EU Data Subject Rights

Updated June 2026 · 14 min read

EU data subject rights under GDPR

The General Data Protection Regulation gives EU citizens eight enforceable rights over their personal data. These rights apply to almost any organisation that holds information about you — from banks and retailers to social media platforms and employers. This guide explains each right clearly, when it applies, and how to exercise it.

The 8 GDPR Rights at a Glance

8 Data Subject Rights (GDPR Chapter III):

  • Art. 15, Right of Access: obtain a copy of your personal data and learn how it is used.
  • Art. 16, Rectification: correct inaccurate or incomplete personal data held about you.
  • Art. 17, Erasure: request deletion when no lawful basis exists to retain the data.
  • Art. 18, Restriction: suspend processing while accuracy or legality is disputed.
  • Art. 20, Data Portability: receive your data in a machine-readable format to reuse.
  • Art. 21, Right to Object: stop processing for marketing or legitimate interest grounds.
  • Art. 22, Automated Decisions: challenge decisions made solely by automated systems.
  • Art. 13–14, Right to Be Informed: receive clear notice of how your data is collected and used.

Response obligations for organisations:

  • 1 month: standard deadline from receipt of request
  • +2 months: extension for complex or numerous requests
  • Free of charge: first request at no cost to the individual
  • Any format: no required form for making a request

Source: GDPR Chapter III (Articles 12-23). Applies to EU/EEA data subjects.

Right 1: The Right of Access (Article 15)

The right of access allows any individual to request a copy of the personal data an organisation holds about them, along with information about how that data is used. This is formally called a subject access request (SAR).

A complete subject access response must provide:

  • The categories of personal data being processed
  • The purposes of processing for each category
  • The recipients or categories of recipients to whom the data has been or will be disclosed
  • The retention period, or the criteria used to determine it
  • Information about the rights to rectification, erasure, restriction and objection
  • The right to lodge a complaint with a supervisory authority
  • The source of the data if it was not collected directly from the individual
  • Information about automated decision-making, including profiling

The first copy of the data must be provided free of charge. If the same individual requests additional copies, a reasonable administrative fee can be charged. The response must be provided within one calendar month, extendable to three months for complex requests.

How to make a subject access request: No special form is required. A request can be made verbally or in writing, including by email. Best practice is to write, so there is a record of when the clock started. The organisation may ask you to confirm your identity — a reasonable precaution to prevent data being sent to the wrong person — but cannot demand excessive verification.

Right 2: The Right to Rectification (Article 16)

Individuals have the right to have inaccurate personal data corrected without undue delay. Where data is incomplete, individuals can request that it be completed — including by providing a supplementary statement.

This right is practically important in contexts where inaccurate data causes material harm: credit files, medical records, tax records, employment records. Organisations must correct inaccurate data promptly and, where that data has been shared with third parties, must notify those third parties of the correction unless this is impossible or involves disproportionate effort.

Disputes about accuracy must be handled carefully. Where an individual contests the accuracy of data, the controller may need to restrict processing of that data (see Right 4) while accuracy is verified.

Right 3: The Right to Erasure (Article 17)

The right to erasure — often called the right to be forgotten — allows individuals to request deletion of their personal data. Unlike some rights under GDPR, erasure is not absolute. It applies when one of the following grounds is met:

  • The data is no longer necessary for the purpose for which it was collected
  • The individual withdraws consent and there is no other legal basis for processing
  • The individual objects to processing (see Right 6) and there are no overriding legitimate grounds
  • The data was processed unlawfully
  • Erasure is required by EU or national law
  • The data was collected in relation to a child and relates to information society services

Erasure is not available where processing is necessary for: exercising the right of freedom of expression and information; compliance with a legal obligation; reasons of public interest in public health; archiving, research or statistical purposes in the public interest; or establishing, exercising or defending legal claims.

Where erasure is required and the data has been made public (for example, in an online publication or database), the controller must take reasonable steps to inform other controllers processing the data of the erasure request.

Right 4: The Right to Restriction of Processing (Article 18)

Restriction is a temporary measure. It allows individuals to have processing suspended without requiring deletion of the data. The data remains stored but cannot be used during the restriction period. Restriction applies in four situations:

  1. The individual contests the accuracy of the data — processing is restricted while accuracy is verified
  2. Processing is unlawful but the individual prefers restriction to erasure
  3. The controller no longer needs the data for its purposes but the individual needs it for legal claims
  4. The individual has objected to processing on legitimate interests grounds and is awaiting verification of whether the controller's grounds override theirs

During restriction, the controller can store the data and — with the individual's consent — use it for legal claims, protecting others, or important public interest. The individual must be informed before restriction is lifted.

