Data Subject Rights
Chapter III of the GDPR (Articles 12-22) establishes rights for data subjects that controllers must facilitate. Article 12 sets the overarching requirement: information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The general response deadline is one month from receipt of the request, extendable by a further two months where necessary (Art. 12(3)). Non-compliance with data subject rights is subject to fines of up to EUR 20,000,000 or 4% of worldwide annual turnover (Art. 83(5)(b)).
| # | Right | Article | Response Deadline | Description | Exceptions |
|---|---|---|---|---|---|
| 1 | Right of Access | Art. 15 | 1 month (extendable by 2 months for complex requests) | The data subject has the right to obtain confirmation as to whether personal data concerning them is being processed, and where that is the case, access to the personal data and specified information including: purposes of processing, categories of data, recipients, envisaged retention period, existence of rights, right to lodge a complaint, source of data, and existence of automated decision-making. | May be restricted where it would adversely affect the rights and freedoms of others (Recital 63). Manifestly unfounded or excessive requests may be charged a reasonable fee or refused (Art. 12(5)). |
| 2 | Right to Rectification | Art. 16 | 1 month (extendable by 2 months) | The data subject has the right to obtain the rectification of inaccurate personal data without undue delay. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement. | None specified in the regulation itself. The controller must notify each recipient to whom the data has been disclosed of the rectification, unless this proves impossible or involves disproportionate effort (Art. 19). |
| 3 | Right to Erasure (Right to be Forgotten) | Art. 17 | 1 month (extendable by 2 months) | The data subject has the right to obtain erasure of personal data without undue delay where: data is no longer necessary for its original purpose, consent is withdrawn, the data subject objects under Art. 21, data has been unlawfully processed, erasure is required by law, or data was collected in relation to information society services offered to a child. | Does not apply where processing is necessary for: exercising the right of freedom of expression and information, compliance with a legal obligation, reasons of public interest in the area of public health (Art. 9(2)(h)-(i)), archiving/research/statistical purposes (Art. 89(1)), or establishment/exercise/defence of legal claims. |
| 4 | Right to Restriction of Processing | Art. 18 | 1 month (extendable by 2 months) | The data subject has the right to obtain restriction of processing where: accuracy is contested (for the period of verification), processing is unlawful but the data subject opposes erasure, the controller no longer needs the data but the data subject requires it for legal claims, or the data subject has objected under Art. 21 (pending verification of legitimate grounds). | Restricted data may still be stored. Processing beyond storage requires: data subject consent, establishment/exercise/defence of legal claims, protection of the rights of another person, or important public interest of the EU or a Member State (Art. 18(2)). |
| 5 | Right to Data Portability | Art. 20 | 1 month (extendable by 2 months) | The data subject has the right to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and has the right to transmit that data to another controller without hindrance. Where technically feasible, the data subject has the right to have the data transmitted directly from one controller to another. | Only applies where: (a) processing is based on consent (Art. 6(1)(a) or Art. 9(2)(a)) or contract (Art. 6(1)(b)), AND (b) processing is carried out by automated means. Does not apply to processing necessary for the performance of a task in the public interest or in the exercise of official authority (Art. 20(3)). Must not adversely affect the rights and freedoms of others. |
| 6 | Right to Object | Art. 21 | Without undue delay, at the latest within 1 month | The data subject has the right to object at any time to processing based on public interest (Art. 6(1)(e)) or legitimate interests (Art. 6(1)(f)), including profiling based on those provisions. Where data is processed for direct marketing purposes, the data subject has an absolute right to object at any time, and processing must cease immediately. | For non-marketing objections, the controller may continue processing if it demonstrates compelling legitimate grounds that override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. For direct marketing, there are no exceptions -- processing must cease. |
| 7 | Rights Related to Automated Decision-Making | Art. 22 | 1 month (extendable by 2 months) | The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Where automated decisions are permitted, the controller must implement suitable measures to safeguard the data subject's rights, including at a minimum the right to obtain human intervention, to express their point of view, and to contest the decision. | Automated decisions are permitted where: (a) necessary for entering into or performance of a contract, (b) authorised by EU or Member State law with suitable safeguards, or (c) based on explicit consent. Special categories of data (Art. 9(1)) may only be used in automated decisions under conditions (a) or (c) with suitable measures in place. |
Transparency Obligations (Article 12)
Article 12 requires the controller to take appropriate measures to provide information relating to processing (Articles 13-14) and communications regarding rights (Articles 15-22) in a concise, transparent, intelligible and easily accessible form. Information must be provided in writing or by electronic means. Where the data subject makes a request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. Information must be provided free of charge; the controller may charge a reasonable fee or refuse to act only where requests are manifestly unfounded or excessive.
Disclaimer
This page provides general information about GDPR data subject rights and does not constitute legal advice. Consult qualified legal counsel for guidance specific to your organisation.