GDPR Data Subject Rights: Access, Erasure & Portability (2026)

The GDPR grants individuals in the European Union powerful rights over their personal data. These rights, set out in Articles 12 through 22 of Regulation (EU) 2016/679, give people the ability to access, correct, delete, and move their data, and to challenge how organizations use it.
Understanding these rights matters for both individuals who want to exercise them and organizations that must honor them. This guide covers all eight data subject rights, explains how to exercise them, details the response timelines organizations must follow, and identifies the exemptions that apply.
For the broader regulatory context, see our guide to What Is GDPR. For practical compliance steps, see the GDPR compliance checklist.
This article is for informational purposes only and does not constitute legal advice. Consult a qualified data protection attorney or privacy professional for guidance specific to your situation.
Overview of GDPR Data Subject Rights
The GDPR establishes eight individual rights. Each right has specific conditions, limitations, and response requirements. The European Commission's information for individuals provides an accessible summary, while the EDPB's SME guide offers practical implementation guidance.
| Right | GDPR Article | Key Feature |
|---|---|---|
| Right of Access | Article 15 | Obtain a copy of your personal data |
| Right to Rectification | Article 16 | Correct inaccurate or incomplete data |
| Right to Erasure | Article 17 | Request deletion of personal data |
| Right to Restrict Processing | Article 18 | Limit how your data is used |
| Right to Data Portability | Article 20 | Receive your data in a portable format |
| Right to Object | Article 21 | Object to processing based on legitimate interests |
| Automated Decision-Making Rights | Article 22 | Challenge decisions made by algorithms |
| Right to Withdraw Consent | Article 7(3) | Revoke previously given consent |

Right of Access (Article 15)
The right of access is the most commonly exercised GDPR right. It allows individuals to obtain confirmation of whether an organization processes their personal data and, if so, to receive a copy of that data along with detailed information about the processing.
What You Can Request
Under Article 15, individuals can request:
- Confirmation of whether their personal data is being processed
- A copy of the personal data itself
- The purposes of processing
- The categories of personal data concerned
- The recipients or categories of recipients
- The planned retention period (or criteria used to determine it)
- Information about the source of the data (if not collected directly from the individual)
- Whether automated decision-making, including profiling, is used
- Details of any data transfers to third countries and the safeguards in place
How Organizations Must Respond
The EDPB Guidelines 01/2022 on the right of access clarify that controllers must provide data in a "concise, transparent, intelligible and easily accessible form." For electronic requests, the data should be provided in a commonly used electronic format.
The first copy must be provided free of charge. For additional copies, the controller may charge a reasonable fee based on administrative costs. If the request is manifestly unfounded or excessive (particularly if repetitive), the controller can either charge a reasonable fee or refuse to act on the request, but must demonstrate why it considers the request unfounded or excessive.
Right to Rectification (Article 16)
Article 16 gives individuals the right to have inaccurate personal data corrected without undue delay. Individuals can also request that incomplete personal data be completed, including by providing a supplementary statement.
When This Right Applies
This right applies whenever personal data held by an organization is factually incorrect or incomplete. Common examples include an incorrect address, a misspelled name, an outdated phone number, or employment records with wrong dates.
Organization Obligations
When a controller rectifies data, it must inform each recipient to whom the data has been disclosed, unless doing so proves impossible or involves disproportionate effort. The controller must also tell the individual about those recipients if requested.

Right to Erasure / Right to Be Forgotten (Article 17)
The right to erasure, commonly called the "right to be forgotten," allows individuals to request the deletion of their personal data. This is one of the GDPR's most high-profile provisions, but it is not absolute.
When Erasure Must Be Granted
The European Commission explains that erasure is required when:
- The data is no longer necessary for the purpose it was originally collected
- The individual withdraws consent and no other legal basis applies
- The individual objects to processing under Article 21 and there are no overriding legitimate grounds
- The data was unlawfully processed
- The data must be erased to comply with an EU or member state legal obligation
- The data was collected from a child in relation to information society services (such as social media)
When Erasure Can Be Refused
Organizations can refuse erasure requests when processing is necessary for:
- Exercising the right to freedom of expression and information
- Compliance with a legal obligation (such as tax record retention)
- Public health purposes in the public interest
- Archiving purposes in the public interest, scientific research, or historical research (where erasure would seriously impair the research objectives)
- Establishing, exercising, or defending legal claims
Search Engine Erasure
The right to erasure has particular significance for search engines. Following the landmark 2014 Google Spain ruling (predating the GDPR but influential in shaping Article 17), individuals can request that search engines delist results about them. The EDPB Guidelines 5/2019 establish criteria for evaluating delisting requests.
Right to Restriction of Processing (Article 18)
Article 18 allows individuals to request that an organization restrict (but not delete) the processing of their data. When processing is restricted, the organization can store the data but cannot use it unless the individual consents, or the processing is necessary for legal claims, protecting another person's rights, or important public interest reasons.
When Restriction Applies
Individuals can request restriction when:
- They contest the accuracy of the data (restriction applies while the controller verifies accuracy)
- The processing is unlawful, but the individual prefers restriction over erasure
- The controller no longer needs the data, but the individual needs it for legal claims
- The individual has objected to processing under Article 21 (restriction applies while the controller evaluates whether legitimate grounds override the objection)
Practical Effect
During restriction, the data can be stored but not actively processed. The controller must inform the individual before lifting any restriction. This right serves as a middle ground between full erasure and unrestricted processing.
Right to Data Portability (Article 20)
Data portability gives individuals the right to receive their personal data in a structured, commonly used, and machine-readable format. They can also request that the data be transmitted directly to another controller where technically feasible.
Conditions for Portability
The right to data portability applies only when:
- The processing is based on consent (Article 6(1)(a) or Article 9(2)(a)) or contractual necessity (Article 6(1)(b))
- The processing is carried out by automated means
This means data processed under legitimate interests, legal obligations, or public interest is not subject to portability requests.
What Data Is Covered
Portability covers data that the individual "provided to" the controller. This includes data actively submitted (form entries, uploaded documents) and data generated through the individual's use of the service (transaction history, usage logs, location data). It does not include data derived from analysis or profiling (risk scores, customer segments, inferences).
Format Requirements
The data must be provided in a "structured, commonly used and machine-readable format." Common formats include CSV, JSON, and XML. Where technically feasible and requested by the individual, the controller must transmit the data directly to another controller.
Right to Object (Article 21)
The right to object allows individuals to challenge processing based on specific legal grounds. This right varies in strength depending on the type of processing.
Objection to Legitimate Interest or Public Interest Processing
When processing is based on legitimate interests (Article 6(1)(f)) or public interest (Article 6(1)(e)), individuals can object on "grounds relating to their particular situation." The controller must stop processing unless it demonstrates compelling legitimate grounds that override the individual's interests, rights, and freedoms, or the processing is necessary for legal claims.
Absolute Right to Object to Direct Marketing
The right to object to processing for direct marketing purposes is absolute. No balancing test applies. When an individual objects to direct marketing, the organization must stop processing for that purpose immediately, without exception. This includes profiling related to direct marketing.
Objection to Research Processing
Individuals can also object to processing for scientific, historical, or statistical research purposes on grounds relating to their particular situation, unless the processing is necessary for a task in the public interest.
Rights Related to Automated Decision-Making (Article 22)
Article 22 addresses decisions made entirely by automated systems (including AI and algorithms) that produce legal effects or similarly significant effects on individuals.
The Core Protection
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects (such as being denied credit or a visa) or similarly significant effects (such as being denied insurance coverage or employment).
Exceptions
Automated decision-making with legal effects is permitted when:
- It is necessary for entering into or performing a contract
- It is authorized by EU or member state law with suitable safeguards
- It is based on the individual's explicit consent
Additional Safeguards
When automated decisions are made under the exceptions above, the controller must implement suitable measures to safeguard the individual's rights. At minimum, the individual must have the right to:
- Obtain human intervention in the decision
- Express their point of view
- Contest the decision
Practical Implications
Organizations using AI or algorithms for decisions that significantly affect individuals (credit scoring, automated hiring, insurance underwriting, content moderation) must evaluate whether Article 22 applies and implement the required safeguards.
Right to Withdraw Consent (Article 7(3))
When processing is based on consent, individuals have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal, but the organization must stop processing based on consent going forward.
Key Requirements
- Withdrawing consent must be as easy as giving it
- Organizations must inform individuals of the right to withdraw before they consent
- The withdrawal mechanism must be clearly accessible and straightforward
This is one reason the GDPR encourages organizations to consider alternative legal bases where possible. If processing can continue under a different legal basis (such as contractual necessity), the withdrawal of consent does not require processing to stop.
Response Timelines and Procedures
Article 12 sets the procedural framework for handling all data subject rights requests.
Standard Timeline: One Calendar Month
Organizations must respond to rights requests within one calendar month of receipt. The ICO guidance on time limits clarifies that the month runs from the day after the request is received.
Extended Timeline: Up to Three Months
For complex requests or when an organization receives a large number of requests from the same individual, the deadline can be extended by two additional months (total of three months). However, the organization must:
- Inform the individual within the first month
- Explain the reason for the extension
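As an added illustration (not part of the original guide), the following Python snippet tracks the two deadlines described above for a rights request: one calendar month counted from the day after receipt, and the three-month total that applies only when the individual was told about the extension within the first month. The names `RightsRequest`, `standard_deadline` and `extended_deadline` are this example's own, and the handling of month-end dates (falling back to the last day of the target month when the same day does not exist) is an assumption the guide itself does not state.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import calendar


def add_months(d: date, months: int) -> date:
    """Return the same day-of-month `months` later.

    Assumed rule for this example: if that day does not exist in the target
    month (e.g. 31 February), use the last day of that month instead.
    """
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def standard_deadline(received: date) -> date:
    # One calendar month, counted from the day after the request is received.
    return add_months(received + timedelta(days=1), 1)


def extended_deadline(received: date) -> date:
    # Two additional months on top of the standard month (three in total).
    return add_months(received + timedelta(days=1), 3)


@dataclass
class RightsRequest:
    request_id: str            # hypothetical internal ticket id
    received: date             # date the request arrived
    extension_notified_on: Optional[date] = None  # date the individual was told of an extension

    def deadline(self) -> date:
        """Effective deadline: the extension only counts if the individual was
        informed within the first month; a late notice leaves the standard deadline."""
        first_month_end = standard_deadline(self.received)
        if self.extension_notified_on is not None and self.extension_notified_on <= first_month_end:
            return extended_deadline(self.received)
        return first_month_end

    def is_overdue(self, today: date) -> bool:
        return today > self.deadline()


if __name__ == "__main__":
    # Constructed sample requests, not real data.
    for req in (
        RightsRequest("DSAR-001", date(2026, 1, 31)),                    # month-end receipt
        RightsRequest("DSAR-002", date(2026, 1, 15), date(2026, 2, 10)),  # extension notified in time
        RightsRequest("DSAR-003", date(2026, 1, 15), date(2026, 2, 20)),  # notified too late
    ):
        print(req.request_id, "due", req.deadline(), "overdue on 2026-03-01:", req.is_overdue(date(2026, 3, 1)))
```

Running the block prints the effective deadline for each constructed request; the third request shows that an extension notice sent after the first month has ended does not move the original deadline.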
Format Requirements
- Responses must be in a concise, transparent, intelligible, and easily accessible form
- Use clear and plain language (no legal jargon)
- For electronic requests, provide information in a commonly used electronic format unless the individual requests otherwise
- The first response is free of charge
Refusing Requests
Organizations can refuse requests that are manifestly unfounded or excessive, but they must:
- Explain why the request was refused
- Inform the individual of their right to complain to a supervisory authority
- Inform the individual of their right to seek a judicial remedy
The burden of proof lies with the organization to demonstrate that a request is unfounded or excessive.
How to Exercise Your GDPR Rights
Individuals do not need to use specific legal language or reference GDPR articles to make a valid rights request. The European Commission guidance confirms that any clear communication expressing a desire to exercise a right is sufficient.
Steps for Individuals
- Identify the organization (controller) that holds your data
- Contact the organization through any channel (email, web form, letter, phone)
- Clearly state what you want (access, deletion, correction, etc.)
- Provide enough information for the organization to verify your identity
- Keep a record of your request and when you sent it
- If the organization does not respond within one month, or you are unsatisfied with the response, lodge a complaint with your national data protection authority
Filing a Complaint
Every EU member state has a supervisory authority where individuals can file complaints. The EDPB maintains a list of all national supervisory authorities. Complaints are free to file and do not require legal representation.
More GDPR Guides
- What Is GDPR for a comprehensive overview of the regulation
- GDPR Compliance Checklist for a step-by-step compliance guide
- GDPR Fines and Penalties for enforcement data and the consequences of non-compliance
- GDPR Consent Requirements for valid consent standards
- GDPR Breach Notification 72-Hour Rule for breach reporting obligations
- GDPR for Small Businesses for SME-specific guidance
- [EU Data Privacy Laws](/world-laws/world-data-privacy-laws/eu-data-privacy-laws) for the complete EU data protection overview
Sources and References
- GDPR Full Text - Regulation (EU) 2016/679 (eur-lex.europa.eu)
- European Commission - Information for Individuals (commission.europa.eu)
- EDPB - Respect Individuals' Rights (SME Guide) (edpb.europa.eu)
- EDPB Guidelines 01/2022 on Right of Access (edpb.europa.eu)
- European Commission - Handling Data Subject Rights Requests (commission.europa.eu)
- ICO - Right to Erasure (ico.org.uk)
- European Commission - Do We Always Have to Delete Personal Data? (commission.europa.eu)
- EDPB Guidelines 5/2019 on Right to Be Forgotten (Search Engines) (edpb.europa.eu)
- ICO - A Guide to Individual Rights (ico.org.uk)
- ICO - Time Limits for Responding to Rights Requests (ico.org.uk)
- ICO - A Guide to Subject Access (ico.org.uk)
- EDPB - How Long to Respond to an Access Request (edpb.europa.eu)