Right 5: The Right to Data Portability (Article 20)

Data portability allows individuals to receive their personal data in a structured, commonly used and machine-readable format, and to transmit that data to another controller. This right supports switching between services — for example, transferring a social media history or financial transaction data to a competing service.

The right applies only where:

  • Processing is based on consent or on a contract with the individual (not other legal bases such as legitimate interests or legal obligations)
  • Processing is carried out by automated means
  • The data was provided by the individual themselves

This third condition is important. Data portability does not extend to data that the controller has derived or inferred about an individual (such as credit scores or behavioural profiles) — only to the raw data the individual themselves submitted.

Where technically feasible, the individual can also request that data be transmitted directly from one controller to another. Controllers must provide data in formats such as JSON, CSV or XML — not proprietary formats that cannot be read by other services.

Right 6: The Right to Object (Article 21)

The right to object has two distinct applications:

Objection to legitimate interest or public task processing: Where processing is based on legitimate interests (Article 6(1)(f)) or on a public task (Article 6(1)(e)), individuals can object. The controller must then stop processing unless it can demonstrate compelling legitimate grounds that override the individual's interests, rights and freedoms, or unless processing is for establishing, exercising or defending legal claims.

Objection to direct marketing (including profiling): This right is absolute. Individuals can object to their data being used for direct marketing purposes at any time, and the controller must immediately stop using the data for that purpose. No grounds for override exist. The right to object to marketing must be explicitly brought to the individual's attention at the latest at the time of the first communication.

Right 7: Rights Related to Automated Decision-Making (Article 22)

Individuals have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects on them. Examples include automated loan rejections, algorithmic CV screening that prevents a job application from reaching a human reviewer, or automated insurance pricing decisions.

This right applies where the decision:

  • Is based solely on automated processing (no meaningful human involvement)
  • Produces legal effects on the individual (e.g., a contract is granted or refused) or similarly significant effects

Exceptions exist where the automated decision is:

  • Necessary for entering into or performing a contract between the individual and the controller
  • Authorised by EU or member state law
  • Based on the individual's explicit consent

In all cases where exceptions apply, the individual retains the right to obtain human intervention, express their point of view, and contest the decision.

Right 8: The Right to Be Informed (Articles 13-14)

The right to be informed is foundational — it underpins all the other rights. It requires that individuals receive clear, transparent information about how their personal data is processed, delivered at the point of collection or (for indirect collection) within one month.

This right is fulfilled primarily through privacy notices. The information required varies slightly depending on whether data was collected directly from the individual (Article 13) or from third-party sources (Article 14).

Core information that must always be provided includes: the controller's identity and contact details; the DPO's contact details where applicable; the purposes and legal bases for processing; recipients of the data; international transfer details; retention periods; and information about all data subject rights including the right to withdraw consent and the right to complain to a supervisory authority.

For a full breakdown of what privacy notices must include, see our privacy policy requirements guide.

How to Exercise Your Rights

For any GDPR right, the process is similar:

  1. Identify the controller — the organisation that determines how your data is used. This is usually the company you have a relationship with directly.
  2. Make a request in writing — email is sufficient. State what right you are exercising and provide enough information to identify yourself and the data in question.
  3. Keep a record of the date — the one-month response window starts from receipt.
  4. Follow up if no response — if one month passes without acknowledgment, send a reminder. If there is still no response, escalate to the supervisory authority.
  5. Complain to your national supervisory authority — each EU member state has a data protection authority (DPA) with the power to investigate and enforce GDPR. Complaints can be made online via the DPA's website, typically at no cost.

Supervisory Authority Contacts (Selected)

Each EU member state has a national supervisory authority responsible for enforcing GDPR. Major authorities include:

  • France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
  • Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) — bfdi.bund.de
  • Ireland: Data Protection Commission (DPC) — dataprotection.ie
  • Netherlands: Autoriteit Persoonsgegevens (AP) — autoriteitpersoonsgegevens.nl
  • Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
  • Sweden: Integritetsskyddsmyndigheten (IMY) — imy.se
  • EU-level coordination: European Data Protection Board (EDPB) — edpb.europa.eu

Frequently Asked Questions

What are the 8 GDPR data subject rights?

The eight rights are: (1) right of access, (2) right to rectification, (3) right to erasure, (4) right to restriction of processing, (5) right to data portability, (6) right to object, (7) rights related to automated decision-making and profiling, and (8) the right to be informed (through privacy notices).

