Data Subject Rights
Data subject rights are the legally enforceable entitlements that individuals hold over personal data processed about them. This reference provides lookup specifications for rights under the General Data Protection Regulation (GDPR) and equivalent frameworks, covering response requirements, exemptions, and verification procedures. For rights specific to survivors in protection contexts, see Survivor Data Rights.
Rights Enumeration
- Right of access
- The entitlement to obtain confirmation of whether personal data is being processed and, if so, to receive a copy of that data along with supplementary information about the processing.
- Right to rectification
- The entitlement to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure
- The entitlement to have personal data deleted when specific conditions are met, commonly known as the “right to be forgotten”.
- Right to restriction
- The entitlement to limit processing of personal data to storage only, suspending other processing activities.
- Right to data portability
- The entitlement to receive personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.
- Right to object
- The entitlement to prevent processing based on legitimate interests, direct marketing, or research and statistics.
- Rights related to automated decision-making
- The entitlement not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, and to obtain human intervention.
GDPR Rights Specifications
| Right | GDPR Article | Trigger conditions | Response deadline | Extension permitted |
|---|---|---|---|---|
| Access | Art. 15 | Any request for personal data | 1 calendar month | +2 months if complex |
| Rectification | Art. 16 | Data is inaccurate or incomplete | 1 calendar month | +2 months if complex |
| Erasure | Art. 17 | One of six grounds applies | 1 calendar month | +2 months if complex |
| Restriction | Art. 18 | One of four grounds applies | 1 calendar month | +2 months if complex |
| Portability | Art. 20 | Processing is automated and based on consent or contract | 1 calendar month | +2 months if complex |
| Object | Art. 21 | Processing based on legitimate interests or direct marketing | Without undue delay | None for direct marketing |
| Automated decisions | Art. 22 | Decision is solely automated with legal/significant effect | 1 calendar month | +2 months if complex |
Equivalent Framework Comparison
Organisations operating across multiple jurisdictions encounter variations in rights frameworks. The following table maps GDPR rights to equivalent provisions in other major data protection laws.
| Right | UK GDPR | Brazil LGPD | South Africa POPIA | Kenya DPA 2019 | California CCPA/CPRA |
|---|---|---|---|---|---|
| Access | Art. 15 | Art. 18(II) | Sec. 23 | Sec. 26 | §1798.100 |
| Rectification | Art. 16 | Art. 18(III) | Sec. 24 | Sec. 27 | §1798.106 |
| Erasure | Art. 17 | Art. 18(VI) | Sec. 24 | Sec. 28 | §1798.105 |
| Restriction | Art. 18 | Art. 18(IV) | Not explicit | Not explicit | Limited |
| Portability | Art. 20 | Art. 18(V) | Sec. 24 | Sec. 29 | §1798.130 |
| Object | Art. 21 | Art. 18(IV) | Sec. 11(3) | Sec. 30 | Opt-out only |
| Automated decisions | Art. 22 | Art. 20 | Sec. 71 | Sec. 31 | §1798.185 |
Response deadlines by jurisdiction:
| Jurisdiction | Standard deadline | Maximum with extension | Extension notification |
|---|---|---|---|
| EU GDPR | 1 month | 3 months | Within 1 month |
| UK GDPR | 1 month | 3 months | Within 1 month |
| Brazil LGPD | 15 days | Not specified | Not specified |
| South Africa POPIA | 30 days | Not specified | Not specified |
| Kenya DPA | 30 days | 60 days | Reasonable time |
| California CCPA/CPRA | 45 days | 90 days | Within 45 days |
Response Requirements
The response to a data subject request must satisfy both content and format requirements. Content requirements define what information the response must include. Format requirements specify how that information must be delivered.
