GDPR · Art. 12–22

Data Subject Rights under the GDPR

Every individual has the right to know and control what happens to their data. Requests must generally be answered within one month. SimpleAct captures data subject requests with deadline tracking and audit-proof documentation.

Which rights do data subjects have?

The GDPR grants individuals far-reaching rights against controllers. These include the right of access, the right to rectification and erasure, the right to restriction of processing, the right to data portability and the right to object. Controllers must facilitate requests and generally respond within one month – an extension by two further months is only possible in justified exceptional cases.

The key data subject rights

Access (Art. 15)
Individuals can ask whether data about them is processed and, if so, which data, including purpose, recipients and retention period.
Rectification (Art. 16)
Inaccurate or incomplete data must be corrected or completed on request.
Erasure (Art. 17)
The “right to be forgotten” – data must be deleted when the purpose no longer applies or consent is withdrawn.
Data portability (Art. 20)
Individuals can receive their data in a structured, common format or have it transferred.

Handle data subject requests compliantly

  • Centrally record and date every incoming request
  • Verify the identity of the requesting person
  • Classify the type of right (access, erasure, objection …)
  • Track the one-month deadline and document any extension
  • Compile relevant data and prepare the response
  • Document the response and measures taken in an audit-proof way
  • Handle restriction (Art. 18) and objection (Art. 21) separately

Frequently asked questions about data subject rights

How quickly must a request be answered?

In principle without undue delay, at the latest within one month. For complex or numerous requests, an extension of up to two further months is possible – the data subject must be informed.

Can access cost anything?

The first copy is free of charge. A reasonable fee may be charged, or the request refused, only for manifestly unfounded or excessive requests, particularly repeated ones.

Must identity be verified for a request?

Yes. Where there are reasonable doubts about identity, additional information may – and should – be requested for confirmation, so as not to disclose data to unauthorised parties.

Does the right to erasure apply without limits?

No. Exceptions exist, for example where statutory retention obligations apply or the data is needed to establish or defend legal claims.

Manage data subject rights with SimpleAct

Capture requests, track deadlines and document responses – always available as evidence of the accountability principle.

Yannick Heisler

Sales · Personal consultation