How long does an organisation have to respond to a data subject request?

Under GDPR Article 12, organisations must respond without undue delay and in any event within one calendar month of receiving the request. This can be extended by a further two months for complex or numerous requests, provided the individual is informed of the extension within the first month.

Can organisations charge a fee for data subject access requests?

No. Organisations must respond to the first copy of a subject access request free of charge. A reasonable fee can be charged for subsequent copies of the same information, or where requests are manifestly unfounded or excessive — but the bar for claiming this exception is high and must be justified.

What is the right to erasure under GDPR?

The right to erasure (Article 17), sometimes called the right to be forgotten, allows individuals to request deletion of their personal data in specific circumstances: where the data is no longer necessary for its original purpose, where consent is withdrawn and there is no other legal basis, where the individual objects and the controller has no overriding grounds, where data was processed unlawfully, or where erasure is required by law.

Does the right to data portability apply to all data?

No. The right to data portability (Article 20) applies only to personal data that the individual themselves provided to the controller, and only where processing is based on consent or on a contract. It does not apply to data processed on other legal bases (such as legitimate interests or legal obligation). The data must be provided in a structured, commonly used and machine-readable format.

Can I object to my data being used for direct marketing?

Yes. Under GDPR Article 21(2), individuals have an absolute right to object to their personal data being processed for direct marketing purposes, including profiling for direct marketing. This right is unconditional — the controller must cease processing for that purpose immediately upon receiving the objection.

What is the right to restriction of processing?

The right to restriction of processing (Article 18) allows individuals to request that an organisation suspends processing of their personal data in certain circumstances — for example, while they contest the accuracy of the data, or while waiting for a response to an objection. During restriction, the controller can still store the data but cannot actively use it.

Are data subject rights the same in the UK as in the EU?

Largely yes. After Brexit, the UK retained GDPR-equivalent rules in its domestic law (UK GDPR). The eight data subject rights exist under UK GDPR in substantially the same form as under EU GDPR. However, UK GDPR enforcement is handled by the UK Information Commissioner's Office (ICO), not EU supervisory authorities.

What happens if an organisation ignores my data subject request?

Failing to respond to a valid data subject request within one month is a violation of GDPR. Individuals can complain to their national supervisory authority, which has the power to investigate and impose fines of up to €20 million or 4% of global annual turnover for serious violations.

Can an organisation refuse a data subject request?

Yes, in specific circumstances. Organisations can refuse where the request is manifestly unfounded or excessive, where responding would adversely affect the rights of other individuals, or where specific exemptions apply. When refusing, the organisation must inform the individual within one month and explain the reason, along with their right to complain to a supervisory authority.

What must a subject access response include?

A subject access response must include: the categories of personal data held; the purposes for which it is processed; the recipients or categories of recipients; the retention period or criteria used; information about the rights to rectification, erasure, restriction and objection; the right to complain to a supervisory authority; the source of the data if not collected directly; and information about any automated decision-making including profiling.

What are my rights regarding automated decisions?

Under GDPR Article 22, individuals have the right not to be subject to a decision based solely on automated processing — including profiling — that produces legal or similarly significant effects. Exceptions exist where the decision is necessary for a contract, authorised by law, or based on explicit consent. In all cases, individuals must be able to request human review and contest the decision.

Does the right to erasure apply to social media posts?

Generally yes, for the platform. Where a social media platform processes your personal data and the grounds for erasure are met (e.g. you withdraw consent), you can request deletion. However, where content you posted contains information about other individuals, different considerations apply. The platform cannot always delete all traces of content that has been shared by other users.

Can I transfer my data between services under the right to portability?

Where technically feasible, yes. Article 20(2) states that where the individual requests it and it is technically feasible, data must be transmitted directly from one controller to another. Most commonly, portability is exercised by receiving a download of your own data to take elsewhere yourself.

Do GDPR data rights apply to employees?

Yes. Employees are data subjects and hold all GDPR rights in relation to their employer's processing of their personal data — including the right of access to HR records, payroll data and communications involving them. Employers must respond to employee subject access requests under the same rules as for customers.

What is the difference between the right to erasure and the right to restriction?

The right to erasure results in deletion of the data. The right to restriction suspends processing but the data is retained. Restriction is appropriate where the issue is temporary or contested; erasure is appropriate where there is no legitimate basis to retain the data at all.

How do I make a data subject request?

There is no required form. A request can be made verbally or in writing, including by email. The request does not need to quote the specific GDPR article. Best practice is to make requests in writing (email) to create a record of the date, which starts the one-month response clock.