Access Request Response Content
A response to an access request under GDPR Article 15 must include all of the following elements when applicable to the processing activities:
| Element | Description | Source |
|---|---|---|
| Confirmation | Statement confirming whether personal data is processed | Art. 15(1) |
| Copy of data | The personal data undergoing processing | Art. 15(3) |
| Processing purposes | Each purpose for which data is processed | Art. 15(1)(a) |
| Data categories | Types of personal data processed | Art. 15(1)(b) |
| Recipients | Organisations to whom data has been or will be disclosed | Art. 15(1)(c) |
| Retention period | How long data will be stored, or criteria used to determine this | Art. 15(1)(d) |
| Rights notification | Information about rectification, erasure, restriction, and objection rights | Art. 15(1)(e) |
| Complaint right | Right to lodge complaint with supervisory authority | Art. 15(1)(f) |
| Source information | Where data was not collected from the individual, the source | Art. 15(1)(g) |
| Automated decision logic | Meaningful information about logic, significance, and consequences | Art. 15(1)(h) |
| Transfer safeguards | For international transfers, the safeguards applied | Art. 15(2) |
Response Format Specifications
| Delivery method | When required | Format specification |
|---|---|---|
| Electronic | Request submitted electronically | Common electronic form (PDF, structured data) |
| Paper | Request submitted on paper or individual preference | Printed copy, posted to verified address |
| Verbal | Individual requests verbal explanation | In-person or telephone, with identity verification |
| Machine-readable | Portability requests | JSON, XML, CSV, or equivalent structured format |
For portability requests specifically, the format must be structured, commonly used, and machine-readable. Acceptable formats include JSON, XML, and CSV. Proprietary formats that require specific software to read do not satisfy the requirement.
Fee and Charging Rules
The default position is that responses are provided free of charge. Fees are permitted only in specific circumstances.
| Circumstance | Fee permitted | Maximum amount |
|---|---|---|
| First request | No | N/A |
| Manifestly unfounded request | Yes | Reasonable administrative cost |
| Excessive requests | Yes | Reasonable administrative cost |
| Additional copies (access) | Yes | Reasonable administrative cost |
| Portability request | No | N/A |
Manifestly unfounded applies when the individual has no intention of exercising their rights, such as requests intended solely to cause disruption. Mere inconvenience to the organisation does not qualify.
Excessive requests applies when an individual submits requests more frequently than reasonable. The threshold depends on context: monthly requests for slowly-changing data are excessive, while monthly requests during an active dispute are not.
Reasonable administrative cost means the direct cost of providing the response, including staff time and materials. Organisations must be prepared to justify any fee charged. A worked example: if providing a second copy requires 2 hours of staff time at £25/hour plus £5 for secure postage, a fee of £55 is justifiable.
Exemptions and Limitations
Not all requests must be fulfilled. Legal exemptions limit or disapply certain rights in specific circumstances. Organisations must assess each request against applicable exemptions and document the justification when an exemption is applied.
GDPR Exemptions by Right
| Right | Exemption category | Condition | Effect |
|---|---|---|---|
| Access | Legal professional privilege | Data covered by legal privilege | Complete exemption |
| Access | Third-party data | Response would disclose another person’s data | Redaction or refusal |
| Access | Repetitive requests | Same information recently provided | May refuse or charge |
| Erasure | Legal obligation | Retention required by law | Complete exemption |
| Erasure | Legal claims | Data needed for legal proceedings | Complete exemption |
| Erasure | Public interest archiving | Archiving in public interest, research, statistics | Complete exemption |
| Erasure | Freedom of expression | Journalism, academic, artistic, literary purposes | Requires balancing test |
| Portability | Technical infeasibility | Not technically possible to provide format | Limited exemption |
| Object | Compelling legitimate grounds | Controller demonstrates overriding interests | Overrides objection |
| Object | Legal claims | Processing necessary for legal claims | Overrides objection |
UK-Specific Exemptions
The UK Data Protection Act 2018 provides additional exemptions not present in the GDPR:
| Exemption | Schedule | Rights affected | Application |
|---|---|---|---|
| Crime prevention | Sch. 2, Part 1 | Access, rectification, erasure | Prejudice to crime prevention/detection |
| Immigration | Sch. 2, Part 1 | Access | Prejudice to immigration control |
| Legal professional privilege | Sch. 2, Part 4 | Access | Communications with legal advisers |
| Management forecasts | Sch. 2, Part 5 | Access | Prejudice to management planning |
| Negotiations | Sch. 2, Part 5 | Access | Prejudice to negotiations with individual |
| Confidential references | Sch. 2, Part 5 | Access | References given by controller |
| Exam scripts | Sch. 2, Part 5 | Access | Until results published |
| Research | Sch. 2, Part 6 | Access, rectification, restriction, object | Research purposes with safeguards |
Humanitarian and NGO-Specific Considerations
Organisations operating in humanitarian contexts encounter circumstances where standard exemption analysis requires additional considerations.
Safeguarding investigations: During active safeguarding investigations, access requests from subjects of complaints may be restricted to prevent prejudice to the investigation. The restriction applies only for the duration of active investigation and must be documented. Once the investigation concludes, the exemption no longer applies.
