Clym Logo

Data Subject Rights Under GDPR: The Complete Guide

Published
Updated
AS
AuthorAdam Safar
10 min read

GDPR data subject rights explained

GDPR grants individuals 8 rights over personal data. Learn what each covers, how DSARs work, and how to respond within the required 30-day deadline.

Summarize full article with:

The GDPR gives individuals specific rights over how organizations collect, use, store, and share their personal data. These rights are designed to give people greater transparency and control, while helping organizations build trust through responsible data practices.

Since GDPR came into force in 2018, European regulators have issued more than €7 billion in fines across thousands of enforcement actions, reflecting the continued focus on data protection and accountability.

In this guide, you’ll find a clear breakdown of all eight GDPR data subject rights, how data subject requests (DSRs) work, applicable response deadlines, and practical considerations for managing requests at scale.

Key takeaways
  • GDPR grants individuals 8 rights over their personal data, including access, erasure, portability, and objection.
  • A data subject access request (DSAR) is the formal mechanism for individuals to exercise those rights.
  • Organisations must respond to DSARs within one calendar month, with a possible two-month extension in complex cases.
  • Failure to comply can result in fines of up to 4% of annual global turnover or EUR 20 million, whichever is higher.
  • A structured intake and tracking system is essential for businesses receiving multiple requests.

What is a data subject under GDPR?

A data subject is any identified or identifiable natural person whose personal data is collected or processed. Under GDPR, this includes customers, employees, website visitors, newsletter subscribers, and anyone else whose name, email address, IP address, or other identifier you hold in your systems.

The regulation does not apply to anonymised data (where re-identification is not possible) or to the personal data of deceased individuals.

Data Subject Rights under GDPR

The 8 GDPR data subject rights

GDPR Chapter 3 sets out eight rights for data subjects. Here is a summary of each one.

Right

What it means

Key condition

Right to be informed

Individuals must be told how their data is used at the point of collection.

Requires a clear, accessible privacy notice.

Right of access

Individuals can request a copy of all personal data held about them.

Must be provided free of charge, within one month.

Right to rectification

Individuals can have inaccurate or incomplete data corrected.

Applies to factual inaccuracies, not matters of opinion.

Right to erasure

Individuals can request the deletion of their personal data.

Subject to conditions: e.g., data no longer necessary, consent withdrawn.

Right to data portability

Individuals can receive their data in a structured, machine-readable format.

Applies only to data processed by consent or contract.

Right to restrict processing

Individuals can ask for processing to pause while a dispute is resolved.

Data can still be stored, just not actively used.

Right to object

Individuals can object to processing for direct marketing or legitimate interests.

Objections to marketing must always be honoured.

Right not to be subject to automated decisions

Individuals can opt out of purely automated decisions that significantly affect them.

Includes profiling that produces legal or similarly significant effects.

1. Right to be informed

Individuals must be told before, or at the time you collect their data: what data you collect, why you collect it, how long you keep it, who you share it with, and whether you transfer it outside the EU. This information typically lives in your privacy notice and cookie banner.

2. Right of access (Subject Access Request)

Individuals can submit a Subject Access Request (SAR) to obtain a copy of their personal data and confirmation of how it is being processed. You must respond free of charge within one month. Previously, under UK data protection law, this cost up to £10 and allowed 40 days. GDPR eliminated both the fee and the longer timeframe.

3. Right to rectification

If personal data you hold is inaccurate or incomplete, the data subject has the right to have it corrected. This applies to objective factual data, not to assessments or opinions. You must action the request without undue delay and within one month.

4. Right to erasure (right to be forgotten)

Individuals can request the deletion of their personal data in specific circumstances: the data is no longer necessary, consent has been withdrawn, the individual objects to processing, and you have no overriding legitimate interest, or the data was processed unlawfully. Note that this right is not absolute. Legal obligations, public interest tasks, and freedom of expression can override it.

5. Right to data portability

Where processing is based on consent or contract, individuals can receive their data in a structured, commonly used, machine-readable format (such as CSV or JSON), and can request that it be transmitted directly to another organisation. This right does not apply to data processed based on legitimate interests or legal obligation.

6. Right to restriction of processing

Individuals can request that you temporarily stop processing their data while a dispute is being resolved, for example, if they contest its accuracy or have objected to its processing. The data can still be stored. You just cannot actively use it until the restriction is lifted.

7. Right to object

Data subjects can object to processing carried out under legitimate interests or for direct marketing. An objection to direct marketing must always be honoured immediately and without exception. For other purposes, you must stop unless you can demonstrate compelling legitimate grounds that override the individual's interests.

8. Right to not to be subject to automated individual decision-making

Individuals have the right to not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. If you use automated credit scoring, automated hiring tools, or similar systems, you must offer a route to human review upon request.

What is a data subject access request (DSAR)?

A data subject access request (DSAR) is the formal mechanism by which an individual exercises any of the GDPR rights listed above. The term 'DSAR' is often used specifically for access requests (SARs), but in practice it covers requests to erase, rectify, port, restrict, or object to data processing as well.

According to a 2023 survey by the UK Information Commissioner's Office, the volume of DSARs received by UK organisations rose by 43% over the preceding two years. This trend is mirrored across Europe. Handling them badly is expensive both in regulatory fines and in staff time.

Who can submit a DSAR?

Any identified or identifiable natural person whose data you hold can submit a request. This includes current and former customers, employees, and website visitors. Third parties can act on behalf of a data subject, for example, a solicitor representing a client, provided they have appropriate authorisation.

