3.4 Data Subject Rights (Art. 12-22)

Key Takeaways

  • The GDPR grants eight data subject rights across Articles 12–22: information, access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making
  • Controllers must respond to rights requests without undue delay and within one month (Art. 12(3)), extendable by two further months for complex or numerous requests
  • The right to erasure (Art. 17, 'right to be forgotten') is not absolute and yields to exemptions such as freedom of expression, legal obligations, and legal claims
  • Portability (Art. 20) applies only to data the subject provided, processed by automated means, on the basis of consent or contract

Last updated: June 2026

Rights Turn Principles Into Action

Quick Answer: The GDPR gives data subjects eight rights (Arts. 12–22). Controllers must facilitate them, respond within one month of the request (extendable by two further months for complex cases), and generally act free of charge. The right to information must be provided proactively; the others are exercised on request.

Exam questions usually describe a request and ask which right applies, whether an exemption defeats it, or what deadline governs. Knowing the conditions and limits of each right is far more valuable than reciting article numbers. A recurring trap is mismatching the right: candidates reach for erasure or portability when the facts actually engage restriction or objection. Read for the outcome the subject wants — "stop using my data while we argue" is restriction (Art. 18); "never market to me again" is objection (Art. 21); "give me my data to move to a competitor" is portability (Art. 20).

The Eight Rights

Right | Article | Essence
Information | 13 & 14 | Be told about processing (privacy notice) — Art. 13 when data is from the subject, Art. 14 when obtained elsewhere
Access | 15 | Get confirmation, a copy of the data, and key details (purposes, recipients, retention, source)
Rectification | 16 | Correct inaccurate or incomplete data
Erasure / RTBF | 17 | Have data deleted where grounds apply
Restriction | 18 | Pause processing while a dispute (e.g., accuracy) is resolved
Portability | 20 | Receive provided data in a structured, commonly used, machine-readable format
Objection | 21 | Object to processing based on public task or legitimate interests; absolutely to direct marketing
Automated decisions | 22 | Not be subject to solely automated decisions with legal or similarly significant effects

Timing distinctions matter. Article 13 information must be given at the time of collection; Article 14 (data obtained indirectly) within a reasonable period, at most one month, or at first communication/disclosure if sooner. The right to object to direct marketing is the only absolute right in the list — there is no balancing test and no exemption; the controller must stop on request.

The One-Month Response Rule (Art. 12)

Under Article 12(3), the controller must provide information on action taken without undue delay and at the latest within one month of receiving the request. This can be extended by two further months where requests are complex or numerous, but the controller must inform the subject within the first month and explain the reasons. The clock starts on receipt, not on identity verification — though where the controller has reasonable doubts, it may request additional information to confirm identity (Art. 12(6)), which can pause the response pending verification.

More Article 12 mechanics:

  • Responses are generally free of charge (Art. 12(5)). A reasonable fee based on administrative cost, or a refusal, is allowed only where requests are manifestly unfounded or excessive (e.g., repetitive), and the controller bears the burden of proving this.
  • Information must be provided in a concise, transparent, intelligible form using clear and plain language, especially for children.
  • If the controller does not act, it must inform the subject within one month of the reasons and of the right to complain to a supervisory authority and to a judicial remedy.

A worked example: a request lands on 3 March. The default deadline is 3 April. If genuinely complex, the controller may extend to 3 June, but only if it notifies the subject by 3 April with reasons. The two-month extension is not available for the right to information (Arts. 13–14), which has its own collection-time and one-month-from-acquisition rules; the extension belongs to responsive rights such as access, rectification, erasure, and portability.

Erasure, Portability and Automated Decisions — the Tricky Limits

Right to erasure (Art. 17) — the "right to be forgotten" is not absolute. Grounds include: data no longer necessary; consent withdrawn with no other basis; successful objection; unlawful processing; or a legal obligation to erase. But it does not apply where processing is needed for freedom of expression and information, compliance with a legal obligation, public-health reasons, archiving/research/statistics, or the establishment, exercise or defence of legal claims. Where the controller has made data public, Art. 17(2) adds a duty to take reasonable steps to inform other controllers of the erasure request (the Google Spain lineage).

Right to portability (Art. 20) is narrow: it covers only data the subject provided (actively or through observed activity), processed by automated means, and based on consent or contract, not legitimate interests or legal obligation. Data the controller derives or infers (e.g., a credit score or a risk profile) is out of scope.

Automated decisions (Art. 22) — individuals have the right not to be subject to a solely automated decision producing legal or similarly significant effects, unless it is (a) necessary for a contract, (b) authorised by Union/Member State law, or (c) based on explicit consent. Even when permitted, the controller must implement safeguards: the right to obtain human intervention, to express a point of view, and to contest the decision. Such decisions on special category data are barred unless explicit consent or substantial public interest applies plus suitable safeguards.

Test Your Knowledge

A bank declines a loan using a fully automated credit-scoring system with no human involvement, and the decision significantly affects the applicant. Which right is most directly engaged, and what does it require?

Test Your Knowledge

A controller receives a single, clear subject access request and realises that gathering the data is genuinely complex and will take longer than 30 days. What is the correct compliant action under Article 12?
