Rules & Requirements —
Understanding GDPR Data Subject Rights
GDPR grants data subjects rights such as access, correction, erasure, portability, and compliant responses.
Share this article
GDPR Data Subject Rights: All 8, Explained
Most lists of GDPR rights only mention seven. There are actually eight — the right to be informed gets left off a lot, which is a little ironic, since it's the right that makes all the others possible. You can't ask to see your data, fix it, or delete it if you never knew a company had it in the first place.
Here's all eight, plus the deadlines and exceptions that actually matter when you're the one responding to a request.
1. The Right to Be Informed
People have the right to know what data you're collecting, why, and what you're doing with it. Most companies handle this through a privacy notice, but it's not just a checkbox — the information actually has to be clear, not buried in legal language nobody reads.
2. Right of Access
Someone can ask for a copy of their own data. You have one month to respond, and the first copy has to be free. If they ask for more copies after that, you're allowed to charge a reasonable fee.
3. Right to Rectification
If someone's data is wrong or incomplete, they can ask you to fix it. Same one-month clock. And here's the part people forget: if you already shared that wrong data with someone else, you're supposed to tell them about the correction too, unless that's genuinely not possible.
4. Right to Erasure ("Right to Be Forgotten")
This is the one everyone's heard of, and it's also the one most people get wrong, because it's not absolute. You have to delete someone's data if, for example, you don't need it anymore, they've pulled their consent, or you were processing it unlawfully to begin with.
But you can say no in specific situations — if you need the data for a legal obligation, for public interest reasons, to defend yourself in a legal claim, for scientific or historical research, or for freedom of expression and information. If you decline, you have to tell the person why.
5. Right to Restrict Processing
This one's quieter than erasure. Instead of deleting the data, you just stop actively using it — but you can still store it. This shows up a lot when someone disputes the accuracy of their data and wants it frozen while you sort out who's right.
6. Right to Data Portability
People can ask for their data in a format they can actually reuse — and ask you to send it straight to another company if they want. This only applies to data they gave you directly, based on consent or a contract, and only if it was processed automatically. So it's narrower than it sounds.
7. Right to Object
People can object to certain kinds of processing — direct marketing is the big one, and there's no wiggle room there. If someone objects to marketing, you have to stop. Full stop, no exceptions.
This right is actually in the news right now. Meta has argued it can use people's data to train AI under "legitimate interest," without needing opt-in consent first. The privacy group noyb disagrees and has challenged it, with potential legal exposure reportedly in the hundreds of billions of euros range. However that plays out, it's a live example of how far "the right to object" can stretch when AI training data is involved.
8. Rights Related to Automated Decision-Making
People can push back on a decision made entirely by an algorithm if it has a real legal or otherwise significant effect on them — think automated loan denials or hiring screens. They can ask for an actual human to review it instead.
The Deadlines, in Plain Terms
One month from when you receive the request. If it's genuinely complex, or you're dealing with a flood of requests from the same person, you can stretch that to three months total — but you have to tell them about the extension within that first month. Miss that window, and the original one-month deadline just stands, extension or not.
Why This Actually Matters Day to Day
This isn't just a legal obligation sitting in a drawer — these requests are increasing fast. Some reports show access requests growing 50% in just two years. If you don't have a real process for finding someone's data across your systems, verifying who they are, and responding on time, you're going to get caught flat-footed the first time someone actually asks.
Controllers carry primary responsibility for fulfilling these rights — see GDPR: Controller vs. Processor Responsibilities for how that responsibility splits when a processor's involved too. And all eight rights ultimately trace back to the seven core GDPR principles, particularly transparency and accountability.
Where This Connects to Other Frameworks
A lot of the groundwork for handling these requests well — knowing where your data lives, having access controls, keeping good records — overlaps with what ISO 27001 and SOC 2 already expect. If you've built solid data mapping and access governance for either of those, you're most of the way to handling GDPR rights requests smoothly too.
In the Spotlight

Start your GDPR compliance journey with DSALTA's complete checklist.
The General Data Protection Regulation (GDPR) is Europe’s core privacy law, shaping how organizations collect, process, and protect the personal data of EU residents. Non-compliance can result in heavy fines, reputational damage, and loss of customer trust.
GDPR can feel complicated with its broad scope and strict requirements, but DSALTA® makes it manageable. With automated evidence collection, continuous monitoring, and AI- driven risk insights, you can maintain compliance without drowning in manual work. Use this checklist to guide your GDPR journey.
Read more about GDPR compliance with DSALTA.
Stop losing deals to compliance.
Get compliant. Keep building.
Join 100s of startups who got audit-ready in days, not months.




