Data Subject Rights
The rights of natural persons to access, rectify, erase, restrict, port, and object to the processing of their personal data under Art. 15–21 GDPR.
The GDPR grants natural persons whose data is being processed a comprehensive set of rights against the controller. The right of access (Art. 15 GDPR) entitles data subjects to know whether and which personal data is being processed about them, and for what purposes. The right to rectification (Art. 16 GDPR) allows them to have inaccurate data corrected. The right to erasure (Art. 17 GDPR) — also known as the "right to be forgotten" — entitles individuals to request deletion of their data under certain conditions.
Further important rights include the right to restriction of processing (Art. 18 GDPR), the right to data portability (Art. 20 GDPR), and the right to object (Art. 21 GDPR). The right to object is particularly significant for direct marketing: if an individual objects to processing for marketing purposes, that processing must stop immediately, with no balancing of interests required. Data subjects also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on them (Art. 22 GDPR).
As a compliance officer, you must ensure that requests from data subjects are answered within the statutory deadlines: generally one month from receipt, extendable by a further two months for complex or numerous requests, provided the data subject is informed of the extension and its reasons within the first month (Art. 12(3) GDPR). This requires clear internal processes, defined responsibilities, and a functioning channel for receiving data subject requests. Where there are reasonable doubts about the identity of the person making the request, the controller may ask for additional information to confirm it before responding (Art. 12(6) GDPR); this check matters because an access response sent to the wrong person is itself a personal data breach. Responses must be provided free of charge; a reasonable fee may be charged, or the request refused, only where it is manifestly unfounded or excessive, and the controller bears the burden of demonstrating that (Art. 12(5) GDPR).
Legal Basis
Art. 15–22 GDPR; procedural requirements (deadlines, fees, identity verification) in Art. 12 GDPR
Practical Example
A former employee sends your organisation an email requesting, under Art. 15 GDPR, a copy of all personal data held about them, and subsequently asks, under Art. 17 GDPR, for the deletion of all data that is no longer subject to statutory retention obligations. As compliance officer, you first confirm that the request actually comes from the former employee, then coordinate the request with HR, IT, and finance, compile a complete overview of all stored data, and provide the copy of the data together with the supplementary information required by Art. 15(1) GDPR (purposes, recipients, retention periods, sources) within the one-month deadline. You then delete all data that is no longer required and document which records must be retained due to statutory tax and commercial law retention periods, so that the partial refusal of erasure can be justified to the data subject and, if necessary, to the supervisory authority.