GDPR Data Subject Rights Explained: All Eight Rights (2026)

Under Chapter III of Regulation (EU) 2016/679, the GDPR grants eight enforceable rights to individuals in the European Union: the right to be informed, access, rectification, erasure, restriction of processing, data portability, objection, and rights related to automated decision-making (Articles 13 to 22, with Article 12 setting the procedure). Organisations must respond to a request within one month of receipt, extendable by two further months for complex or numerous requests.
The GDPR gives every individual in the European Union enforceable rights over their own personal data. These rights appear in Chapter III of Regulation (EU) 2016/679 (Articles 12 to 22). They cover the full lifecycle of data: from the moment an organisation first collects it (the right to be informed) through accessing, correcting, deleting, moving, and challenging its use.
Understanding these rights matters in both directions. Individuals need to know what they can demand and how to demand it. Organisations need to know what they are obliged to do, within what timelines, and where exemptions apply.
This article explains all eight rights in detail, covers how data subject access requests (DSARs) work in practice, notes the key CJEU rulings that have shaped interpretation, and addresses the most significant recent developments including the EDPB's coordinated enforcement reports and the Digital Omnibus proposal.
For the broader regulatory framework, see What Is GDPR. For compliance implementation steps, see the GDPR Compliance Checklist. For consent rules in detail, see GDPR Consent Requirements.
Jurisdiction scope: This article addresses data subject rights under EU Regulation (EU) 2016/679 (GDPR). It does not cover UK GDPR (which diverged from EU GDPR after Brexit), or Member State-specific derogations that may apply in particular sectors. For UK-specific rights, consult the ICO.
This article provides general legal information only. It is not legal advice. Consult a qualified data protection lawyer or privacy professional for advice specific to your situation.
The Eight GDPR Data Subject Rights at a Glance
The GDPR's Chapter III establishes eight distinct rights. Article 12 provides the overarching procedural framework: responses must be free of charge (in the first instance), delivered in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The one-month default response deadline runs across all rights.
| Right | Primary Article | Core Content |
|---|---|---|
| Right to be informed | Articles 13 and 14 | Receive privacy information at the point of data collection |
| Right of access | Article 15 | Obtain confirmation and a copy of personal data held |
| Right to rectification | Article 16 | Have inaccurate or incomplete data corrected |
| Right to erasure | Article 17 | Request deletion of personal data |
| Right to restriction of processing | Article 18 | Limit use of data without deleting it |
| Right to data portability | Article 20 | Receive data in a structured, machine-readable format |
| Right to object | Article 21 | Challenge processing based on legitimate interests or direct marketing |
| Rights related to automated decision-making | Article 22 | Challenge decisions made solely by automated systems |

The Right to Be Informed (Articles 13 and 14)
The right to be informed is the foundation on which all other GDPR rights rest. It requires organisations to provide individuals with clear information about what personal data is being collected and how it will be used, before or at the point of collection. Without transparency, individuals cannot meaningfully exercise any of the other seven rights.
Article 13 governs situations where the organisation collects personal data directly from the individual, for example via a web form, app registration, or written application. Article 14 governs situations where personal data is obtained from a third party rather than from the individual themselves.
What Organisations Must Disclose
Under both Articles 13 and 14, organisations must provide at minimum:
- The identity and contact details of the data controller, and of the data protection officer if one is appointed
- The purposes of processing and the legal basis for each purpose
- Where processing relies on legitimate interests, the specific interests pursued
- Any recipients or categories of recipients
- Details of transfers to third countries and the applicable safeguards
- The retention period, or criteria used to determine it
- The existence of all applicable data subject rights and how to exercise them
- The right to withdraw consent, where consent is the legal basis
- The right to lodge a complaint with a supervisory authority
- Under Article 14 only: the categories of personal data concerned, and the source from which the personal data originates, including whether it came from publicly accessible sources
Timing Requirements
For direct collection under Article 13, privacy information must be provided at the time the data is obtained. For indirect collection under Article 14, it must be provided within a reasonable period after obtaining the data and at the latest within one month; if the data will be used to communicate with the individual, at the latest at the first communication; and if disclosure to another recipient is envisaged, at the latest when the data is first disclosed.
The CEF 2026 Enforcement Focus
The EDPB selected Articles 12, 13 and 14 as the topic of its 2026 Coordinated Enforcement Framework (CEF) action. Twenty-five data protection authorities across the EU are participating. The EDPB described the right to be informed as "a core element of transparency that ensures individuals have more control over their data." Enforcement outcomes are expected to generate findings on whether privacy notices in practice meet the GDPR standard.
Right of Access (Article 15)
The right of access is the most commonly exercised GDPR right and the most litigated. Article 15 allows individuals to obtain confirmation of whether an organisation processes their personal data and, if so, to receive a copy of that data together with prescribed supplementary information.
What the Right Covers
Under Article 15(1), the data subject is entitled to:
- Confirmation that processing is occurring
- A copy of the personal data itself
- The purposes of processing
- The categories of personal data concerned
- The recipients or categories of recipients, including those in third countries
- The planned retention period, or criteria used to determine it
- The existence of the rights to rectification, erasure, restriction and objection
- The right to lodge a complaint with a supervisory authority
- Where data was not collected from the individual, information about its source
- Whether automated decision-making including profiling is used, and meaningful information about the logic involved
CJEU Case Law on Article 15
The CJEU has substantially narrowed the discretion controllers previously exercised in responding to access requests.
In Case C-154/21, RW v Österreichische Post AG (judgment of 12 January 2023), the Court held that Article 15(1)(c) requires controllers to disclose the specific identity of recipients to whom personal data has been or will be disclosed, where the data subject asks for it. The controller may fall back on disclosing only categories of recipients where it is impossible to identify them (for example, because the recipients are not yet known) or where it demonstrates that the request is manifestly unfounded or excessive under Article 12(5). This ruling ended the common practice of answering with generic category descriptions.
In Case C-487/21, F.F. v Österreichische Datenschutzbehörde and CRIF GmbH (judgment of 4 May 2023), the Court held that the right to obtain a "copy" under Article 15(3) means the data subject must receive a faithful and intelligible reproduction of all personal data held. That right can extend to copies of extracts from documents, entire documents, or database extracts where necessary to give the individual access to their data in a comprehensible form. Controllers cannot provide a curated or summarised selection.
The EDPB Guidelines 01/2022 on the Right of Access (version 2.0, April 2023) further confirm that controllers cannot limit replies to data they consider "relevant" or "important." Access must cover all personal data held.
CEF 2024 Findings on Right of Access
The EDPB published its CEF 2024 report on the right of access in January 2025, following a coordinated action in which 31 DPAs participated. Recurring challenges included: lack of internal procedures for handling requests; incomplete responses; and overly burdensome identity verification requirements that deterred legitimate requesters.

Right to Rectification (Article 16)
Article 16 gives individuals the right to have inaccurate personal data corrected without undue delay. Individuals can also request that incomplete data be completed, including by providing a supplementary statement.
Scope and Practical Examples
This right applies whenever factual personal data held by an organisation is incorrect or incomplete. Common examples include misspelled names, incorrect addresses, outdated phone numbers, and employment records with wrong dates. A recorded opinion or assessment (a performance review rating, for instance) is not inaccurate merely because the individual disagrees with it, though the record can be challenged if it misstates the opinion actually given or the facts it rests on, and individuals may ask for a supplementary statement to be attached to disputed assessments.
Third-Party Notification Obligation
When a controller rectifies data, Article 19 of the GDPR requires notification to each recipient to whom the data was previously disclosed, unless doing so proves impossible or involves disproportionate effort. The controller must also inform the individual about those recipients if asked.
Right to Erasure / Right to Be Forgotten (Article 17)
Article 17 allows individuals to request deletion of their personal data. The right to erasure, also called the "right to be forgotten," is one of the GDPR's most prominent provisions. It is not absolute: Article 17(3) sets out the situations in which the right does not apply.
Grounds for Erasure
Erasure is required under Article 17(1) when:
- The data is no longer necessary for the purpose for which it was collected or processed
- The individual withdraws consent and no other legal basis applies
- The individual objects under Article 21 and there are no overriding legitimate grounds for the controller
- The data was unlawfully processed
- Erasure is required to comply with an EU or Member State legal obligation
- The data was collected from a child in connection with information society services (Article 8)
Grounds for Refusing Erasure
Under Article 17(3), controllers may refuse erasure when processing is necessary for one of five purposes:
- Exercising the right to freedom of expression and information
- Compliance with a legal obligation (for example, statutory tax record retention), or performing a task carried out in the public interest or in the exercise of official authority
- Public health purposes in the public interest (Article 9(2)(h) and (i), and Article 9(3))
- Archiving in the public interest, scientific or historical research, or statistical purposes, where erasure would render impossible or seriously impair the objective
- Establishing, exercising, or defending legal claims
Watch out: The legal claims exemption is frequently misapplied. Organisations sometimes invoke it pre-emptively to avoid erasure obligations. The exemption requires that legal proceedings are actually pending, threatened, or reasonably anticipated, not that the controller might theoretically face a future claim.
Search Engine Erasure
The right to erasure has particular significance for search engines. Following the Google Spain ruling (Case C-131/12, 2014), individuals may request that search engines delist results about them. The EDPB Guidelines 5/2019 set out the criteria DPAs apply when evaluating delisting requests.
CEF 2025: Challenges in Implementing the Right to Erasure
The EDPB published its CEF 2025 report on the right to erasure in February 2026. Thirty-two DPAs participated across 2025, with nine initiating formal investigations and 23 conducting fact-finding. Seven recurring implementation challenges were identified:
- Organisations relying on inefficient anonymisation techniques as a substitute for deletion
- Inconsistent practices around erasure in backup systems
- Difficulty in determining retention periods and then acting on them
- Controllers struggling to apply the balancing tests under Article 17(3)
- Lack of internal procedures, mirroring the access findings from 2024
- Insufficient information provided to individuals about outcomes of erasure requests
- Inadequate notification to third-party recipients following erasure
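The first finding above is worth making concrete, because "anonymise instead of delete" usually means replacing an identifier with a hash and keeping the rest of the record. The following is an added illustration written for this article; it is not code from the EDPB report, and the three customer records and the candidate list are constructed. It shows that an unsalted SHA-256 of an email address is reversed by anyone who can hash a list of plausible addresses, so the record remains personal data (pseudonymised, in Article 4(5) terms) and the erasure request has not been honoured. Actual erasure removes the record.

```python
import hashlib
from typing import Dict, Iterable, List

# Constructed sample records: not real people, not taken from any EDPB material.
RECORDS: List[dict] = [
    {"id": 1, "email": "alice@example.org", "orders": 3},
    {"id": 2, "email": "bob@example.net", "orders": 1},
    {"id": 3, "email": "carol@example.com", "orders": 7},
]


def normalise(email: str) -> str:
    """Canonical form used on both sides of the comparison."""
    return email.strip().lower()


def hash_identifier(email: str) -> str:
    """Unsalted SHA-256 of the normalised address: the common 'anonymisation' shortcut."""
    return hashlib.sha256(normalise(email).encode("utf-8")).hexdigest()


def weak_anonymise(records: Iterable[dict]) -> List[dict]:
    """Replace the email with its hash but keep every other field of the record."""
    return [{**r, "email": hash_identifier(r["email"])} for r in records]


def reidentify(hashed_records: Iterable[dict], candidates: Iterable[str]) -> Dict[int, str]:
    """Re-link hashed records to identities using a candidate list (a marketing list,
    a breach dump, a public directory). No secret is needed because no salt or key was
    used, so the 'anonymised' data is still personal data for anyone holding such a list."""
    lookup = {hash_identifier(c): normalise(c) for c in candidates}
    return {r["id"]: lookup[r["email"]] for r in hashed_records if r["email"] in lookup}


def erase(records: Iterable[dict], email: str) -> List[dict]:
    """Actual erasure: the record for this individual is removed, so nothing remains
    to be re-identified (backups and downstream copies need the same treatment)."""
    target = normalise(email)
    return [r for r in records if normalise(r["email"]) != target]


if __name__ == "__main__":
    # Constructed candidate list: two of the three addresses plus one that is not present.
    candidates = ["alice@example.org", "carol@example.com", "dave@example.io"]
    print(reidentify(weak_anonymise(RECORDS), candidates))
    print([r["id"] for r in erase(RECORDS, "Alice@Example.org")])
```

The contrast is the point: after `weak_anonymise`, two of the three "anonymised" records are recovered from a three-address candidate list, whereas after `erase` the same lookup returns nothing for that person. Whether a technique counts as anonymisation turns on whether re-identification is reasonably likely for anyone, not only for the controller; keyed hashing (an HMAC with a secret) merely moves the problem to whoever holds the key.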
Right to Restriction of Processing (Article 18)
Article 18 allows individuals to ask an organisation to retain their data but stop actively using it. When restriction is in place, the controller may store the data but cannot process it unless the individual consents, or the processing is necessary for legal claims, protecting another person's rights, or important public interest reasons.
When Restriction Applies
Individuals may request restriction in four circumstances:
- They contest the accuracy of the data, and restriction applies while the controller verifies accuracy
- The processing is unlawful but the individual prefers restriction over erasure
- The controller no longer needs the data but the individual needs it to establish, exercise, or defend legal claims
- The individual has objected under Article 21, and the outcome of the balancing exercise is pending
Practical Effect
Restriction is effectively a "pause" on active processing. The controller must inform the individual before lifting any restriction. This right serves as a middle ground between full erasure and unrestricted processing, and is particularly useful in contested factual disputes or during litigation.
Right to Data Portability (Article 20)
Article 20 gives individuals the right to receive personal data they provided to a controller in a structured, commonly used, and machine-readable format, and to have that data transmitted directly to another controller where technically feasible. The right is designed to reduce vendor lock-in and support switching between competing services.
Conditions for Portability
The right to data portability applies only when two conditions are both met:
- Processing is based on consent (Article 6(1)(a) or Article 9(2)(a)) or on a contract with the individual (Article 6(1)(b))
- Processing is carried out by automated means
Data processed under legitimate interests, legal obligation, or public interest does not attract the portability right.
What Data Is Covered
Portability covers data the individual "provided to" the controller. This includes data actively submitted (form entries, uploaded documents, profile information) and data generated through use of a service (transaction history, usage logs, location data from app use). It does not include inferred or derived data such as risk scores, customer segments, or algorithmic profiling outputs, as these are generated by the controller rather than provided by the individual.
Format Requirements
The data must be provided in a structured, commonly used, and machine-readable format. CSV, JSON, and XML are widely accepted formats. Where technically feasible and at the individual's request, the controller must transmit the data directly to another named controller.
Right to Object (Article 21)
Article 21 allows individuals to object to processing in two distinct scenarios with markedly different legal consequences.
Objection to Legitimate Interest or Public Interest Processing
When processing is based on legitimate interests (Article 6(1)(f)) or public interest (Article 6(1)(e)), individuals may object on "grounds relating to their particular situation." The controller must stop processing unless it can demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms, or the processing is necessary for legal claims.
The burden rests with the controller to conduct a genuine balancing exercise specific to the individual's stated circumstances, not a generic assertion that its interests are weighty.
Absolute Right to Object to Direct Marketing
The right to object to processing for direct marketing is unconditional. Article 21(2) and (3) state that when an individual objects to processing for direct marketing, the controller must stop immediately, for that purpose and for any related profiling. No balancing test applies and no legitimate grounds can override it.
Objection to Research Processing
Individuals may also object to processing for scientific, historical, or statistical research purposes on grounds relating to their particular situation, unless the processing is necessary for a task in the public interest.

Rights Related to Automated Decision-Making and Profiling (Article 22)
Article 22 provides that individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects on them.
The Core Protection
Two conditions must both be present for Article 22 to be engaged:
- The decision is based solely on automated processing, with no meaningful human involvement; profiling (the automated evaluation of personal aspects to analyse or predict something about the individual) is the typical example, not a separate requirement
- The decision produces a legal effect (denial of credit, visa, or employment) or a similarly significant effect (denial of insurance, exclusion from services, severe financial or social consequences)
Permitted Exceptions
Article 22(2) permits solely automated decisions with legal or similarly significant effects in three circumstances:
- The decision is necessary for entering into or performing a contract with the individual
- It is authorised by EU or Member State law with suitable safeguards
- It is based on the individual's explicit consent
Mandatory Safeguards
Where an exception applies, the controller must implement suitable measures to protect the individual's rights. At minimum, the individual must have the right to:
- Obtain human intervention in the decision
- Express their point of view before or after the decision is made
- Contest the decision
The controller must also provide meaningful information about the logic involved in the automated system and the significance and envisaged consequences of the decision for the individual.
Interaction with the EU AI Act
The EU AI Act (Regulation (EU) 2024/1689, in force from August 2024 with core provisions applying from August 2026) introduces overlapping obligations for high-risk AI systems. High-risk AI systems listed in Annex III, covering credit scoring, employment decisions, access to essential services, and migration, must meet transparency, human oversight, and accuracy requirements under the AI Act in addition to any Article 22 GDPR obligations. Where both regimes apply, both sets of obligations must be satisfied. The EDPB and the EU AI Office are expected to provide coordinated guidance on the interaction of Article 22 and the AI Act as the Act's provisions come into full force during 2026.
How Data Subject Access Requests (DSARs) Work in Practice
Article 12 provides the procedural framework that governs responses to all data subject rights requests.
Making a Request
Individuals do not need to use specific legal language or reference any GDPR article. Any clear communication that identifies what the individual wants is sufficient. Requests may be made by email, web form, letter, telephone, or any other channel the controller operates.
The One-Month Deadline
Controllers must respond without undue delay and in any event within one month of receiving the request. The EDPB reads this as a calendar month ending on the corresponding date of the following month (a request received on 5 March must be answered by 5 April); where the following month has no such date, the period ends on its last day (a request received on 31 January falls due on 28 or 29 February). If the last day falls on a weekend or public holiday in the controller's jurisdiction, the deadline extends to the next working day.
Extensions
For complex requests, or where an individual has submitted numerous requests simultaneously, the deadline may be extended by a further two months (three months total). To use the extension, the controller must notify the individual within the first calendar month and explain the reason for the extension. Failure to send the extension notice within the first month means the controller cannot rely on the extension.
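Anyone building DSAR intake tooling ends up encoding these deadline rules, and the edge cases (month-end, weekends, a late extension notice) are where tickets go overdue. The following is an added example written for this article, not code from any regulator or vendor. It implements the rules as described above: the period runs from the date of receipt to the corresponding date one month later, falls back to the last day of the month when no such date exists, rolls forward over weekends and any public holidays supplied by the caller (the holiday set is a constructed input, since holidays depend on the controller's jurisdiction), and honours an extension to three months only if the notice was sent on or before the first-month deadline.

```python
from __future__ import annotations

import calendar
from datetime import date, timedelta
from typing import FrozenSet, Optional, Tuple


def add_months(start: date, months: int) -> date:
    """Same calendar date `months` later. If the target month has no such date
    (31 January + 1 month), the period ends on the last day of that month."""
    year = start.year + (start.month - 1 + months) // 12
    month = (start.month - 1 + months) % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def roll_to_working_day(day: date, holidays: FrozenSet[date]) -> date:
    """A deadline landing on a Saturday, Sunday or listed public holiday moves
    to the next working day."""
    while day.weekday() >= 5 or day in holidays:
        day += timedelta(days=1)
    return day


def response_deadline(received: date,
                      holidays: FrozenSet[date] = frozenset(),
                      extension_notice_sent: Optional[date] = None) -> date:
    """Deadline for answering a rights request under Article 12(3).

    Default: one month from receipt. If the controller sent an extension notice
    on or before that first deadline, the period becomes three months from
    receipt. A notice sent after the first deadline is ignored, because the
    extension can no longer be relied on.
    """
    first_deadline = roll_to_working_day(add_months(received, 1), holidays)
    notice_in_time = (extension_notice_sent is not None
                      and received <= extension_notice_sent <= first_deadline)
    if notice_in_time:
        return roll_to_working_day(add_months(received, 3), holidays)
    return first_deadline


def deadline_iso(received: str,
                 extension_notice_sent: Optional[str] = None,
                 holidays: Tuple[str, ...] = ()) -> str:
    """String front-end for ticketing systems that store ISO dates."""
    notice = date.fromisoformat(extension_notice_sent) if extension_notice_sent else None
    return response_deadline(date.fromisoformat(received),
                             frozenset(date.fromisoformat(h) for h in holidays),
                             notice).isoformat()


if __name__ == "__main__":
    # 5 April 2026 is a Sunday, so the article's 5 March example rolls to Monday 6 April.
    print(deadline_iso("2026-03-05"))
    # Constructed holiday: if 6 April is also a public holiday, it rolls once more.
    print(deadline_iso("2026-03-05", holidays=("2026-04-06",)))
    # 31 January + 1 month has no 31 February: falls back to 28 Feb 2026, a Saturday.
    print(deadline_iso("2026-01-31"))
    # Extension notice sent inside the first month: three months from receipt.
    print(deadline_iso("2026-03-05", extension_notice_sent="2026-03-20"))
    # Extension notice sent after the first deadline: ignored.
    print(deadline_iso("2026-03-05", extension_notice_sent="2026-04-10"))
```

The `received <= extension_notice_sent <= first_deadline` check is the control worth keeping: a workflow that lets staff mark a request "extended" after the first month has already passed quietly converts a breach of Article 12(3) into an apparently compliant ticket.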
Fees
The first response to any rights request must be provided free of charge. A reasonable administrative fee may be charged only for manifestly unfounded or excessive requests, particularly those that are repetitive. The controller bears the burden of demonstrating that a request meets this threshold. The bar is high; a routine request from an individual who has not previously made the same request is not excessive.
Identity Verification
Controllers may request information to verify the identity of the requester, but only where genuine doubt exists. Verification measures must be proportionate. Controllers may not impose disproportionate verification hurdles as a deterrent. For online accounts, asking the user to authenticate through existing account credentials is generally sufficient. Requesting passport copies or government ID is typically disproportionate unless the data at issue is particularly sensitive or the circumstances specifically warrant it.
When Requests Can Be Refused
Controllers may decline to act on requests that are manifestly unfounded or excessive. If a request is refused, the controller must inform the individual of:
- The reasons for the refusal
- Their right to lodge a complaint with a supervisory authority
- Their right to seek a judicial remedy
The controller cannot ignore the request. Even a refusal must be communicated within the one-month deadline.
Filing a Complaint
Every EU Member State has at least one national data protection authority where individuals may file complaints free of charge. The EDPB maintains a full list of all national supervisory authorities with their contact details. Prominent authorities include the CNIL (France), the Irish DPC (lead supervisory authority for many US-headquartered technology companies whose EU main establishment is in Ireland), the Belgian APD/GBA, and in Germany the federal BfDI together with the Länder authorities that supervise most private-sector controllers.
Exemptions and Limits on Data Subject Rights
Data subject rights are not unlimited. Article 23 (read with Recital 73) permits Member States to restrict the rights in Articles 12 to 22 by legislative measure, provided the restriction respects the essence of fundamental rights and is necessary and proportionate to safeguard:
- National security, public security, and defence
- Prevention, investigation, and prosecution of criminal offences
- Other important public interest objectives of the EU or a Member State, including public health, social protection, and taxation
- Protection of judicial independence
- Enforcement of civil law claims
- The rights and freedoms of other individuals
Organisations operating across multiple EU Member States must identify whether any applicable Member State derogations apply to their processing in each jurisdiction.
Recent Developments (2024 to 2026)
EDPB Coordinated Enforcement: Systemic Gaps Across All Rights
The EDPB's annual Coordinated Enforcement Framework actions have now covered the right of access (2024) and the right to erasure (2025). Both reports identified the same systemic deficiencies: organisations lack internal procedures for handling rights requests; responses are incomplete or delayed; verification requirements are disproportionate; and notification to third-party recipients of corrections or deletions is inconsistently applied.
The 2026 action focuses on Articles 12 to 14 (transparency and information). Given the pattern of previous years, similar systemic gaps in the quality and accessibility of privacy notices are likely to surface. Enforcement outcomes across the 25 participating DPAs are expected by late 2026.
CJEU: Narrowing Controllers' Discretion
The CJEU's access jurisprudence has consistently narrowed controllers' room to limit compliance. Case C-154/21 (January 2023) requires disclosure of actual recipient identities where identifiable. Case C-487/21 (May 2023) requires a full and faithful copy of all personal data. Subject access responses that were common practice until 2022 (summary tables, category-only descriptions, curated selections) are now non-compliant.
The Digital Omnibus Proposal (November 2025)
The European Commission published its Digital Omnibus Package on 19 November 2025, proposing targeted GDPR amendments as part of a broader simplification initiative. The proposals most relevant to data subject rights include:
- A new discretionary ground for controllers to refuse or charge for DSARs where the individual is found to be abusing rights "for purposes other than the protection of their data." This targets scenarios such as employment litigation where DSARs are used instrumentally rather than for genuine privacy protection.
- A proposed narrowing of Article 13 transparency requirements in limited circumstances: where data is collected directly from the individual, it is reasonable to assume the individual already has the information, and the controller's activity is not data-intensive. This exemption would not apply where automated processing, profiling, or data transfers are involved.
- An explicit unconditional right to object to processing of personal data for AI training.
These are proposals only. The package is in trilogue negotiations between the European Parliament, Council, and Commission. The current GDPR rights described in this article remain fully in force and unchanged until any amending regulation is published in the Official Journal.
More GDPR Guides
- What Is GDPR for a comprehensive overview of the regulation and its legal basis
- GDPR Consent Requirements for valid consent standards and how consent interacts with data subject rights
- GDPR Compliance Checklist for a step-by-step compliance implementation guide
- GDPR Fines and Penalties for enforcement data and the consequences of non-compliance
- GDPR Breach Notification 72-Hour Rule for breach reporting obligations
- EU Data Privacy Laws for the complete EU data protection overview
Disclaimer
This article provides general legal information about data subject rights under Regulation (EU) 2016/679 (GDPR). It covers EU GDPR only and does not address UK GDPR or Member State-specific derogations. The information was verified as of 19 May 2026. The GDPR is a living instrument: supervisory authority guidance, CJEU rulings, and enforcement decisions continually refine how its provisions are interpreted. This article is not a substitute for legal advice. Consult a qualified data protection lawyer or privacy professional licensed in your jurisdiction for advice specific to your situation.
Authorities Cited
- Regulation (EU) 2016/679 (GDPR): Full Official Text. https://eur-lex.europa.eu/eli/reg/2016/679/oj
- GDPR Article 12: Transparent information, communication and modalities. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
- EDPB Guidelines 01/2022 on the Right of Access, version 2.0 (April 2023). https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf
- EDPB Guidelines 5/2019 on the Right to Be Forgotten in Search Engines. https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201905_rtbfsearchengines_afterpublicconsultation_en.pdf
- CJEU Case C-154/21, RW v Österreichische Post AG, judgment of 12 January 2023. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62021CJ0154
- CJEU Case C-487/21, F.F. v Österreichische Datenschutzbehörde and CRIF GmbH, judgment of 4 May 2023. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62021CJ0487
- EDPB: Identifies challenges hindering full implementation of the right to erasure (February 2026). https://www.edpb.europa.eu/news/news/2026/edpb-identifies-challenges-hindering-full-implementation-right-erasure_en
- EDPB CEF Report 2025: Implementation of the Right to Erasure. https://www.edpb.europa.eu/system/files/2026-02/edpb_cef-report_2025_right-to-erasure_en.pdf
- EDPB: CEF 2026 launch: coordinated enforcement on transparency and information obligations. https://www.edpb.europa.eu/news/news/2026/cef-2026-edpb-launches-coordinated-enforcement-action-transparency-and-information_en
- EDPB: CEF 2024: challenges to full implementation of the right of access (January 2025). https://www.edpb.europa.eu/news/news/2025/cef-2024-edpb-identifies-challenges-full-implementation-right-access_en
- European Commission: Information for Individuals on GDPR Rights. https://commission.europa.eu/law/law-topic/data-protection/information-individuals_en
- European Commission: Handling Data Subject Rights Requests. https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations/dealing-citizens/how-should-requests-individuals-exercising-their-data-protection-rights-be-dealt_en
- EDPB: National Supervisory Authorities (Members). https://edpb.europa.eu/about-edpb/about-edpb/members_en
Last updated: 2026-05-19. GDPR provisions cited reflect Regulation (EU) 2016/679 as in force as of 2026-05-19. The Digital Omnibus proposals (November 2025) are pending trilogue and have not amended GDPR as of this date.
Frequently Asked Questions
What are the eight GDPR data subject rights?
The eight rights under GDPR Chapter III are: (1) the right to be informed (Articles 13 and 14), (2) the right of access (Article 15), (3) the right to rectification (Article 16), (4) the right to erasure, also called the right to be forgotten (Article 17), (5) the right to restriction of processing (Article 18), (6) the right to data portability (Article 20), (7) the right to object (Article 21), and (8) rights related to automated decision-making and profiling (Article 22). Article 12 governs the procedural obligations that apply across all rights.
How do I make a GDPR data subject access request?
Contact the organisation that holds your data through any available channel: email, letter, web form, or telephone. Clearly state that you want to access your personal data. You do not need to cite Article 15 or use the phrase 'subject access request.' The organisation must respond within one calendar month and provide the first copy free of charge. Keep a record of your request and when you sent it. If the organisation does not respond within one month, or refuses without adequate explanation, file a complaint with your national data protection authority.
Can an organisation charge a fee for a DSAR?
The first response to a data subject access request must be provided free of charge. A reasonable administrative fee may be charged only for manifestly unfounded or excessive requests, in particular where requests are repetitive. The controller must demonstrate why the request meets that threshold. The bar is high; a routine request from someone who has not previously made the same request is not excessive.
Is the right to erasure absolute under the GDPR?
No. Article 17(3) GDPR sets out five circumstances in which the right to erasure does not apply: where processing is necessary for exercising freedom of expression and information; for compliance with a legal obligation or for a task carried out in the public interest or in the exercise of official authority; for public health purposes in the public interest; for archiving in the public interest, scientific or historical research, or statistical purposes where erasure would render impossible or seriously impair the objective; or for establishing, exercising, or defending legal claims. Organisations must assess each request against these exemptions individually.
What is the difference between erasure and restriction of processing?
The right to erasure (Article 17) requires the organisation to delete the personal data entirely. The right to restriction of processing (Article 18) requires the organisation to stop actively using the data but allows it to continue storing it. Restriction is appropriate as an interim measure, for example when the individual contests accuracy and wants the data preserved while the controller verifies it, or when the individual needs the data retained for a legal claim.
How long does an organisation have to respond to a rights request?
One calendar month from the date the request is received, ending on the corresponding date of the following month (or its last day, if no such date exists), and rolling to the next working day if it falls on a weekend or public holiday. For complex requests or where the same individual has submitted numerous requests, the deadline may be extended by up to two additional months (three months total). The organisation must inform the individual of the extension and the reason for it within the first calendar month. If no extension notice is sent within that period, the one-month deadline stands.
Does the right to data portability apply to all my personal data?
No. The right to data portability under Article 20 applies only when two conditions are both met: the processing is based on consent or on a contract with the individual, and the processing is carried out by automated means. It does not apply to data processed under legitimate interests, legal obligation, or public interest. It also covers only data the individual provided to the controller, not inferred or derived data such as risk scores, customer segments, or profiling outputs.
Can I challenge a decision made by an algorithm or AI system?
Yes, in certain circumstances. Article 22 GDPR gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, where the decision produces a legal effect or a similarly significant effect. When such decisions are permitted under one of Article 22(2)'s exceptions, the individual must be given the right to obtain human intervention, express their point of view, and contest the decision. For AI systems classified as high-risk under the EU AI Act, additional transparency and human oversight obligations also apply.
What happens if I object to direct marketing?
The right to object to direct marketing under Article 21(2) and (3) is absolute and immediate. Once you object, the organisation must stop processing your data for direct marketing purposes, including any profiling related to that marketing. No balancing test applies and no legitimate grounds can override it.
What is the Digital Omnibus proposal and does it change my GDPR rights?
The European Commission published the Digital Omnibus Package in November 2025, proposing targeted amendments to the GDPR. The proposals include a new ground to refuse DSARs where the individual is found to be abusing the right, a narrowed transparency exemption in limited circumstances, and an explicit right to object to processing for AI training. These are proposals only and have not been adopted. All existing GDPR data subject rights described in this article remain fully in force and unchanged until any amending regulation is published in the Official Journal of the EU.