GDPR is built around the idea that people should control their own personal data, and it backs that up with eight enforceable rights. For organisations, the obligation is practical: you must recognise these rights and respond properly and on time. Handling them well is a visible, frequently tested part of GDPR compliance.
This guide explains all eight data subject rights, the deadlines and rules that apply across them, and how to build a workflow that handles requests reliably.
Rights put people in control
At the heart of GDPR is a shift of power toward individuals. The regulation grants eight data subject rights that let people understand, access and control how their personal data is used. Honouring them is not optional, and failures here are among the most common triggers for complaints.
You must have working processes to recognise and respond to each right, usually within one month. Below we explain all eight, then cover the practical rules that apply across them.
The eight rights at a glance
The table summarises the eight rights before we look at each in turn.
| Right | What it lets people do |
|---|---|
| 1. Be informed | Know who you are and how their data is used (via a privacy notice). |
| 2. Access | Obtain a copy of their data and details of the processing. |
| 3. Rectification | Have inaccurate or incomplete data corrected. |
| 4. Erasure | Have data deleted in defined circumstances (“right to be forgotten”). |
| 5. Restrict processing | Limit how their data is used while an issue is resolved. |
| 6. Data portability | Receive and reuse their data in a portable format. |
| 7. Object | Object to processing, including direct marketing. |
| 8. Automated decisions | Not be subject to solely automated decisions with significant effects. |
1. The right to be informed
People have the right to know who you are, what data you collect, why, and who you share it with — usually through a clear privacy notice. Where you obtain data from a third party rather than the person, you must still tell them within a reasonable period.
This right underpins transparency: people cannot exercise their other rights if they don’t know what you are doing with their data in the first place.
2. The right of access
The right of access lets people obtain a copy of their personal data and information about how it is processed — commonly exercised through a data subject access request (DSAR). You must respond within a month, usually free of charge.
Access requests can be wide-ranging, so a reliable process to find, review and provide the data is essential. This is often the most resource-intensive right to handle.
3. The right to rectification
People can ask you to correct inaccurate personal data or complete data that is incomplete. You should act without undue delay and, where you have shared the data, tell recipients of the correction where feasible.
Accuracy matters most where decisions are made about people, so this right links closely to the accuracy principle.
4. The right to erasure
The right to erasure — the “right to be forgotten” — lets people have their data deleted in specific circumstances, such as when it is no longer needed or consent is withdrawn. It is not absolute: exemptions apply, for example where you must keep data to meet a legal obligation.
Even when you decline, you must respond and explain your reasoning rather than simply ignoring the request.
5. The right to restrict processing
People can ask you to limit how you use their data — for example while a dispute about accuracy or a pending objection is resolved. When processing is restricted, you may store the data but generally not otherwise use it without consent.
Restriction is a useful middle ground: it pauses processing without necessarily deleting the data.
6. The right to data portability
Where processing is based on consent or contract and carried out by automated means, people can ask to receive their data in a structured, commonly used, machine-readable format — and to have it transmitted to another provider where technically feasible.
This right supports competition and user choice, letting people move their data between services.
7. The right to object
People can object to processing in certain cases, including processing based on legitimate interests or public task. For direct marketing, the right is absolute — if someone objects, you must stop, immediately and without exception.
Maintaining suppression lists and an easy objection mechanism is essential to honour this right reliably.
8. Rights around automated decisions
People have the right not to be subject to a decision based solely on automated processing — including profiling — that has legal or similarly significant effects, unless specific conditions apply. Where such processing is allowed, people can obtain human intervention, express their view and contest the decision.
This right is increasingly important as automated and AI-driven decision-making spreads.
The one-month deadline
You must respond to rights requests without undue delay and within one month. You can extend by a further two months for complex or numerous requests, but you must tell the person within the first month and explain why.
Missing the deadline is a clear and easily evidenced failing, so a tracked workflow with reminders is important.
Identity checks and fees
Requests are usually free, though you may charge a reasonable fee or refuse where a request is manifestly unfounded or excessive. You can — and should — verify the requester’s identity before releasing data, using proportionate checks so you don’t disclose data to the wrong person.
Striking the balance — verifying identity without making the process obstructive — is part of handling requests well.
Exemptions and third-party data
Rights are not unlimited. Exemptions can apply — for legal privilege, crime prevention, or others’ rights — and when responding to access requests you must avoid disclosing third-party personal data without consideration. The trick is to honour the right while respecting these limits.
Document your reasoning whenever you rely on an exemption, so you can justify the decision if challenged.
Building a rights workflow
The practical answer to all eight rights is a single, well-designed workflow: a clear way for people to make requests, identity verification, a process to find and review the relevant data, deadline tracking, and templates for responses. With that in place, requests become routine rather than fire drills.
ISpectra Technologies helps organisations build exactly this — turning data subject rights from a source of risk into a smooth, demonstrable part of GDPR compliance.
In one paragraph
GDPR gives individuals eight rights: to be informed, to access their data, to rectification, to erasure, to restrict processing, to data portability, to object, and not to be subject to solely automated decisions with significant effects. You must respond to requests within one month (extendable for complex cases), usually for free, after verifying identity, while respecting exemptions and third-party data. The right to object to direct marketing is absolute. The reliable way to honour them all is a single tracked workflow — intake, verification, search, review, response — that turns rights handling from a scramble into a routine.
Why getting rights right matters
Data subject rights are where GDPR becomes visible to ordinary people, and where mishandling is most likely to generate a complaint to a regulator. A botched access request, an ignored objection, or a missed deadline turns a routine interaction into a grievance — and regulators take a dim view of organisations that cannot honour the rights they are legally required to provide.
Handled well, the opposite is true: responding promptly and helpfully to a request builds trust and signals that you take data protection seriously. The investment in a solid rights workflow therefore pays back twice — reducing regulatory risk and improving how customers experience your organisation.