GDPR Data Subject Rights: How to Stay Compliant
GDPR grants individuals eight enforceable rights over their personal data, and regulators are increasingly judging organizations on whether their systems can actually execute those rights — not whether their policies describe them.

Key takeaways
- GDPR grants individuals eight enforceable rights over their personal data. Fulfilling them is an infrastructure requirement.
- Each right translates into a concrete system-level operation: locate the data, act on it within a defined timeline, propagate that action across every system that holds it, and document every step.
- The organizations that fulfill rights reliably are those with the infrastructure to do so. Process documents and manual workflows cannot scale to the volume, complexity, or speed that compliance demands.
- Lethe, Ethyca's automated DSR execution engine, manages the underlying infrastructure for request intake, multi-system execution, verification, and audit-ready documentation with minimal manual effort.
In December 2024, the Irish Data Protection Commission fined Meta €251 million following two inquiries into a 2018 data breach affecting approximately 29 million Facebook accounts globally. The violations found concerned breach notification obligations and data protection by design and default: the question was not whether Meta had a privacy policy, but whether its systems met their legal obligations in practice.
This enforcement pattern is emerging across both EU and US regulatory actions. Regulators are focusing less on whether organizations have documented policies and more on whether their systems can reliably execute legal obligations in practice. For many organizations, the real compliance gap lies between publishing a policy and operationally fulfilling data subject requests across complex, interconnected systems.
General Data Protection Regulation (GDPR) Chapter 3, Articles 12 through 23, codifies eight distinct rights. Each one translates into a concrete operational requirement: find the data, act on it within a defined timeline, propagate that action across every relevant system, and prove you did it.
What are data subject rights under GDPR?
GDPR data subject rights are enforceable legal rights that give individuals within the European Economic Area control over how organizations collect, use, store, and share their personal data. These rights apply to customers, employees, website visitors, app users, and any identifiable individual whose data is processed.
The regulation defines personal data broadly. It covers names, email addresses, IP addresses, cookie identifiers, location data, biometric records, health information, and behavioral profiles, among other identifiers that can be linked to a person.
Under Chapter 3 of GDPR, Articles 12–23 establish eight core rights: the right to be informed, access, rectification, erasure, restriction of processing, data portability, objection, and protections related to automated decision-making and profiling. Organizations must be able to receive, validate, and fulfill these requests, usually within one month.
These obligations are enforceable, which means regulators assess whether organizations can operationally execute requests across all systems handling personal data. A single request may involve CRMs, analytics platforms, marketing tools, data warehouses, processors, backups, and logs. Organizations that consistently meet GDPR requirements are typically those with infrastructure capable of orchestrating and verifying requests across interconnected systems, rather than relying on manual workflows alone.
The eight GDPR data subject rights
Each right originates from GDPR Chapter 3, Articles 12 through 23. The sections below cover each right's article, response deadline, key exceptions, and the system-level action required to fulfill it.

Note: All rights are also subject to Article 23 derogations, which allow EU and Member State law to restrict their scope for purposes including national security, defense, public security, criminal investigations, and other specified public interests.
Right to be informed (Articles 13 and 14)
This right requires organizations to explain how personal data is collected and used before or at the point of collection. When data is collected directly, Article 13 requires disclosure of the controller’s identity, processing purposes, legal basis, recipients, retention periods, and available rights. When data is obtained indirectly, Article 14 requires the same disclosures within a reasonable period and at the latest within one month of obtaining the data, or earlier if the data is first used to contact the individual or disclosed to another recipient before then.
Every collection point, including web forms, mobile apps, APIs, and offline processes, must provide accurate disclosures in plain language. Outdated retention periods or missing recipient categories can create compliance violations.
Right of access (Article 15)
Article 15 gives individuals the right to confirm whether their data is being processed and to receive a copy along with details about processing purposes, categories of data, recipients, retention periods, and data sources.
Organizations have one month to respond. A single request may require searches across CRMs, marketing systems, analytics databases, support platforms, HR systems, payment processors, and third-party vendors. Responses must include all relevant systems.
A February 2025 ruling by the Court of Justice of the European Union in Case C-203/22 (Dun & Bradstreet Austria) clarified that when automated decision-making is involved, organizations must provide an intelligible, individual-specific explanation of the logic used. Generic algorithm descriptions are insufficient.
Right to rectification (Article 16)
Article 16 requires organizations to correct inaccurate personal data and complete incomplete records without undue delay. Corrections must be applied across every system containing the data.
Article 19 also requires organizations to notify third-party recipients of the correction unless doing so is impossible or disproportionate. If data exists in CRMs, marketing tools, warehouses, and processor environments, updates must propagate across all of them.
Right to erasure (Article 17)
The right to erasure applies when data is no longer necessary, consent is withdrawn, processing is unlawful, or an objection overrides the organization’s legal basis for processing, among other grounds.
Article 17 includes exceptions for legal obligations, freedom of expression, public health, archiving in the public interest, and legal claims. These exceptions must be evaluated individually.
Deleting records from a primary database is not enough if copies remain in backups, analytics systems, data lakes, or third-party processors. Article 17(2) also requires controllers to take reasonable steps to inform other controllers processing publicly shared data about the erasure request.
AI systems add further complexity. When personal data is used to train models, traces of that data may persist in model weights after source records are deleted. Regulators are examining how erasure obligations apply to trained models and machine learning workflows.
Organizations must also prevent re-collection. If erased data is later collected again through connected systems or recurring workflows, the erasure request has not been fully implemented.
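The operational shape of the three points above (fan-out to every system, per-system evaluation of Article 17(3) retention grounds, and suppression of re-collection), with an audit record for each step. This is example code written for this article, not Ethyca's product code; the system names, the records, the request id and the suppression key are constructed for the illustration. The suppression list stores only keyed hashes of the identifier, so the mechanism that blocks re-collection does not itself become a retained copy of the erased data.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed example key. In a real deployment this is a managed secret;
# rotating it means re-deriving every entry in the suppression list.
SUPPRESSION_KEY = b"example-key-not-for-production"

# Constructed: systems that may not delete on request, with the Article 17(3)
# ground the erasure engine must record instead of silently skipping them.
RETENTION_GROUNDS = {"billing": "Article 17(3)(b): retention required by tax law"}


def suppression_token(email: str) -> str:
    """Keyed hash of the normalized identifier; the suppression list holds only this."""
    normalized = email.strip().lower()
    return hmac.new(SUPPRESSION_KEY, normalized.encode(), hashlib.sha256).hexdigest()


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def execute_erasure(email, systems, suppression, audit, request_id):
    """Fan one erasure request out to every connected system.

    Returns {system: records deleted}. Every system is queried and logged,
    including those with zero matches and those that retain under an exception,
    so the audit trail proves coverage rather than only listing deletions.
    """
    target = email.strip().lower()
    deleted = {}
    for name, records in systems.items():
        matches = [r for r in records if r["email"].lower() == target]
        if name in RETENTION_GROUNDS:
            deleted[name] = 0
            audit.append({"request": request_id, "system": name, "action": "retain",
                          "records": len(matches), "reason": RETENTION_GROUNDS[name],
                          "at": _now()})
            continue
        systems[name] = [r for r in records if r not in matches]  # value update only
        deleted[name] = len(matches)
        audit.append({"request": request_id, "system": name, "action": "delete",
                      "records": len(matches), "at": _now()})
    # Remember the identifier so later collection paths refuse the same person.
    suppression.add(suppression_token(email))
    audit.append({"request": request_id, "system": "suppression-list",
                  "action": "add", "at": _now()})
    return deleted


def ingest(system, record, systems, suppression, audit):
    """Gate for any collection path (web form, import job, partner sync).

    Refuses a record whose identifier is suppressed. Without this check the
    erased person reappears the next time an upstream system re-syncs.
    """
    if suppression_token(record["email"]) in suppression:
        audit.append({"system": system, "action": "reject-ingest",
                      "reason": "identifier suppressed after erasure", "at": _now()})
        return False
    systems.setdefault(system, []).append(record)
    return True


def demo():
    """Constructed walk-through: erase Alice, then a CRM sync tries to re-add her."""
    systems = {
        "crm": [{"email": "alice@example.com", "name": "Alice"},
                {"email": "bob@example.com", "name": "Bob"}],
        "marketing": [{"email": "Alice@Example.com", "segment": "newsletter"}],
        "analytics": [],
        "billing": [{"email": "alice@example.com", "invoice": "INV-1"}],
    }
    suppression, audit = set(), []
    deleted = execute_erasure("alice@example.com", systems, suppression, audit, "dsr-0001")
    readded = ingest("crm", {"email": "ALICE@example.com", "name": "Alice"},
                     systems, suppression, audit)
    return deleted, readded, systems, audit


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```

In the walk-through, `billing` keeps its record and the audit trail says why, `analytics` is logged as queried with zero matches, and the later ingest of the same address in different casing is refused. Backups are deliberately absent from the constructed inventory: they usually need a separate expiry-or-restore-time-filter strategy rather than an in-place delete, and the audit entry for them should record which strategy applies.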
Right to restrict processing (Article 18)
Article 18 allows individuals to restrict processing when data accuracy is contested (for the period needed to verify it), processing is unlawful but the individual prefers restriction to erasure, the controller no longer needs the data but the individual requires it for legal claims, or an objection under Article 21 is pending verification of whether the controller's grounds override the individual's.
Restricted data may still be stored, but Article 18(2) permits other processing only with the individual's consent, for legal claims, to protect another person's rights, or for important public interest reasons. Systems must be able to flag restricted records and enforce those restrictions across workflows, analytics jobs, and third-party sharing environments, not only in the application where the flag was set.
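One way to enforce a restriction flag at every consumer rather than only where it was set, as an added example that is not part of the original page or Ethyca's product: a single purpose gate that each pipeline calls before touching a record. The purposes, subject ids and records are constructed; the decision table follows Article 18(2), storage is always permitted, legal claims are permitted without consent, and anything else needs the individual's consent for that purpose (the "rights of another person" and "important public interest" grounds are omitted for brevity).

```python
from enum import Enum


class Purpose(Enum):
    STORAGE = "storage"
    LEGAL_CLAIMS = "legal_claims"
    ANALYTICS = "analytics"
    MARKETING = "marketing"
    THIRD_PARTY_SHARE = "third_party_share"


# Processing Article 18(2) still allows for a restricted record without consent
# (storage, and use for legal claims). Other 18(2) grounds omitted in this example.
ALWAYS_PERMITTED = {Purpose.STORAGE, Purpose.LEGAL_CLAIMS}


def may_process(record, purpose, restrictions, consents):
    """Return (allowed, reason) for one record under one purpose.

    restrictions: set of subject ids with an active Article 18 restriction.
    consents: subject id -> set of Purpose the individual has consented to
    despite the restriction.
    """
    sid = record["subject_id"]
    if sid not in restrictions:
        return True, "no restriction"
    if purpose in ALWAYS_PERMITTED:
        return True, f"restricted; {purpose.value} permitted by Article 18(2)"
    if purpose in consents.get(sid, set()):
        return True, f"restricted; {purpose.value} permitted by the individual's consent"
    return False, f"restricted; {purpose.value} blocked"


def run_job(purpose, records, restrictions, consents, audit):
    """Apply the gate to a batch and return only the records the job may touch.

    Every consumer (analytics job, campaign send, partner export) calls this,
    so the flag lives in one place but is enforced on each processing path.
    Skipped records are logged so the restriction is demonstrable later.
    """
    passed = []
    for r in records:
        ok, reason = may_process(r, purpose, restrictions, consents)
        if ok:
            passed.append(r)
        else:
            audit.append({"purpose": purpose.value, "subject_id": r["subject_id"],
                          "decision": "skipped", "reason": reason})
    return passed


def demo():
    """Constructed run: Alice (u1) contested accuracy and is restricted; she has
    consented to analytics only. Bob (u2) has no restriction."""
    records = [{"subject_id": "u1", "email": "alice@example.com"},
               {"subject_id": "u2", "email": "bob@example.com"}]
    restrictions = {"u1"}
    consents = {"u1": {Purpose.ANALYTICS}}
    audit = []
    analytics = run_job(Purpose.ANALYTICS, records, restrictions, consents, audit)
    marketing = run_job(Purpose.MARKETING, records, restrictions, consents, audit)
    share = run_job(Purpose.THIRD_PARTY_SHARE, records, restrictions, consents, audit)
    stored = run_job(Purpose.STORAGE, records, restrictions, consents, audit)
    return analytics, marketing, share, stored, audit


if __name__ == "__main__":
    for entry in demo()[4]:
        print(entry)
```

The point of routing every job through `run_job` is that a restriction set in the CRM has no effect on a nightly warehouse export or a partner feed unless those paths consult the same flag; the gate fails closed for any purpose not explicitly permitted.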
Right to data portability (Article 20)
Article 20 gives individuals the right to receive their personal data in a structured, commonly used, machine-readable format. This right applies only to data processed by automated means under consent or contract, and only to data provided by the individual.
“Provided by” includes both submitted information and data observed through service usage, such as activity logs and transaction histories; it does not extend to data the organization has inferred or derived, such as profiles or scores. Individuals may also request direct transfer to another controller where technically feasible.
Organizations must provide interoperable exports. Proprietary formats that require reconstruction by the receiving party may fail portability requirements.
Right to object (Article 21)
Article 21 creates separate rules for direct marketing and legitimate-interest processing.
For direct marketing, processing must stop immediately after an objection. The objection must propagate across email systems, ad platforms, CRMs, segmentation tools, and third-party marketing vendors.
For legitimate-interest or public-interest processing, organizations may continue only if they demonstrate compelling grounds that override the individual’s interests or establish necessity for legal claims. Assessments must be made case by case.
Rights related to automated decision-making (Article 22)
Article 22 gives individuals the right not to be subject to decisions based solely on automated processing when those decisions produce legal or similarly significant effects. Examples include credit scoring, automated hiring, insurance underwriting, and some forms of content moderation.
Solely automated decisions are permitted only under the Article 22(2) exceptions: necessity for a contract, authorization by EU or Member State law that lays down suitable safeguards, or the individual's explicit consent. Under the contract and consent exceptions, organizations must at minimum provide access to human review, allow individuals to express their views, and enable them to contest the decision.
The February 2025 CJEU ruling in Case C-203/22 clarified that organizations must provide meaningful, individual-specific explanations of automated decisions rather than generic descriptions of system logic.
The EU AI Act introduces overlapping obligations for high-risk AI systems. Organizations that separate GDPR Article 22 compliance from AI governance programs often duplicate operational work and create enforcement gaps.
How enforcement exposes operational weaknesses
Enforcement actions repeatedly highlight the same operational gaps:
- Incomplete access responses: Organizations have been penalized for failing to include personal data stored across all relevant systems.
- Missed response deadlines: Regulators such as the CNIL have cited delayed responses to access and erasure requests as violations.
- Failure to notify third parties of erasure: Deleting data internally without informing downstream recipients can violate Article 17(2).
- Blanket rejection of erasure requests: The European Data Protection Board has clarified that exceptions must be assessed case by case.
- Unenforced processing restrictions: Restriction requests are ineffective if data continues moving through automated systems and integrations.
- Generic explanations for automated decisions: Following the 2025 CJEU ruling, organizations must provide individual-specific explanations, not generic algorithm summaries.
- Missing audit trails: Organizations must be able to demonstrate how requests were fulfilled under regulatory review.
Best practices for managing data subject rights at scale
Managing data subject rights at scale requires more than documented policies. Organizations need systems that can execute requests consistently across complex data environments.
Automate request workflows
Manual handling slows intake, identity verification, routing, execution, and response delivery. Automated workflows reduce delays by identifying request types, locating relevant systems, triggering actions, and generating responses consistently across requests.
Maintain a live view of personal data
Static data maps become outdated as systems and integrations change. Continuous data discovery helps organizations track where personal data resides, how it moves, and which systems process it, reducing the risk of incomplete access or erasure responses.
Embed privacy controls into systems
Privacy controls must operate inside the systems processing data. Restriction flags, marketing objections, and purpose limitations should automatically propagate across workflows, integrations, and downstream platforms.
Monitor and audit all actions
Organizations must be able to demonstrate how requests were fulfilled. Audit logs should record queried systems, executed actions, third-party notifications, and response timelines to support accountability and investigations.
Data subject rights management with Ethyca
Fulfilling GDPR data subject rights at scale requires infrastructure that can discover personal data across systems, execute coordinated actions, and document every step for audit purposes. The two Ethyca products most directly relevant to DSR fulfillment are:
- Helios - Automated data discovery and classification that maintains a continuously updated view of where personal data resides and how it flows, ensuring no system is missed when a request arrives.
- Lethe - Autonomous DSR execution engine. Receives the request, identifies the individual's data across all connected systems, executes the required action, verifies completion, and generates an audit-ready record without manual intervention.
They address the two most common points of failure: incomplete data coverage and manual execution that cannot meet regulatory timelines at volume.
Across more than 200 global brands, Ethyca has processed over 4 million access requests and manages more than 744 million privacy preferences, delivering an estimated $74 million or more in operational savings. Organizations that do not have this infrastructure in place will face a widening gap between what regulators require and what their systems can deliver. The CJEU is expanding what access rights require. The EU AI Act is layering new obligations onto automated decision-making. Supervisory authorities are increasing the frequency and specificity of enforcement actions.
The rights are fixed in law, and the question is whether the systems behind them can keep pace. See how it works.
Frequently asked questions
What are data subject rights under GDPR?
Eight enforceable entitlements granted to individuals in the EEA that give them control over how organizations collect, store, use, and share their personal data, codified in GDPR Chapter 3, Articles 12 through 23.
How many data subject rights does GDPR establish?
Eight: the right to be informed, access, rectification, erasure, restriction of processing, data portability, objection, and rights related to automated decision-making. All are enforceable legal obligations.
What rights do data subjects have under GDPR regarding automated decisions?
Under Article 22, individuals have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Where automated decision-making is permitted, organizations must provide human intervention, allow the individual to express a view, and enable contestation. Following the February 2025 CJEU ruling, organizations must also provide intelligible, individual-specific explanations of how automated decisions were reached.
What is not a data subject right under GDPR?
GDPR does not grant a right to prevent all processing. The right to erasure does not apply where retention is required for legal compliance, public health, or the establishment, exercise, or defense of legal claims, among other Article 17(3) grounds. Data portability covers only data the individual provided (submitted information and data generated through their use of the service, not inferred or derived data), and only where processing is based on consent or contract and carried out by automated means.
Which three rights are most operationally demanding?
Access, erasure, and objection. Access requires querying every system holding the individual's data and compiling a complete response within one month. Erasure requires deletion across all systems, suppression of re-collection, and notification to third parties. Objection to direct marketing requires immediate cessation across every relevant system. All three require coordinated, multi-system execution and auditable documentation.