Data Subject Rights (DSR)
Find out about the different rights introduced by the GDPR.
The GDPR reaffirms the rights of individuals, introduces data portability and strengthens the obligations of the data controller. Individuals must retain control of their data, and the controller must clearly explain how to exercise those rights.
Response time: 1 month from receipt (extendable by a further 2 months for complex or numerous requests; the extension and the reasons for it must be notified to the individual within the first month).
Free of charge: no fees, except for manifestly unfounded or excessive requests (in which case, either refuse with reasons or charge a reasonable fee; the controller bears the burden of demonstrating that the request is unfounded or excessive).
Traceability: record requests and responses (proof of compliance).
Two major obligations for the data controller
Inform data subjects (purposes, legal bases, retention periods, recipients, rights, transfers, DPO contact, etc.).
Notify each recipient of any rectification, erasure or restriction carried out at the individual's request (Art. 19), or justify a refusal to the individual.
Common operational rules (all rights)
Deadline: 1 month (up to +2 months if necessary, with notice within 1 month).
Identity verification proportionate to the risk (avoid requesting more than necessary).
Intake channels: dedicated email, online form, customer portal, postal mail.
Logging: date of receipt, verified identity, scope, decision, closure date.
Exemptions / limits: third-party rights, trade secrets, legal retention obligations, security, fraud prevention, etc. (document each one relied upon).
Right to information (Arts. 13 & 14)
To be provided at the time of collection (direct) or within 1 month (indirect): controller identity, purposes, legal bases, recipients, transfers, retention periods, rights, DPO contact, source (if indirect), automated decision-making/profiling where applicable.
Support: form notices, privacy policy, cookie banner, signage (CCTV), call centre scripts, etc.
Right of access (Art. 15)
The individual may obtain:
confirmation that data is being processed,
access to the data and associated information (purposes, categories, recipients, retention periods, etc.),
a copy of the data (the first copy is free; further copies may carry a reasonable fee based on administrative costs).
Modalities:
Written (postal or email), on-site (if appropriate), or online (secure portal).
Responses must be understandable (explanation of codes, acronyms, scores).
Limits / refusal: abusive requests, adverse impact on third-party rights, no data held (respond regardless, confirming that no data is processed).
Right to rectification (Art. 16)
Correct without delay inaccurate data and complete incomplete data (via supplementary statement). Inform recipients of the rectifications where applicable.
Right to erasure (Art. 17)
Erase data when:
it is no longer necessary,
consent is withdrawn,
a founded objection is raised and there is no compelling legitimate ground,
processing is unlawful,
there is a legal obligation to erase,
data was collected from children (information society services).
Exceptions: legal retention obligation, exercise/defence of rights in legal proceedings, public interest (health, research), freedom of expression and information. Inform recipients where applicable.
Right to restriction (Art. 18)
Temporarily suspend processing (except storage) if:
accuracy is contested,
processing is unlawful (the individual requests restriction rather than erasure),
data is needed for the exercise/defence of rights,
an objection is pending verification.
Right to object (Art. 21)
The individual may object:
at any time to direct marketing (including related profiling): obligation to cease without delay;
for reasons specific to their situation, to processing based on legitimate interests: accept unless there are compelling legitimate grounds that override the individual's interests.
Provide simple opt-out mechanisms (unsubscribe link in emails, account preference, checkbox, etc.).
Right to data portability (Art. 20)
Receive data provided to the controller in a structured, commonly used and machine-readable format,
and transmit it to another controller (where technically feasible). Applies when processing is based on consent or contract and carried out by automated means.
Automated individual decision-making & profiling (Art. 22)
Right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects (exceptions: contract necessity, legal authorisation, explicit consent, each with suitable safeguards). Obligations: clear information, human intervention, ability to contest the decision and express a view.
Consent (Arts. 6, 7)
Consent must be freely given, specific, informed and unambiguous (positive action, not pre-ticked). Withdrawal must be as easy as giving consent. Examples: sensitive data, electronic prospecting, cookies (depending on purposes).
Operational playbook (template)
Intake channels
Web form (authenticated if possible), dedicated email (privacy@…), customer portal, postal mail.
Identity verification
Proportionate to the risk (confirmation email for a logged-in account, one-time code sent to a known contact, ID document only where there is a genuine risk of impersonation).
Do not ask for more identity evidence than the request warrants: every ID copy you collect is new personal data you must then protect and erase.
SLA & workflow
Acknowledgement of receipt (72h) with case number and target deadline,
Qualification of the right requested and scope (systems, subsidiaries, processors),
Collection and internal review (business/IT/legal/DPO),
Response within 1 month (+ notification if extended),
Proof: file documents and decision, notify relevant recipients (rectification/erasure/restriction).
Evidence to retain
Request, verified identity, searches conducted, reasoned decision, date of sending, notification logs, data transmitted to the individual.
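The deadline arithmetic and the evidence trail above are easy to get wrong in a ticketing tool (a "month" is a calendar month, not 30 days; an extension is only valid if notified before the first deadline; identity checks must stay proportionate). The following is an added example, not Dastra's code or any code from this page: a minimal DSR case tracker in Python. It assumes a hypothetical three-level risk ladder for identity verification, a 72-hour acknowledgement window taken from the playbook (not a GDPR term), and weekend rollover of deadlines per Regulation 1182/71 Art. 3(4); public holidays are not modelled.

```python
"""Minimal DSR case tracker: deadlines, extension check, proportional identity
verification and an evidence log. Added illustration, not Dastra code."""
import calendar
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone

ACK_WINDOW = timedelta(hours=72)  # playbook target for the acknowledgement, not a legal term

# Assumed proportionality ladder: the higher the impersonation risk, the stronger
# the check that may be demanded. Asking for an ID copy on a low-risk request is refused.
VERIFICATION_METHODS = {
    "low": {"confirmation_email"},
    "medium": {"confirmation_email", "one_time_code"},
    "high": {"confirmation_email", "one_time_code", "id_document"},
}


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic: 31 Jan + 1 month is 28/29 Feb, not 2/3 Mar."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def next_working_day(d: date) -> date:
    """Regulation 1182/71 Art. 3(4): a period ending on a Saturday or Sunday ends on
    the following working day. Public holidays are deliberately not modelled."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


@dataclass
class DsrCase:
    case_id: str
    right: str                 # access, rectification, erasure, restriction, ...
    received: datetime         # timezone-aware moment of receipt
    status: str = "awaiting information"
    identity_verified: bool = False
    extended: bool = False
    evidence: list = field(default_factory=list)  # the proof of compliance

    def log(self, event: str, **details) -> None:
        self.evidence.append({"event": event, "logged_at": datetime.now(timezone.utc).isoformat(), **details})

    def ack_due(self) -> datetime:
        return self.received + ACK_WINDOW

    def first_deadline(self) -> date:
        return next_working_day(add_months(self.received.date(), 1))

    def response_due(self) -> date:
        return next_working_day(add_months(self.received.date(), 3 if self.extended else 1))

    def verify_identity(self, risk: str, method: str, today: date) -> None:
        allowed = VERIFICATION_METHODS[risk]
        if method not in allowed:
            raise ValueError(f"{method} is disproportionate for a {risk}-risk request; allowed: {sorted(allowed)}")
        self.identity_verified = True
        self.status = "in progress"
        self.log("identity_verified", risk=risk, method=method, on=today.isoformat())

    def extend(self, today: date, reason: str) -> date:
        """Art. 12(3): one extension of up to two months, notified within the first month."""
        if self.extended:
            raise ValueError("only one extension is allowed")
        if today > self.first_deadline():
            raise ValueError("extension must be notified within the first month")
        self.extended = True
        self.log("extension_notified", reason=reason, on=today.isoformat())
        return self.response_due()

    def close(self, today: date, decision: str, recipients_notified: list) -> None:
        if not self.identity_verified:
            raise ValueError("cannot close a case whose requester was never verified")
        self.status = "closed"
        self.log("closed", decision=decision, on=today.isoformat(),
                 late=today > self.response_due(), recipients_notified=recipients_notified)


if __name__ == "__main__":
    # Constructed sample: an erasure request received by email on Saturday 1 Feb 2025.
    case = DsrCase("DSR-0001", "erasure", datetime(2025, 2, 1, 10, 0, tzinfo=timezone.utc))
    print("acknowledge by", case.ack_due(), "| respond by", case.response_due())  # 3 Mar: 1 Mar is a Saturday
    case.verify_identity("low", "confirmation_email", date(2025, 2, 3))
    print("extended deadline", case.extend(date(2025, 2, 20), "data spread across three subsidiaries"))
    case.close(date(2025, 4, 10), "erased", recipients_notified=["crm-vendor"])
    for entry in case.evidence:
        print(entry)
```

The `evidence` list is the minimum proof trail: who was verified, how, when the extension was notified and why, and whether the closing date beat the deadline. Keep it free of the personal data itself; store the data transmitted to the individual in the document management module, not in the log.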
Managing rights in Dastra
Collection & tracking: create a DSR case, assign it, set the deadline, track the status (awaiting information, in progress, closed).
Verification & proof: log identities, searches and decisions; store supporting documents in the document management module.
Automation: response templates, recurring tasks, reminders, notifications, integrations (helpdesk/CRM).
Reporting: response times, volumes, refusal reasons, trends by right type.
Key takeaways
Deadline 1 month (up to +2), free of charge except for abuse, traceability is mandatory.
Implement standardised processes and evidence trails.
Provide simple opt-out and portability mechanisms.
Centralise request management in Dastra to secure, prove and monitor compliance.
For more information
Data subject right request