FORTISEU

GDPR Data Subject Rights: Access, Erasure, and Portability

12 min read. Updated 2026-03-12

Overview of Data Subject Rights

Chapter III of the GDPR (Articles 12-22) establishes a comprehensive framework of rights that give data subjects control over their personal data. These rights are a defining feature of the GDPR and represent a significant expansion over the rights available under Directive 95/46/EC.

Article 12 establishes the general conditions for exercising rights. Controllers must facilitate the exercise of data subject rights, provide information in a concise, transparent, intelligible, and easily accessible form using clear and plain language, and act on requests without undue delay and in any event within one month of receipt. The one-month deadline may be extended by a further two months where necessary, taking into account the complexity and number of requests — but the controller must inform the data subject of the extension and reasons within the first month.

Data subject rights requests must be fulfilled free of charge. A controller may charge a reasonable fee based on administrative costs, or refuse to act, only where a request is manifestly unfounded or excessive, in particular because it is repetitive, and the burden of demonstrating that character rests on the controller (Article 12(5)). Where the controller has reasonable doubts about the identity of the person making the request, it may ask for the additional information necessary to confirm that identity (Article 12(6)); verification must be proportionate to the sensitivity of the data and the harm that disclosure to the wrong person would cause, and must not become a pretext for collecting more personal data than that check needs. A controller that genuinely cannot identify the requester should say so rather than silently ignore the request (Article 12(2)). The verification step is also a security control: an access request is an attractive social-engineering vector, and a weakly verified request can hand someone else's complete record to an impostor.

Art. 12(1)-(8)

Right of Access

Article 15 grants data subjects the right to obtain from the controller confirmation as to whether personal data concerning them are being processed and, where that is the case, access to the personal data along with specified information. This right is the most frequently exercised data subject right and the foundation for exercising other rights such as rectification or erasure.

When personal data is being processed, the controller must provide: the purposes of the processing; the categories of personal data concerned; the recipients or categories of recipients to whom the data have been or will be disclosed, particularly recipients in third countries or international organisations; where possible, the envisaged period for which the data will be stored, or the criteria used to determine that period; the existence of the right to request rectification, erasure, restriction, or to object; the right to lodge a complaint with a supervisory authority; where data was not collected from the data subject, any available information as to its source; and the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), with meaningful information about the logic involved and the significance and envisaged consequences of such processing. Where the data are transferred to a third country or international organisation, the data subject is also entitled to be informed of the appropriate safeguards relating to the transfer (Article 15(2)).

The controller must provide a copy of the personal data undergoing processing free of charge. For any further copies requested, the controller may charge a reasonable fee based on administrative costs. Where the request is made by electronic means, the information shall be provided in a commonly used electronic form, unless otherwise requested. The right to obtain a copy must not adversely affect the rights and freedoms of others, including trade secrets or intellectual property — but this exception must be narrowly interpreted and cannot be used as a blanket refusal.

Art. 15(1)-(4)

Right to Rectification

Article 16 gives the data subject the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject also has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Controllers must have processes in place to receive and act on rectification requests efficiently. Where personal data has been disclosed to recipients (other processors, third parties, etc.), the controller must communicate the rectification to each recipient to whom the data has been disclosed, unless this proves impossible or involves disproportionate effort (Article 19). The controller must inform the data subject about those recipients if the data subject requests it.

In practice, rectification requires controllers to maintain accurate records of data flows and recipients so that corrections can be propagated. This is particularly important in complex processing environments involving multiple processors, cloud services, and analytics platforms. Organisations should implement automated mechanisms for propagating corrections across systems where technically feasible.

Art. 16

Right to Erasure (Right to be Forgotten)

Article 17 establishes the right to erasure, colloquially known as the 'right to be forgotten.' The data subject has the right to obtain from the controller the erasure of personal data without undue delay where one of six grounds applies: the data is no longer necessary for the purposes for which it was collected or processed; the data subject withdraws consent and there is no other legal basis; the data subject objects under Article 21(1) and there are no overriding legitimate grounds, or objects to direct marketing under Article 21(2); the data has been unlawfully processed; the data must be erased to comply with a legal obligation; or the data was collected in relation to the offer of information society services to a child under Article 8(1).

Where the controller has made the personal data public, it must take reasonable steps, taking into account available technology and implementation costs, to inform controllers processing that data that the data subject has requested erasure of any links to, copies, or replications of that personal data (Article 17(2)). This provision has particular relevance for search engines and social media platforms.

Critically, the right to erasure is not absolute. Article 17(3) provides exceptions where processing is necessary for: exercising the right of freedom of expression and information; compliance with a legal obligation or performance of a task in the public interest; reasons of public interest in the area of public health (Articles 9(2)(h) and (i), 9(3)); archiving in the public interest, scientific or historical research, or statistical purposes under Article 89(1) where erasure would seriously impair the objectives; and the establishment, exercise, or defence of legal claims.

Art. 17(1)-(3)
Note

The right to erasure is not absolute — several exceptions apply including compliance with legal obligations, freedom of expression, public health, archiving in the public interest, and the establishment or defence of legal claims.

Right to Restriction of Processing

Article 18 gives data subjects the right to obtain restriction of processing in four circumstances: when the data subject contests the accuracy of the data, for a period enabling the controller to verify accuracy; when the processing is unlawful and the data subject opposes erasure and requests restriction instead; when the controller no longer needs the data but the data subject requires it for the establishment, exercise, or defence of legal claims; and when the data subject has objected under Article 21(1) pending verification of whether the controller's legitimate grounds override those of the data subject.

When processing is restricted, personal data may only be stored and not otherwise processed unless the data subject consents, or it is necessary for the establishment, exercise, or defence of legal claims, for the protection of the rights of another person, or for reasons of important public interest (Article 18(2)). The controller must inform the data subject before lifting a restriction.

Restriction of processing presents implementation challenges. Controllers must be able to technically restrict processing, which in practice means flagging the affected records in every system that holds them, moving them to separate storage, temporarily removing them from live systems, or otherwise making them unreachable by automated pipelines (batch jobs, analytics, marketing automation) while keeping them stored. A flag that is set in the master record but not honoured by downstream consumers restricts nothing. The controller must also communicate the restriction to each recipient to whom the data has been disclosed under Article 19.
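The following is an added example, not code from this page or from FortisEU, of one way to enforce an Article 18 restriction in an application's data-access layer. It assumes a single choke point through which every consumer reads personal data, a hypothetical per-record recipient registry used to generate the Article 19 notices (which serves the same propagation need described for rectification above), and a purpose taxonomy in which only the Article 18(2) purposes survive a restriction. The sample record at the bottom is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Dict, List, Optional, Set


class Purpose(Enum):
    """Why a system wants to touch a record. Only some purposes survive an Art. 18 restriction."""
    STORAGE = auto()          # keeping the data; always permitted while restricted
    LEGAL_CLAIMS = auto()     # establishment, exercise or defence of legal claims
    PROTECT_OTHER = auto()    # protection of the rights of another natural or legal person
    PUBLIC_INTEREST = auto()  # important public interest of the Union or a Member State
    ANALYTICS = auto()        # ordinary processing: blocked while restricted
    MARKETING = auto()        # ordinary processing: blocked while restricted


# Art. 18(2): while restricted, data may only be stored or processed for these purposes
# (or with the data subject's consent).
RESTRICTION_EXEMPT: Set[Purpose] = {
    Purpose.STORAGE, Purpose.LEGAL_CLAIMS, Purpose.PROTECT_OTHER, Purpose.PUBLIC_INTEREST,
}


class ProcessingRestricted(Exception):
    """A non-exempt purpose tried to process a restricted record."""


class SubjectNotInformed(Exception):
    """Art. 18(3): the restriction may not be lifted before the data subject has been informed."""


@dataclass
class PersonalRecord:
    subject_id: str
    data: Dict[str, object]
    restricted: bool = False
    restriction_ground: Optional[str] = None
    consents_while_restricted: bool = False     # Art. 18(2): consent unlocks ordinary processing
    recipients: Set[str] = field(default_factory=set)  # hypothetical Art. 19 recipient registry


def restrict(record: PersonalRecord, ground: str) -> List[str]:
    """Apply an Art. 18(1) restriction. Returns the Art. 19 notices owed to each recipient
    so the caller can dispatch them (the flag alone restricts nothing downstream)."""
    record.restricted = True
    record.restriction_ground = ground
    return [
        f"notify {recipient}: processing of subject {record.subject_id} restricted ({ground})"
        for recipient in sorted(record.recipients)
    ]


def is_permitted(record: PersonalRecord, purpose: Purpose) -> bool:
    """Decide whether `purpose` may be carried out on `record` right now."""
    if not record.restricted:
        return True
    return purpose in RESTRICTION_EXEMPT or record.consents_while_restricted


def access(record: PersonalRecord, purpose: Purpose) -> Dict[str, object]:
    """The single choke point every consumer must go through to read personal data."""
    if not is_permitted(record, purpose):
        raise ProcessingRestricted(
            f"{purpose.name} on subject {record.subject_id} refused: {record.restriction_ground}"
        )
    return record.data


def lift_restriction(record: PersonalRecord, subject_informed: bool) -> None:
    """Clear the flag only once the Art. 18(3) notice to the data subject has gone out."""
    if not subject_informed:
        raise SubjectNotInformed(f"subject {record.subject_id} must be informed before lifting")
    record.restricted = False
    record.restriction_ground = None


if __name__ == "__main__":
    # Constructed sample record; not real data.
    rec = PersonalRecord("subj-42", {"email": "alice@example.test", "score": 71},
                         recipients={"crm-vendor", "analytics-platform"})
    for notice in restrict(rec, "accuracy contested, pending verification (Art. 18(1)(a))"):
        print(notice)
    print("storage permitted:", is_permitted(rec, Purpose.STORAGE))      # True
    print("marketing permitted:", is_permitted(rec, Purpose.MARKETING))  # False
    lift_restriction(rec, subject_informed=True)
    print("after lifting, marketing permitted:", is_permitted(rec, Purpose.MARKETING))  # True
```

The design point is that `access` is the only read path: if analytics jobs or a marketing exporter can query the store directly, the restriction flag is decorative. Returning the Article 19 notices from `restrict` rather than sending them as a side effect makes it easy to record in an audit log which recipients were told, and when.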

Art. 18(1)-(3)

Right to Data Portability

Article 20 introduces a novel right not present in Directive 95/46/EC: the right to data portability. The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance from the original controller.

The right to data portability is subject to three conditions. First, it applies only to personal data that the data subject has 'provided' to the controller — which the EDPB interprets broadly to include both actively provided data (form submissions, content uploads) and observed data (usage history, activity logs, location data) but not inferred or derived data (analytics results, profiling scores). Second, the processing must be carried out by automated means (excluding manual filing systems). Third, the processing must be based on consent (Article 6(1)(a) or Article 9(2)(a)) or on the performance of a contract (Article 6(1)(b)) — it does not apply to processing based on legitimate interests, legal obligation, or public interest.

Where technically feasible, the data subject has the right to have the personal data transmitted directly from one controller to another (Article 20(2)). The controller must not create technical or contractual barriers to portability. The right to data portability must not adversely affect the rights and freedoms of others (Article 20(4)) — for example, transmitting data that contains personal data of other individuals may require appropriate measures to protect those third parties' rights.
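As an added example (not code from this page or from FortisEU), the following builds an Article 20 export package from a small constructed dataset. It assumes that each stored item is tagged with its provenance (provided, observed or inferred) and the lawful basis of the processing it belongs to, and that fields holding other people's personal data are marked so they can be redacted under Article 20(4). The category names, lawful-basis labels and sample values are all made up for illustration.

```python
import json
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Provenance(Enum):
    PROVIDED = "provided"   # actively supplied by the data subject: form fields, uploads
    OBSERVED = "observed"   # generated by the subject's use of the service: logs, location
    INFERRED = "inferred"   # derived by the controller: scores, segments; outside Art. 20


# Art. 20(1)(a): only processing based on consent or contract carries the portability right.
PORTABLE_BASES = {"Art. 6(1)(a)", "Art. 9(2)(a)", "Art. 6(1)(b)"}


@dataclass(frozen=True)
class DataItem:
    category: str
    provenance: Provenance
    lawful_basis: str
    value: object
    third_party_keys: Tuple[str, ...] = ()  # keys inside `value` that identify other people


def portability_status(item: DataItem) -> str:
    """Return 'portable' or the reason the item falls outside Article 20."""
    if item.provenance is Provenance.INFERRED:
        return "excluded: inferred or derived data is not 'provided by' the data subject"
    if item.lawful_basis not in PORTABLE_BASES:
        return f"excluded: lawful basis {item.lawful_basis} is outside Art. 20(1)(a)"
    return "portable"


def redact_third_parties(item: DataItem) -> object:
    """Art. 20(4): strip fields that are personal data of other individuals before export."""
    if not item.third_party_keys or not isinstance(item.value, dict):
        return item.value
    return {
        k: ("[redacted: third-party personal data]" if k in item.third_party_keys else v)
        for k, v in item.value.items()
    }


def build_export(subject_id: str, items: List[DataItem]) -> Dict[str, object]:
    """Assemble the Art. 20 package: portable items in, excluded items listed with reasons
    (they remain obtainable via an Art. 15 access request, just not through portability)."""
    exported, excluded = [], []
    for item in items:
        status = portability_status(item)
        if status == "portable":
            exported.append({
                "category": item.category,
                "provenance": item.provenance.value,
                "lawful_basis": item.lawful_basis,
                "value": redact_third_parties(item),
            })
        else:
            excluded.append({"category": item.category, "reason": status})
    return {"subject_id": subject_id, "items": exported, "not_included": excluded}


def export_json(subject_id: str, items: List[DataItem]) -> str:
    """Serialise to a structured, commonly used, machine-readable format (JSON)."""
    return json.dumps(build_export(subject_id, items), indent=2, sort_keys=True)


# Constructed sample dataset for one subject; every value here is made up.
SAMPLE_ITEMS = [
    DataItem("profile", Provenance.PROVIDED, "Art. 6(1)(b)",
             {"display_name": "alice", "email": "alice@example.test"}),
    DataItem("messages", Provenance.PROVIDED, "Art. 6(1)(b)",
             {"text": "see you at 9", "to": "bob@example.test"}, third_party_keys=("to",)),
    DataItem("location_history", Provenance.OBSERVED, "Art. 6(1)(a)",
             [{"ts": "2026-03-01T08:00:00Z", "lat": 48.85, "lon": 2.35}]),
    DataItem("fraud_score", Provenance.INFERRED, "Art. 6(1)(f)", 0.12),
    DataItem("support_tickets", Provenance.OBSERVED, "Art. 6(1)(f)", ["ticket-1"]),
]

if __name__ == "__main__":
    print(export_json("subj-42", SAMPLE_ITEMS))
```

Listing what was left out, and why, is deliberate: a data subject who sees that a fraud score or a legitimate-interest dataset was withheld from the portability package knows to ask for it under Article 15 instead, and the controller has a record of the scoping decision if a supervisory authority later asks.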

Art. 20(1)-(4)

Right to Object

Article 21 grants data subjects the right to object, on grounds relating to their particular situation, to processing of their personal data based on Article 6(1)(e) (public interest) or Article 6(1)(f) (legitimate interests), including profiling based on those provisions. Upon objection, the controller must cease processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defence of legal claims (Article 21(1)).

The right to object to direct marketing processing is absolute and unconditional. Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time, and upon objection, the personal data must no longer be processed for that purpose (Article 21(2)-(3)). This absolute right extends to profiling to the extent that it is related to direct marketing. The right to object to direct marketing must be explicitly brought to the data subject's attention at the latest at the time of first communication, presented clearly and separately from other information.

For processing carried out for scientific or historical research purposes or statistical purposes under Article 89(1), the data subject has the right to object on grounds relating to their particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest (Article 21(6)).

Art. 21(1)-(6)

Automated Individual Decision-Making and Profiling

Article 22 establishes a general prohibition on decisions based solely on automated processing, including profiling, which produce legal effects concerning the data subject or similarly significantly affect them. This provision addresses algorithmic decision-making in contexts such as credit scoring, automated recruitment screening, insurance risk assessment, and online content personalisation that materially affects access to services.

The prohibition is subject to three exceptions: the decision is necessary for entering into or performance of a contract between the data subject and controller (Article 22(2)(a)); the decision is authorised by Union or member state law that itself lays down suitable safeguards (Article 22(2)(b)); or the decision is based on the data subject's explicit consent (Article 22(2)(c)). Where the contract or consent exceptions apply, the controller must implement suitable measures to safeguard the data subject's rights, freedoms, and legitimate interests, including at least the right to obtain human intervention, to express their point of view, and to contest the decision (Article 22(3)). Such decisions may be based on special categories of personal data only with explicit consent (Article 9(2)(a)) or for reasons of substantial public interest (Article 9(2)(g)), and again only with suitable safeguards in place (Article 22(4)).

The distinction between 'solely automated' and 'human-in-the-loop' decision-making is significant. Article 22 only applies where the decision is based solely on automated processing — if meaningful human review occurs before the decision takes effect, Article 22 is not triggered. However, the EDPB has clarified that the human involvement must be genuine and influential, not merely a rubber-stamp of an automated output. A human who systematically follows an automated recommendation without genuinely assessing the individual case does not constitute meaningful human intervention.

Art. 22(1)-(4)

Frequently Asked Questions

How long does a controller have to respond to a data subject access request (DSAR)?

Under Article 12(3), the controller must provide information on action taken on a request without undue delay and in any event within one month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. The controller must inform the data subject of any extension and the reasons for it within the first month.

Can a controller charge a fee for responding to data subject requests?

Generally, information and action on requests must be provided free of charge (Article 12(5)). A reasonable fee based on administrative costs may be charged only where requests are manifestly unfounded or excessive, particularly where they are repetitive. Alternatively, the controller may refuse to act on such requests. The controller bears the burden of demonstrating that a request is manifestly unfounded or excessive.

What are the exceptions to the right to erasure?

Article 17(3) provides five exceptions where erasure cannot be required: (a) exercising the right of freedom of expression and information; (b) compliance with a legal obligation or performance of a task in the public interest; (c) reasons of public interest in the area of public health; (d) archiving in the public interest, scientific or historical research, or statistical purposes where erasure would render impossible or seriously impair those objectives; and (e) establishment, exercise, or defence of legal claims.

What is data portability and when does it apply?

Data portability (Article 20) is the right to receive personal data provided to a controller in a structured, commonly used, machine-readable format and to transmit it to another controller. It applies only when processing is carried out by automated means and is based on consent (Article 6(1)(a) or 9(2)(a)) or performance of a contract (Article 6(1)(b)). It does not apply to processing based on legitimate interests, legal obligation, or public interest.

Can a controller refuse a data subject request?

A controller may refuse to act on a request only where it can demonstrate that the request is manifestly unfounded or excessive (Article 12(5)). Additionally, specific rights have built-in limitations: the right to erasure has exceptions under Article 17(3), the right to object can be overridden by compelling legitimate grounds under Article 21(1), and the right to portability is limited to specific lawful bases and data types. The controller must inform the data subject of the refusal, the reasons, and their right to lodge a complaint with a supervisory authority or seek judicial remedy.

This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.