Protection data: Data processed for protection purposes (child protection, GBV response, trafficking) may engage exemptions where disclosure would endanger the data subject or third parties. This requires case-by-case assessment. See Protection Data Principles for the framework.
Whistleblower identity: Access requests must not result in disclosure of whistleblower identities. When the only way to provide meaningful access would reveal a whistleblower, the access right is restricted to the extent necessary to protect the whistleblower.
Third-party safety: In protection contexts, disclosure of certain information may endanger third parties (perpetrators learning of safe house locations through a subject access request, for example). The exemption for third-party data extends to safety considerations, not merely privacy.
Verification Requirements
Before responding to any data subject request, the organisation must verify the identity of the requester. Verification must be proportionate to the sensitivity of the data and the nature of the request.
Verification Methods
| Method | Suitable for | Verification strength | Implementation |
|---|---|---|---|
| Account authentication | Existing users with verified accounts | High | Request through authenticated portal |
| Knowledge-based | Low-sensitivity data | Medium | Questions only the individual could answer |
| Document verification | High-sensitivity data, no existing account | High | Government ID plus proof of address |
| In-person | Very high sensitivity, complex situations | Highest | Face-to-face with document check |
| Video verification | High-sensitivity, remote individuals | High | Live video call with document presentation |
Proportionality Assessment
The level of verification required depends on three factors: the sensitivity of the data, the nature of the request, and the risk of impersonation.
For access requests: Verification must be sufficient to prevent unauthorised disclosure. For routine HR data, account authentication suffices. For protection case files, enhanced verification including document checks is appropriate.
For erasure requests: Verification must prevent malicious deletion. The consequence of incorrect erasure (permanent loss of records) justifies stronger verification than access requests for the same data.
For rectification requests: Verification must confirm both identity and the accuracy of the claimed correction. The individual must demonstrate both that they are who they claim and that the data is indeed inaccurate.
Verification for Authorised Representatives
Requests submitted on behalf of data subjects require verification of both the representative’s identity and their authority to act. Acceptable authority documentation includes:
| Representative type | Authority documentation | Additional verification |
|---|---|---|
| Legal representative (minor) | Birth certificate, court order | Representative ID |
| Legal representative (incapacitated adult) | Power of attorney, court order | Representative ID |
| Solicitor | Letter of instruction on firm letterhead | Confirm with Law Society register |
| Other authorised person | Signed mandate from data subject | Contact data subject to confirm |
| Parent (child under 13) | Birth certificate | Representative ID |
| Parent (child 13-17) | Signed consent from child | Confirm child’s understanding |
For children’s data, the child’s own capacity to make requests develops with age. Children aged 13 and over generally have sufficient understanding to make their own requests under UK and EU guidance. Parental requests for children over 13 require the child’s consent unless the child lacks capacity.
Request Handling Process
This section provides an overview of the request handling workflow. For detailed procedural steps, see operational documentation in your service management system.
Timeline Calculation
The response deadline runs from the day after receipt of a valid request. A request is valid when it clearly identifies the requestor and specifies the right being exercised. Requests requiring clarification do not start the clock until clarification is received.
Worked example:
- Request received: 15 March 2024
- Clarification requested: 18 March 2024
- Clarification received: 22 March 2024
- Clock starts: 23 March 2024
- Response due: 22 April 2024
If the deadline falls on a weekend or public holiday, it extends to the next working day. Calendar months are used, not 30-day periods: a request received on 31 January is due by 28/29 February, not 2/3 March.
Extension Procedure
Extensions are permitted when requests are complex or numerous. The extension decision must be communicated within the original one-month period and must explain why the extension is necessary.
| Extension trigger | Documentation required | Maximum extension |
|---|---|---|
| Request complexity | Explanation of specific complexity | 2 months |
| Volume of requests | Count of concurrent requests | 2 months |
| Technical retrieval difficulties | Explanation of technical challenges | 2 months |
Extensions cannot be applied routinely. An organisation processing a steady volume of requests cannot claim extension for each one based on general workload. The complexity must be specific to the individual request.
