Skarp

Chapter 6 of 13

Data Subject Rights: Access, Erasure and Beyond

Walk through the rights catalogue from a data subject’s perspective—access, rectification, erasure, portability and more—and see how deadlines, exemptions and balancing tests play out in exam‑style cases.

15 min read

Step 1 – Big Picture: Data Subject Rights Under the GDPR

Why Data Subject Rights Matter

Data subject rights are how individuals control their personal data under the GDPR. They turn abstract principles like lawfulness and fairness into concrete powers people can actually use.

Legal Framework (May 2026)

The main law is still the EU GDPR (Regulation (EU) 2016/679). National implementing laws complement it, and processing by police and criminal-justice authorities falls under the national implementations of the Law Enforcement Directive (Directive (EU) 2016/680) instead. We focus on the EU GDPR for exams.

The Rights We Cover

We will cover transparency and notices (Arts 12–14), access, rectification, erasure, restriction, portability, objection, and rights about automated decision-making, including profiling.

Three Cross-Cutting Themes

Always ask: is the controller transparent, do they meet the 1‑month deadline (plus possible extension), and have they balanced this right against legal duties and others' rights?

Step 2 – Transparency and Privacy Notices (Articles 12–14)

Article 12: Style Rules

Article 12 requires information to be concise, transparent, intelligible and easily accessible, in clear and plain language. Controllers must actively facilitate the exercise of rights.

Article 13: Direct Collection

When data comes directly from the person, Article 13 info must be given at the time of collection: who the controller is, purposes, legal bases, recipients, retention, rights, and more.

Article 14: Indirect Collection

When data comes from elsewhere, Article 14 information must be given within a reasonable period and at the latest within 1 month of obtaining the data; earlier if the data is used to contact the person (at first contact) or disclosed to another recipient (at first disclosure). It adds the categories of data and the source, including whether the data came from publicly accessible sources.

Exemptions and Effort

Giving Article 14 information may be impossible or involve disproportionate effort, typically for archiving, research or statistical purposes. Article 14(5) then exempts the controller, but only with appropriate safeguards such as making the information publicly available. The same paragraph also exempts cases where the person already has the information, where EU or national law expressly requires the obtaining or disclosure and provides safeguards, or where professional secrecy applies.

Step 3 – Example: Direct vs Indirect Collection in Practice

Scenario A: Direct Collection

Ana signs up on UniTest’s platform and enters her details. UniTest collects data directly, so Article 13 applies and Ana must see a privacy notice during signup.

Scenario B: Indirect Collection

UniTest buys a list with Ana’s data from a marketing firm. This is indirect collection. Article 14 applies, and Ana must be informed at the latest within 1 month, or earlier if UniTest contacts her first (for example, with a marketing message) or passes her data on to another recipient.

Extra Article 14 Information

In Scenario B, UniTest’s notice must add categories of data and the source, including that it came from a marketing firm using public alumni registers.

Exam Checklist

In any scenario, ask: direct or indirect collection? Article 13 or 14? Was the timing respected? Do any narrow Article 14 exemptions really apply?

Step 4 – Core Mechanics: Deadlines, Identity Checks, Fees (Article 12)

Deadlines

Controllers must respond to rights requests without undue delay and at the latest within 1 month of receipt. They may extend by up to 2 further months where necessary because of the complexity or number of requests, but must tell the person within the first month, together with the reasons for the delay.

Fees and Abuse

Requests are free. Only if a request is manifestly unfounded or excessive, in particular because it is repetitive, may a controller charge a reasonable fee based on administrative costs or refuse to act. The burden of demonstrating that the request is manifestly unfounded or excessive lies with the controller (Article 12(5)).

Identity Verification

If there are reasonable doubts about identity, controllers may ask for extra information, but only what is necessary. Less intrusive methods should be preferred.

How to Respond

Responses must be given in writing or by other means, including electronic means where appropriate, and orally only if the person asks and their identity is established (Article 12(1)). If the request was made electronically, the information should be provided in a commonly used electronic form unless the person asks otherwise (Article 15(3)). For access, the first copy of the personal data is free; further copies can incur a reasonable fee based on administrative costs. If the controller declines to act, it must say so within 1 month, give reasons, and point to the right to complain to a supervisory authority and to seek a judicial remedy (Article 12(4)).

Checkpoint 1 – Timing and Procedure

Test your understanding of the general rules before we dive into specific rights.

A controller receives an access request on 1 March. It is straightforward. By when must it respond, and can it charge a fee for the first copy?

  A. By 1 April, and it can charge a reasonable fee for the first copy.
  B. By 1 April, and it must provide the first copy free of charge.
  C. By 1 June, because it can always take 3 months, and the first copy must be free.

Answer: B) By 1 April, and it must provide the first copy free of charge.

Article 12(3) sets a 1‑month deadline, extendable by up to 2 further months only where the complexity or number of requests makes that necessary, and only if the person is told within the first month. For a straightforward request, the controller should respond by 1 April. Article 15(3) requires the first copy to be provided free of charge; only additional copies may incur a reasonable fee.
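Deadline arithmetic is where request-handling tooling most often goes wrong, so the following Python example (added here; it is not from the chapter or from any regulator's tooling) computes the Article 12(3) response deadline, including the extension rule. It assumes that the 1‑month period ends on the same calendar date in the following month, as in the checkpoint (1 March to 1 April), that a period ending on a date that does not exist (31 January plus one month) ends on the last day of that month, and, as a conservative policy choice, that an extension notified after the first month does not move the deadline. The function names `add_months` and `effective_deadline` are this example's own.

```python
"""Compute GDPR Article 12(3) response deadlines for a data subject request.

Added example, not from the original page. Assumptions (not stated in the
chapter): a one-month period ends on the same calendar date next month, clamped
to the month end when that date does not exist, and an extension notified after
the first month is treated as not validly invoked.
"""
from __future__ import annotations

import calendar
from datetime import date


def add_months(day: date, months: int) -> date:
    """Return the same calendar date `months` later, clamped to the month end.

    Examples: 1 March -> 1 April; 31 January -> 28 (or 29) February.
    """
    month_index = day.month - 1 + months          # zero-based month counter
    year = day.year + month_index // 12           # carry into following years
    month = month_index % 12 + 1
    last_day_of_month = calendar.monthrange(year, month)[1]
    return date(year, month, min(day.day, last_day_of_month))


def effective_deadline(
    received: date,
    extension_months: int = 0,
    extension_notified_on: date | None = None,
    reason: str = "",
) -> date:
    """Return the date by which the controller must respond.

    - Base deadline: one month from receipt (Article 12(3)).
    - Extension: at most two further months, and only counts if the person
      was notified within the first month, with reasons for the delay.
    - A late or reasonless notification leaves the base deadline in place
      (assumption of this example: a conservative policy, not a rule quoted
      from the chapter).
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("Article 12(3) allows at most two further months")
    base_deadline = add_months(received, 1)
    if extension_months == 0:
        return base_deadline
    if not reason:
        raise ValueError("an extension must be notified together with reasons")
    if extension_notified_on is None or extension_notified_on > base_deadline:
        # Notification missed the first-month window: keep the base deadline.
        return base_deadline
    return add_months(received, 1 + extension_months)


if __name__ == "__main__":
    # Constructed sample requests, mirroring the checkpoint scenario.
    print(effective_deadline(date(2026, 3, 1)))                       # 2026-04-01
    print(effective_deadline(date(2026, 3, 1), 2,
                             date(2026, 3, 20), "bulk requests"))     # 2026-06-01
    print(effective_deadline(date(2026, 3, 1), 2,
                             date(2026, 4, 5), "bulk requests"))      # 2026-04-01
    print(add_months(date(2026, 1, 31), 1))                           # 2026-02-28
```

The month-end clamp matters for requests received on the 29th, 30th or 31st; without it a naive "same day next month" implementation raises an error or silently rolls into the following month, which is the difference between a timely and a late response.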

Step 5 – Access, Rectification and Erasure (Articles 15–17)

Right of Access

Article 15 lets people know whether their data is processed and obtain a copy plus key information on purposes, recipients, retention, source, and any automated decision-making.

Limits to Access

Access is not absolute. Under Article 15(4) the right to obtain a copy must not adversely affect the rights and freedoms of others, such as trade secrets, intellectual property or the privacy of third parties. Controllers usually handle this by redacting the affected parts; Recital 63 makes clear that it is not a ground for refusing all information.

Right to Rectification

Article 16 allows correction of inaccurate data and completion of incomplete data without undue delay. Distinguish factual inaccuracies from opinions in exam scenarios.

Right to Erasure

Article 17 requires erasure when one of its grounds applies: the data is no longer needed for its purpose, consent is withdrawn and no other legal basis exists, the person objects under Article 21 and no overriding grounds exist, the processing is unlawful, erasure is required by a legal obligation, or the data was collected from a child in connection with online services.

When Erasure Can Be Refused

Erasure may be refused when processing is needed for expression and information, legal obligations, public health, research/archiving, or legal claims.

Search Engine De-Listing

The 'right to be forgotten' often means de-listing search results for a person’s name. Search engines must balance privacy with freedom of expression and public interest.

Step 6 – Apply It: Access vs Erasure vs Rectification

Work through these mini-scenarios. Decide which right is most appropriate and what the controller should do.

  1. Old address in bank records
  • Maria sees that her bank still lists her old address, even though she moved 2 years ago.
  • Question: Which right fits best?
  • Hint: The data is factually wrong, not necessarily unnecessary.
  2. Embarrassing news article in search results
  • A 45-year-old man was convicted of a minor offence 20 years ago. He has had no issues since. Searching his name on a major search engine still shows an old news article about the case.
  • Question: Which right should he use against the search engine?
  • Hint: Think about visibility via name-based searches and balancing tests.
  3. Unknown data in a marketing file
  • A person receives a targeted ad from a company they have never heard of. They suspect the company holds a detailed profile about them.
  • Question: Which right should they exercise first to understand what is going on?
  • Hint: Before you can ask for erasure or restriction, you need to see what is there.

Pause and answer for yourself, then check the suggested solutions below.

Suggested answers

  1. Maria should use the right to rectification (Article 16) to correct her address. If the old address is no longer needed for any purpose, she could in theory invoke erasure, but rectification is the cleanest match.
  2. The man should request de-listing from the search engine under Article 17, as interpreted by CJEU case law starting with Google Spain (C‑131/12), often called the "right to be forgotten". The search engine must balance his privacy and rehabilitation against the public interest in accessing the information; the article itself can stay on the publisher's site even if the name-based search result is removed.
  3. The person should start with a right of access request (Article 15) to see what data is held, where it came from, and for what purposes. After seeing the data, they might then use erasure, restriction, or objection.

Step 7 – Restriction, Portability, Objection and Automated Decisions

Restriction of Processing

Restriction marks data so it can be used only in limited ways, e.g., when accuracy is contested or processing is unlawful but the person prefers restriction over erasure.

Portability Basics

Portability applies to data processed by automated means on the basis of consent or contract. It lets people obtain or transfer their data in a machine-readable format.

What Data Is Portable?

Article 20 covers data the person "provided to" the controller. Regulators' guidance (Article 29 Working Party Guidelines on data portability, WP242) reads this to include observed data generated by the person's use of a service, such as activity logs, but not inferred or derived data such as scores or profiles created by the controller.

Right to Object

People can object to processing based on legitimate interests or public task. Controllers must stop unless they show compelling overriding grounds. For direct marketing, they must stop immediately.

Automated Decisions (Article 22)

Article 22 protects against solely automated decisions with legal or similarly significant effects, unless narrow exceptions apply and safeguards like human review are provided.

Checkpoint 2 – Choosing the Right Right

Decide which right best fits the scenario.

An online music service processes your listening history under a contract. You want to move to a competitor and take your playlists and play history with you in a machine-readable file. Which right do you rely on?

  A. Right of access (Article 15)
  B. Right to data portability (Article 20)
  C. Right to restriction of processing (Article 18)

Answer: B) Right to data portability (Article 20)

This is a classic portability scenario: automated processing based on a contract, and the user wants data in a structured, commonly used, machine-readable format to move to another provider. That is Article 20.

Step 8 – Exemptions, Derogations and Balancing Tests

Article 23 Restrictions

EU and national laws may restrict rights like access and erasure when necessary and proportionate to protect security, criminal investigations, key public interests, or judicial processes.

Legal Obligation vs Erasure

If the law requires retention (e.g., tax rules), controllers can refuse erasure for those records, relying on Article 17(3) and relevant national provisions.

Protecting Others in Access

Access can be limited to protect third parties’ data or trade secrets. Controllers may redact or summarise rather than give full unredacted documents.

Research, Archiving, Expression

Research and archiving, and freedom of expression activities, may justify derogations from some rights if national law provides safeguards and the restrictions are proportionate.

Exam Strategy

When a request is refused, ask: what legal basis for restriction, is there a clear law, is it necessary and proportionate, and did the controller explain and minimise the restriction?

Step 9 – Flashcard Review of Key Rights

Flip through these cards to reinforce the main rights and rules.

Article 12 – Core procedural rules
Sets style (concise, transparent, plain language), 1‑month deadline (plus possible 2‑month extension), free of charge principle, conditions for fees/refusal, and identity verification rules.
Article 13 vs Article 14
Article 13: information when data is collected directly from the person, given at collection. Article 14: when data comes from other sources, info given within 1 month or at first contact/disclosure, with extra details on source and categories.
Right of access (Article 15)
Lets individuals know if their data is processed, obtain a copy, and receive detailed information on purposes, recipients, retention, source, and automated processing.
Right to rectification (Article 16)
Allows individuals to correct inaccurate data and complete incomplete data without undue delay. Often used for wrong addresses, misspellings, or outdated factual information.
Right to erasure (Article 17)
Requires deletion when conditions apply (e.g., no longer necessary, consent withdrawn, unlawful processing), but includes exceptions for legal obligations, public interest, research, expression, and legal claims.
Restriction of processing (Article 18)
Temporarily limits how data is used, e.g., while accuracy is checked, instead of erasing it. Data can then only be used for narrow purposes like legal claims or with consent.
Data portability (Article 20)
Applies to data processed by automated means on the basis of consent or contract. Provides data in a structured, commonly used, machine-readable format or transfers it to another controller.
Right to object (Article 21)
Allows people to object to processing based on legitimate interests or public task (subject to balancing) and to direct marketing (no balancing: controller must stop marketing).
Automated decisions and profiling (Article 22)
Protects against solely automated decisions with legal or similarly significant effects, unless narrow exceptions apply and safeguards like human review and contestation are provided.
Article 23 – Restrictions of rights
Allows EU or Member State laws to restrict rights when necessary and proportionate for aims like national security, crime prevention, public interests, judicial independence, or regulatory functions.

Step 10 – Final Exam-Style Question

Put everything together in a scenario similar to what you might see on an exam.

A ride‑sharing app processes location data to perform a contract (rides) and also to build analytics for improving its service under legitimate interests. A user sends one email saying: (1) 'Send me all data you have about me,' (2) 'Delete my account and all my data,' and (3) 'Stop using my past trips for your analytics.' Which combination of rights best corresponds to (1), (2), and (3)?

  A. (1) Access, (2) Erasure, (3) Objection
  B. (1) Portability, (2) Erasure, (3) Restriction
  C. (1) Access, (2) Restriction, (3) Rectification

Answer: A) (1) Access, (2) Erasure, (3) Objection

Request (1) is a classic right of access (Article 15). Request (2) is a right to erasure (Article 17), subject to limits such as legal retention duties. Request (3) is an objection to processing based on legitimate interests (Article 21(1)) for analytics; the controller must show compelling grounds or stop that analytics use.

Key Terms

Profiling
Any form of automated processing that uses personal data to evaluate personal aspects, such as performance at work, economic situation, health, preferences, or behaviour.
Controller
The entity that determines the purposes and means of processing personal data.
De-listing
Removal of specific search results for a person’s name from a search engine index, often linked to the 'right to be forgotten'.
Derogation
A lawful limitation or restriction of a GDPR right under specific conditions, usually set out in EU or Member State law.
Data subject
An identified or identifiable natural person whose personal data is processed.
Transparency
Obligation to provide clear, accessible information about how personal data is processed, mainly through privacy notices.
Right of access
The right to obtain confirmation of processing and a copy of personal data plus detailed information about the processing.
Right to object
The right to oppose certain processing, especially that based on legitimate interests or public task, and to stop direct marketing.
Right to erasure
The right to have personal data deleted when specific grounds apply, subject to important exceptions.
Right to rectification
The right to have inaccurate personal data corrected and incomplete data completed.
Automated decision-making
Decisions made solely by automated means without human involvement that produce legal or similarly significant effects on an individual.
Right to data portability
The right to receive personal data in a structured, commonly used, machine-readable format and transmit it to another controller when conditions are met.
Right to restriction of processing
The right to limit the way personal data is used, typically while a dispute over accuracy or lawfulness is resolved.