Organisations are permitted to ask for proof of identity before processing a request, but only where there is reasonable doubt about who is asking. Requesting ID routinely as a barrier to access is not considered appropriate.

Does a DSAR need to be in writing?

No. GDPR does not require requests to be submitted in writing. A verbal request, a message via social media, or a contact form submission all qualify. Your staff must be trained to recognise a valid request regardless of how it arrives.

DSAR Response Timeline

Responding to data subject requests: timelines and obligations

Once a valid request is received, the clock starts immediately. Under GDPR Article 12, you must respond within one calendar month. This can be extended by a further two months for complex or numerous requests, but you must notify the requester of the extension and explain why within the first month.

GDPR Fines

Penalties for failing to respond

Non-compliance can trigger fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher. These are Tier 2 GDPR fines: the most serious category, typically reserved for breaches of the core principles and rights obligations. Supervisory authorities across the EU have issued fines specifically for DSR failures to organisations, including Google, Meta, and a range of mid-size businesses.

The DSAR response process: step by step

  1. Verify the requester's identity if there is a genuine reason to doubt who they are. Keep the request for identification proportionate.
  2. Log the request immediately with the date received so the one-month clock is clear.
  3. Identify all data held across your systems: CRM, email, databases, cloud storage, third-party processors.
  4. Assess applicable exemptions. Legal professional privilege, crime prevention, and third-party data rights may limit what you disclose.
  5. Prepare and send the response. Provide a clear, plain-English summary of the data held, how it is used, with whom it is shared, and how long it will be kept.
  6. Document the request and your response. GDPR requires you to demonstrate accountability. Keep a record of every request and the action taken.

DSAR compliance checklist

Use this checklist to assess your current readiness for handling data subject requests.

  • A documented process exists for receiving DSARs across all channels (email, phone, web form, in-person)
  • Staff are trained to recognise a DSAR regardless of how it is phrased
  • An intake system logs each request with the date received
  • Identity verification procedures are proportionate and documented
  • Data mapping covers all systems where personal data is stored
  • Response templates are drafted for each request type (access, erasure, portability, etc.)
  • Legal review is available for complex or disputed requests
  • A record of all requests and responses is maintained for accountability
  • Extensions (where needed) are communicated within the first month

Data subject rights beyond GDPR: CCPA and global comparisons

GDPR is the most comprehensive data subject rights framework, but it is not the only one. If you operate across multiple jurisdictions, you need to consider how other regulations address individual rights.

Clym's ReadyCompliance® feature covers 150+ global regulations, applying the right controls based on user location automatically.

Regulation

Jurisdiction

Key rights granted

Response deadline

GDPR

European Union

8 rights (access, erasure, portability, object, etc.)

1 month

UK GDPR / DPA 2018

United Kingdom

Same 8 rights as EU GDPR

1 month

CCPA / CPRA

California, USA

Know, delete, opt-out of sale, correct, limit use

45 days (extendable to 90)

PIPEDA

Canada

Access and correction

30 days

LGPD

Brazil

8 rights similar to GDPR

15 days

DSR Types

How Clym supports data subject request management

Managing DSRs manually across email and spreadsheets becomes unworkable as request volumes grow. Clym's data subject request management solution provides a structured workflow from submission to resolution, making it easier for your team to stay on top of requests, track deadlines, and maintain the documentation needed to demonstrate accountability.

The Governance Portal gives individuals a central place to submit any type of privacy request. Each submission is automatically logged with a timestamp, routed to the appropriate team, and tracked through to resolution. Communication templates keep requesters informed at each stage. Comprehensive records are maintained automatically.

Clym is built around ReadyCompliance®, which configures your privacy controls based on the regulations that apply to your users' locations. So if a user in Germany submits a request under GDPR and a user in California submits a request under CCPA, your workflow handles each appropriately without manual configuration.

Conclusion

GDPR data subject rights are not optional features to implement when it suits your roadmap. They are legal requirements with real financial consequences for organisations that ignore them.

The eight rights covered here form the backbone of what individuals can expect when they interact with your business. Your job is to make it easy for them to exercise those rights, and to respond correctly when they do. That means having a documented process, trained staff, and a system that tracks every request from intake to resolution.

The good news is that this does not need to be a manual, resource-heavy operation. A structured approach backed by the right tools makes DSR management efficient, auditable, and far less stressful for your team.

Frequently asked questions

GDPR grants data subjects eight rights: the right to be informed, right of access, right to rectification, right to erasure, right to data portability, right to restrict processing, right to object, and the right not to be subject to automated decision-making. Each right applies under specific conditions.

A DSAR (data subject access request) is a formal request by an individual to exercise their GDPR rights over their personal data. Any identified or identifiable person whose data you hold can submit one, including customers, employees, and website visitors. There is no requirement for the request to be in writing.

You must respond within one calendar month of receiving a valid request. In complex or numerous cases, you can extend this by up to two additional months, but you must inform the individual within the first month and explain the reason for the extension.

No. Under GDPR, you must respond to data subject requests free of charge. The only exception is where requests are clearly unfounded or excessive, in which case you can charge a reasonable fee or refuse to respond, but you must be able to justify that decision.

An SAR (Subject Access Request) specifically refers to a request for access to personal data held about an individual. A DSAR (Data Subject Access Request) is a broader term used to cover any request to exercise GDPR data subject rights, including erasure, rectification, portability, and objection.

Missing the deadline without notifying the requester is a breach of GDPR Article 12. Supervisory authorities can investigate and issue fines of up to EUR 20 million or 4% of global annual turnover. Data subjects can also complain directly to their national data protection authority.

Adam Safar

Head of Digital Marketing

Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.

Find out more about Adam