Articles 12 to 23) to outlining data subject rights and the obligations of data controllers and processors in facilitating these rights. Each right is detailed within specific articles, providing legal grounding and guidance for implementation.

Penalties for Non-Compliance

Non-compliance with data subject rights can lead to significant penalties under the GDPR. Fines can reach up to €20 million or 4% of the organization's global annual turnover, whichever is higher. Beyond financial penalties, organizations may suffer reputational damage and loss of customer trust.

Real-World Examples of Rights Violations

Several organizations have faced substantial fines for failing to uphold data protection rights. For instance, in 2020, H&M was fined €35.3 million for violating GDPR rights.

How to Respond to Data Subject Requests

Step 1: Identify the Request

Organizations must first determine whether the request falls under data subject rights and categorize it appropriately (e.g., access, rectification, erasure, etc.).

Step 2: Verify the Data Subject's Identity

Before processing a request, it is essential to confirm the identity of the requester to prevent unauthorized data access or manipulation.

Step 3: Fulfill the Request Within the GDPR Timeframe

Under GDPR, organizations must respond to data subject requests within one month. In some cases, an extension may be granted if the request is complex.

Step 4: Maintain Records of Requests

Organizations should document all requests, responses, and any actions taken to demonstrate compliance in case of audits or legal inquiries.

Challenges Businesses Face in Managing Data Subject Rights

High Volume of Requests

With increasing awareness of GDPR privacy rights, organizations may receive a large number of requests, requiring efficient processes and automation.

Balancing Rights and Business Interests

While honoring the rights of data subjects, businesses must also ensure operational efficiency and regulatory compliance without compromising security.

Ensuring Accuracy and Timeliness

Handling requests accurately and within the legal timeframe is challenging, especially for organizations managing vast amounts of personal data.

Tools and Resources for Managing Data Subject Rights

GDPR Compliance Software

Organizations can leverage specialized GDPR compliance software to streamline request management, documentation, and reporting.

Data Mapping and Inventory Tools

Data mapping tools help organizations track and categorize personal data, making it faster to locate an individual's data when they exercise their access rights and supporting compliance with GDPR requirements.

Training for Employees

Regular GDPR training programs ensure that employees are well-equipped to handle data subject requests and maintain GDPR compliance.

Ensuring Compliance with Data Subject Rights

Organizations must implement strong policies and procedures to handle data subject rights requests effectively. Here are some actionable steps to ensure compliance:

1. Develop Clear Privacy Notices

Organizations should create transparent privacy notices and data subject rights policies that clearly outline how personal data is collected, processed, stored, and shared. These notices should be easy to access and understand.

2. Establish a Process for Handling Data Subject Requests

A structured process should be in place to manage and respond to requests related to data subject rights, including:

  • Verifying the identity of the requestor
  • Logging and tracking requests
  • Responding within the GDPR-mandated timeframe (typically one month)

3. Train Employees on GDPR Compliance

All employees handling personal data should be trained on the GDPR compliance checklist and how to handle data subject requests effectively.

4. Implement Secure Data Management Practices

Organizations should use encryption, access controls, and data minimization strategies to ensure personal data is securely managed and protected from unauthorized access.

5. Conduct Regular GDPR Audits

Periodic audits should be conducted to ensure ongoing compliance with GDPR regulations, identify potential gaps, and address any compliance risks.

6. Appoint a Data Protection Officer (DPO)

For organizations that process large amounts of personal data, appointing a Data Protection Officer (DPO) can help oversee GDPR compliance and manage data subject requests.

7. Maintain Records of Processing Activities

Under Article 30 of the GDPR, organizations must maintain records of their data processing activities, including details about data subject requests and how they were handled.

8. Implement Mechanisms for Consent Management

Organizations should have clear systems in place for obtaining, recording, and managing user consent, ensuring compliance with GDPR’s requirements for lawful data processing.

DPO Consulting offers expert GDPR compliance services, ensuring your organization covers all the crucial aspects of this regulation.

FAQ: Data Subject Rights Under GDPR

What is the right to access under GDPR?

The right to access under GDPR allows individuals to request and obtain a copy of their personal data that an organization holds. This right ensures transparency by enabling individuals to understand how their data is being processed and whether it is handled lawfully.

Are there exceptions to the right to be forgotten?

Yes. Organizations may refuse deletion requests if the data is necessary for legal obligations, public interest, freedom of expression, or the establishment, exercise, or defense of legal claims.

How quickly must a business respond to a data subject request?

Under GDPR, businesses must respond within one month for any data subject request. If a request is complex or requires additional information, the organization may extend the deadline by up to two additional months, but the individual must be informed of the delay.

Can a business charge for fulfilling a data subject request?

In most cases, businesses cannot charge for handling data subject requests. However, if the request is clearly unfounded, excessive, or repetitive, organizations may charge a reasonable fee to cover administrative costs or refuse the request.

What happens if a business refuses to comply with a request?

If a business refuses to comply with a data subject request, it must provide a clear explanation for the refusal and inform the individual of their right to lodge a complaint with a supervisory authority. Non-compliance can result in fines and reputational damage.

DPO Consulting: Your Partner in AI and GDPR Compliance

Investing in GDPR compliance efforts can weigh heavily on large corporations as well as small and medium-sized enterprises (SMEs). Turning to an external resource or support can relieve the burden of an internal audit on businesses across the board and alleviate the strain on company finances, technological capabilities, and expertise.

External auditors and expert partners like DPO Consulting are well-positioned to help organizations effectively tackle the complex nature of GDPR audits. These trained professionals act as an extension of your team, helping to streamline audit processes, identify areas of improvement, implement necessary changes, and secure compliance with GDPR.

Entrusting the right partner provides the advantage of impartiality and adherence to industry standards and unlocks a wealth of resources such as industry-specific insights, resulting in unbiased assessments and compliance success. Working with DPO Consulting translates to valuable time saved and takes away the burden from in-house staff, while considerably reducing company costs.
