Data Subject Rights Overview
GDPR grants individuals eight rights over their personal data:
| Right | Article | Description |
|---|---|---|
| Information | 13-14 | Be informed about processing |
| Access | 15 | Obtain copy of personal data |
| Rectification | 16 | Correct inaccurate data |
| Erasure | 17 | Delete data ("right to be forgotten") |
| Restriction | 18 | Limit processing |
| Portability | 20 | Receive data in machine-readable format |
| Object | 21 | Object to processing |
| Automated decisions | 22 | Not be subject to automated decisions |
Data Subject Access Requests
The right of access (Article 15) allows individuals to obtain confirmation of processing and a copy of their personal data.
What Must Be Provided
- Confirmation whether data is processed
- Copy of personal data
- Purposes of processing
- Categories of personal data
- Recipients or categories of recipients
- Retention period or criteria
- Rights information (rectification, erasure, restriction, object)
- Right to complain to supervisory authority
- Source of data (if not collected from individual)
- Automated decision-making information
- Transfer safeguards (if applicable)
DSAR Process
Step 1: Receive and Log
- Accept requests through any channel
- Log immediately with timestamp
- Acknowledge receipt
Step 2: Verify Identity
- Reasonable steps to verify identity
- Request additional information if needed
- Balance verification with privacy
Step 3: Search and Collect
- Search all relevant systems
- Include structured and unstructured data
- Check backups if necessary
- Include processor-held data
Step 4: Review and Redact
- Review for third-party data
- Apply exemptions if applicable
- Redact third-party information
- Document exemptions applied
Step 5: Compile and Respond
- Compile response with required information
- Provide in requested format (usually electronic)
- Include supplementary information
- Send securely
Timelines
| Situation | Timeline |
|---|---|
| Standard response | Within 1 month |
| Complex/numerous requests | Extended to 3 months (notify within 1 month) |
| Identity verification needed | Clock pauses until verified |
| Fee charged (if permitted) | Clock pauses until payment |
The month is counted in calendar days from the receipt date, not in working days. If it ends on a weekend or public holiday, the deadline moves to the next working day.
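As an added example (not part of this guide), the timeline rules above as a small Python helper that a request-log tool could use to record the response date and the date by which an extension notice must be sent. Two points are assumptions of this example rather than statements of the guide: a request received on a day the following month does not have (31 January, for instance) falls back to the last day of that month, and a paused clock (identity verification outstanding, or a permitted fee unpaid) is handled by adding the paused calendar days to the deadline. Public holidays depend on jurisdiction and are supplied by the caller.

```python
from datetime import date, timedelta
import calendar


def add_months(start: date, months: int) -> date:
    """Advance by whole calendar months. If the target month has no such day
    (e.g. 31 January + 1 month), fall back to its last day. This month-end
    handling is an assumption of the example; the guide does not state it."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(day: date, holidays=frozenset()) -> date:
    """Roll a date that lands on a weekend or a caller-supplied holiday forward
    to the next working day, as the guide requires for the deadline."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def dsar_timeline(received: date, *, extended: bool = False,
                  pauses=(), holidays=frozenset()) -> dict:
    """Return the key dates for a request received on `received`.

    extended: the controller has invoked the extension to 3 months for a
              complex or numerous request.
    pauses:   (start, end) date pairs during which the clock was paused
              (identity verification outstanding, or a permitted fee unpaid).
              Paused days are added to the calendar-month deadline; this is
              an assumption of the example.
    holidays: set of public holidays to treat as non-working days.
    """
    paused = timedelta(days=sum((end - start).days for start, end in pauses))
    one_month = add_months(received, 1) + paused
    respond_by = add_months(received, 3) + paused if extended else one_month
    return {
        # Any extension must itself be notified within the original month.
        "extension_notice_by": next_working_day(one_month, holidays),
        "respond_by": next_working_day(respond_by, holidays),
    }


def is_overdue(timeline: dict, today: date, responded_on=None) -> bool:
    """True when no response was sent by the respond_by date. A request log
    can evaluate this to produce the timeline-compliance evidence the guide
    asks for."""
    sent = responded_on if responded_on is not None else today
    return sent > timeline["respond_by"]


if __name__ == "__main__":
    # Constructed sample: request received Wednesday 1 May 2024, identity
    # verification outstanding from 2 to 9 May, no public holidays.
    t = dsar_timeline(date(2024, 5, 1),
                      pauses=[(date(2024, 5, 2), date(2024, 5, 9))])
    print(t)  # respond_by rolls from Saturday 8 June to Monday 10 June 2024
```

The two dates are kept separate because they are checked at different times: the extension notice is due at the original one-month mark even when the response itself is due later, and a pause shifts both.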
Other Rights Processes
Rectification (Article 16)
- Same 1-month timeline
- Correct inaccurate data
- Complete incomplete data
- Notify recipients of corrections
Erasure (Article 17)
Applies when:
- Data no longer necessary
- Consent withdrawn
- Objection upheld
- Unlawful processing
- Legal obligation to erase
- Child's data (information society services)
Restriction (Article 18)
Applies when:
- Accuracy contested (while verifying)
- Processing unlawful but erasure refused
- Controller no longer needs the data, but the individual needs it for legal claims
- Objection pending verification
Portability (Article 20)
- Only applies to data provided by individual
- Only for consent or contract basis
- Only for automated processing
- Structured, commonly used, machine-readable format
Objection (Article 21)
- Must stop processing unless compelling legitimate grounds
- Direct marketing: must stop immediately
- Research: may continue if in public interest
Evidence Requirements
Maintain records demonstrating compliance:
- Request log with dates and outcomes
- Identity verification records
- Search methodology documentation
- Exemptions applied and reasoning
- Response copies
- Timeline compliance evidence