Response Documentation
Every request requires documentation regardless of outcome. The documentation serves three purposes: demonstrating compliance to regulators, enabling internal review, and providing evidence in disputes.
| Documentation element | Retention period | Storage location |
|---|---|---|
| Original request | Duration of retention period + 1 year | Secure document store |
| Identity verification records | Duration of retention period + 1 year | Secure document store |
| Search records | 3 years | Case management system |
| Response sent | 6 years | Secure document store |
| Extension justification (if applicable) | 6 years | Case management system |
| Exemption justification (if applicable) | 6 years | Case management system |
Cross-Border Considerations
Requests involving personal data transferred across borders or processed in multiple jurisdictions require additional analysis.
Determining Applicable Law
The applicable data protection law depends on the establishment of the controller, not the location of the data subject. An organisation established in the UK is subject to UK GDPR regardless of where the data subject resides. An organisation established in Kenya processing data about EU residents is subject to Kenya DPA for local processing and GDPR for processing related to offering services to EU residents.
| Scenario | Applicable law | Supervisory authority |
|---|---|---|
| UK organisation, UK data subject | UK GDPR | ICO |
| UK organisation, EU data subject | UK GDPR + GDPR | ICO + EU DPA |
| EU organisation, UK data subject | GDPR + UK GDPR | EU DPA + ICO |
| Kenya organisation, Kenya data subject | Kenya DPA | ODPC Kenya |
| Kenya organisation, EU data subject (services offered to EU) | Kenya DPA + GDPR | ODPC Kenya + EU DPA |
Multi-Jurisdiction Requests
When a data subject submits requests under multiple frameworks, the organisation must respond to each applicable framework. In practice, responding to the most stringent framework typically satisfies all applicable frameworks.
Worked example: A UK-based NGO with EU operations receives an access request from a German national who interacted with both UK and EU operations. The request engages both UK GDPR (through the UK establishment) and GDPR (through the EU establishment). Responding within 1 month with all Article 15 content satisfies both frameworks.
Transfer Safeguards Information
Access request responses must include information about safeguards applied to international transfers. This requirement applies whenever personal data has been or will be transferred outside the jurisdiction providing protection.
| Transfer mechanism | Information to provide |
|---|---|
| Adequacy decision | Reference to adequacy decision and destination country |
| Standard contractual clauses | Confirmation SCCs are in place, copy available on request |
| Binding corporate rules | Confirmation BCRs approved, copy available on request |
| Explicit consent | Confirmation consent obtained for specific transfer |
| Derogations | Specific derogation relied upon |
Practical Reference Tables
Quick Reference: Response Requirements by Right
| Right | Maximum response time | Refusal permitted | Fee permitted | Format requirements |
|---|---|---|---|---|
| Access | 1 month (+2 if complex) | If manifestly unfounded/excessive | For additional copies only | Electronic if electronic request |
| Rectification | 1 month (+2 if complex) | If data is accurate | No | Notification to recipients |
| Erasure | 1 month (+2 if complex) | If exemption applies | No | Notification to recipients |
| Restriction | 1 month (+2 if complex) | If no grounds apply | No | Mark data as restricted |
| Portability | 1 month (+2 if complex) | If not consent/contract basis | No | Structured, machine-readable |
| Object (legitimate interests) | Without undue delay | If compelling grounds exist | No | Cease processing immediately |
| Object (direct marketing) | Without undue delay | Never | No | Cease processing immediately |
| Automated decisions | 1 month (+2 if complex) | If necessary for contract + safeguards | No | Human review of decision |
Quick Reference: Common Scenarios
| Scenario | Right engaged | Key considerations |
|---|---|---|
| Former employee requests all data | Access | Include HR, IT, email, CCTV; redact third-party data |
| Donor asks to be forgotten | Erasure | Financial records may have legal retention requirements |
| Beneficiary requests case file | Access | Consider protection implications; may need redaction |
| Job applicant requests interview notes | Access | Notes are personal data; legal privilege may apply |
| Partner organisation requests data shared with them | None | Partners are controllers; subject must request from partner |
| Family member requests deceased’s data | None | GDPR does not cover deceased; check local law |
| Regulator requests data about subject | None | Regulatory disclosure, not data subject request |
Quick Reference: Exemption Checklist
For each request where an exemption may apply, assess:
| Assessment step | Documentation required |
|---|---|
| Identify applicable exemption | Cite specific legal provision |
| Confirm conditions are met | Evidence that conditions apply |
| Consider partial compliance | What can be provided without engaging exemption |
| Apply proportionality | Exemption applied to minimum extent necessary |
| Record decision | Written justification with reviewer sign-off |
| Communicate to requestor | Inform of exemption (unless doing so would undermine purpose) |