Data Subject Rights

Read more about data subject rights, meaning the rights of an identifiable natural person under the General Data Protection Regulation (GDPR).

Explained – Understanding data subject rights and the right to be forgotten

Data subject rights are a core concept in GDPR and refer to the rights an individual enjoys when their personal data are processed. These rights are set out in Chapter 3, Articles 12–23 GDPR, and are designed to give individuals control over their personal data. They apply to anyone who is identified or identifiable through the personal data processing in question. Typical contexts include data protection, privacy rights and compliance work within organisations.

When do data subject rights, including the right to be forgotten, arise?

Data subject rights arise whenever an organisation collects, stores or otherwise processes personal data. This applies in relation to customers, employees and other data subjects. For example, an individual may submit a data subject access request (DSAR), ask for inaccurate information to be rectified, or object to direct marketing.


Key considerations for the right to be forgotten and data subject rights

Organisations should maintain clear procedures to handle requests concerning data subject rights in accordance with GDPR. Important aspects to consider include:

  • Maintain documented processes for receiving and handling requests.
  • Ensure responses are provided within the timeframe specified by GDPR.
  • Verify the identity of the requester before taking action.
  • Provide clear information on the rights in the privacy notice and at the point of collection.
  • Provide information free of charge unless a request is manifestly unfounded or excessive.
  • Deliver data protection training for employees to ensure correct handling.
  • Document all actions taken to demonstrate accountability under GDPR.

By working systematically with these points, organisations reduce the risk of non-compliance and administrative fines.

Frequently asked questions about data subject rights

They are the statutory rights individuals have vis-à-vis the controller under Chapter 3 GDPR.

Chapter 3 covers the right to information, right of access, right to rectification, right to erasure (the right to be forgotten), right to restriction of processing, right to data portability, right to object, and rights related to automated decision-making and profiling.

Organisations should have processes to handle a DSAR promptly and correctly. This typically includes:

  • Acknowledge receipt of the request.
  • Verify the identity of the data subject.
  • Respond within one month (sometimes a shorter or longer deadline may apply).

A request may be refused if it is manifestly unfounded or excessive, or if it conflicts with other legal obligations binding on the organisation.

Providing this information ensures transparency and GDPR compliance. It is part of the duty to inform under Articles 13 and 14, and helps build trust.

The right of access allows a data subject to know which data are processed and why. The right to data portability allows the data subject to receive their personal data in a structured, machine-readable format to transfer them to another controller.

Related terms you may encounter include: GDPR data subject rights, right to information, right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, rights related to automated decision-making, personal data processing, identifiable natural person, data protection, employee privacy rights.
