# Data Subject Rights (DSR)

The GDPR reaffirms the rights of individuals, introduces **data portability** and strengthens the obligations of the **data controller**. Individuals must **retain control** of their data, and the controller must **clearly explain** how to exercise those rights.

* **Response time**: 1 month from receipt (extendable by **2 months** for complex or numerous requests — notify the extension within the first month).
* **Free of charge**: no fees, except for manifestly **unfounded** or **excessive** requests (in which case, justify the refusal or charge reasonable fees).
* **Traceability**: record requests and responses (proof of compliance).

***

### ✅ Two major obligations for the data controller

1. **Inform** data subjects (purposes, legal bases, retention periods, recipients, rights, transfers, DPO contact, etc.).
2. **Notify** that the requested operations (rectification, erasure, restriction) have been carried out, or **justify** a refusal.

***

### 🧭 Common operational rules (all rights)

* **Deadline**: 1 month (up to +2 months if necessary, with notice within 1 month).
* **Identity verification** proportionate to the risk (avoid requesting more than necessary).
* **Intake channels**: dedicated email, online form, customer portal, postal mail.
* **Logging**: date of receipt, verified identity, scope, decision, closure date.
* **Exemptions / limits**: third-party rights, trade secrets, legal retention obligations, security, fraud prevention… (document).

***

### 📜 Right to information (Arts. 13 & 14)

To be provided **at the time of collection** (direct) or **within 1 month** (indirect): controller identity, purposes, legal bases, recipients, transfers, retention periods, rights, DPO contact, source (if indirect), automated decision-making/profiling where applicable.

> Support: form notices, privacy policy, cookie banner, signage (CCTV), call centre scripts, etc.

***

### 🔎 Right of access (Art. 15)

The individual may obtain:

* **confirmation** that data is being processed,
* **access** to the data and associated information (purposes, categories, recipients, retention periods…),
* a **copy** of the data (free for the first copy).

**Modalities**:

* **Written** (postal or email), **on-site** (if appropriate), or **online** (secure portal).
* Responses must be **understandable** (explanation of codes, acronyms, scores).

**Limits / refusal**: abusive requests, impact on third-party rights; if no data is held, still respond to confirm that none is processed.

***

### 🧯 Right to rectification (Art. 16)

Correct without delay **inaccurate data** and complete **incomplete data** (via supplementary statement). Inform recipients of the rectifications where applicable.

***

### 🗑️ Right to erasure (Art. 17)

Erase data when:

* it is no longer necessary,
* consent is withdrawn,
* a founded objection is raised and there is no compelling legitimate ground,
* processing is unlawful,
* there is a legal obligation to erase,
* data was collected from children (information society services).

**Exceptions**: legal retention obligation, exercise/defence of rights in legal proceedings, public interest (health, research), freedom of expression and information. Inform recipients where applicable.

***

### 🚦 Right to restriction (Art. 18)

Temporarily suspend processing (except storage) if:

* accuracy is contested,
* processing is unlawful (the individual requests restriction rather than erasure),
* data is needed for **the exercise/defence of rights**,
* an objection is pending verification.

***

### 🔁 Right to object (Art. 21)

The individual may object:

* **at any time** to direct marketing (including related profiling) → **obligation to cease** without delay;
* for reasons specific to their situation, to processing based on **legitimate interests** → accept unless there are compelling legitimate grounds.

> Provide **simple opt-out mechanisms** (unsubscribe link in emails, account preference, checkbox…).

***

### 📦 Right to data portability (Art. 20)

* Receive **data provided** to the controller in a **structured, commonly used and machine-readable format**,
* and **transmit it to another controller** (where technically feasible).

Applies when processing is based on **consent** or **contract** and carried out by **automated means**.

***

### 🤖 Automated individual decision-making & profiling (Art. 22)

Right **not to be subject** to a decision based **solely on automated processing** that produces **legal effects** or similarly significant effects (exceptions: contract necessity, legal authorisation, explicit consent — with **safeguards**). Obligations: **clear information**, **human intervention**, **ability to contest** and express a view.

***

### 🧪 Consent (Arts. 6, 7)

Consent must be **freely given, specific, informed and unambiguous** (positive action, **not pre-ticked**). Withdrawal must be **as easy as giving** consent. Examples: sensitive data, electronic prospecting, cookies (depending on purposes).

***

### 🧰 Operational playbook (template)

#### Intake channels

* Web form (authenticated if possible), dedicated email (privacy@…), customer portal, postal mail.

#### Identity verification

* Proportionate (confirmation email, one-time code, ID document if genuine risk).
* Avoid increasing the risk (do not request more than necessary).

#### SLA & workflow

1. **Acknowledgement of receipt** (72h) with case number and target deadline,
2. **Qualification** of the right requested and scope (systems, subsidiaries, processors),
3. **Collection** and internal review (business/IT/legal/DPO),
4. **Response** within 1 month (+ notification if extended),
5. **Proof**: file documents and decision, notify relevant recipients (rectification/erasure/restriction).
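As an added example (not Dastra's code and not part of the original page), a small Python tracker that encodes the deadline rules of this workflow: acknowledgement within 72h, response within 1 month counted in calendar months, an extension of up to 2 months accepted only if notice is given within the first month, and a timestamped log for the proof step. The `DsrCase` class, the `open_case` helper and the sample case are assumptions for illustration.

```python
"""DSR case deadline tracker (added example, not Dastra's code).
Encodes the SLA on this page: acknowledge within 72h, respond within 1 month,
extend by at most 2 more months only if notice is given in the first month,
and keep a timestamped log of each step as proof of compliance."""
from calendar import monthrange
from dataclasses import dataclass, field
from datetime import datetime, timedelta

def add_months(d: datetime, months: int) -> datetime:
    """Calendar-month arithmetic, clamped to the last day of shorter months."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return d.replace(year=year, month=month, day=min(d.day, monthrange(year, month)[1]))

@dataclass
class DsrCase:
    case_id: str
    right: str                      # e.g. "access", "erasure", "portability"
    received_at: datetime
    extended: bool = False
    log: list = field(default_factory=list)   # (timestamp, event) audit trail

    def record(self, when: datetime, event: str) -> None:
        self.log.append((when.isoformat(), event))

    def ack_deadline(self) -> datetime:
        return self.received_at + timedelta(hours=72)

    def response_deadline(self) -> datetime:
        return add_months(self.received_at, 3 if self.extended else 1)

    def extend(self, notified_iso: str, reason: str) -> bool:
        """Apply the +2 month extension; refused if notice comes after month 1."""
        notified_at = datetime.fromisoformat(notified_iso)
        if self.extended or notified_at > add_months(self.received_at, 1):
            self.record(notified_at, "extension refused: outside first month")
            return False
        self.extended = True
        self.record(notified_at, f"extended by 2 months: {reason}")
        return True

    def is_overdue(self, now_iso: str) -> bool:
        return datetime.fromisoformat(now_iso) > self.response_deadline()

def open_case(case_id: str, right: str, received_iso: str) -> DsrCase:
    """Create a case and log its receipt (ISO 8601 timestamps throughout)."""
    case = DsrCase(case_id, right, datetime.fromisoformat(received_iso))
    case.record(case.received_at, f"received: {right} request")
    return case
```

The month arithmetic clamps to the last day of a shorter month (a request received on 31 January is due on 29 February in a leap year), which a naive "+30 days" rule gets wrong.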

#### Evidence to retain

* Request, verified identity, searches conducted, reasoned decision, date of sending, notification logs, data transmitted to the individual.

***

### 🧩 Managing rights in Dastra

* **Collection & tracking**: create a DSR case, assign it, set the deadline, track the status (awaiting information, in progress, closed).
* **Verification & proof**: log identities, searches and decisions; store supporting documents in the **document management** module.
* **Automation**: response templates, recurring tasks, reminders, notifications, integrations (helpdesk/CRM).
* **Reporting**: response times, volumes, refusal reasons, trends by right type.

***

### 📌 Key takeaways

* Deadline **1 month** (up to +2), **free of charge** except for abuse, **traceability** is mandatory.
* Implement **standardised processes and evidence trails**.
* Provide **simple** opt-out and portability mechanisms.
* Centralise request management in **Dastra** to secure, prove and monitor compliance.

***

### 📘 For more information

{% content-ref url="/pages/-M31ydu73LeeHMZQ4ECM" %}
[Data subject right request](/en/features/gerer-les-exercices-des-droits.md)
{% endcontent-ref %}

***

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```http
GET https://doc.dastra.eu/en/useful-reminders/gdpr-key-concepts/data-subject-rights.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
