Data subject rights are one of the most practical aspects of GDPR — and one of the most operationally challenging. Requests do not arrive as formal legal documents. They arrive as ordinary emails, contact form submissions, customer service messages, sometimes even social media direct messages. The form is irrelevant. What matters is the intent: if an individual is asking about their personal data, GDPR obligations are immediately triggered.
The most common failure in handling data subject requests is not a legal one — it is operational. Requests are not recognised as formal GDPR requests. They are not registered. Nobody owns them. Deadlines pass unnoticed. And when the supervisory authority asks for evidence of how a request was handled, the organisation has nothing to show.
What rights do individuals have under GDPR
GDPR grants individuals a broad set of rights in relation to their personal data. Each right can be exercised through a request — regardless of how that request is phrased or submitted.
Right of access (Article 15 GDPR)
An individual can request confirmation of whether their personal data is being processed, and if so — what data, for what purpose, on what legal basis, for how long, and to whom it is disclosed. The controller must provide a copy of the personal data being processed.
This is one of the most frequently exercised rights and one of the most demanding to fulfil — it requires locating all data across every system in which the individual may appear.
Right to rectification (Article 16 GDPR)
An individual can request correction of inaccurate personal data or completion of incomplete data. The controller must act without undue delay.
Right to erasure — the right to be forgotten (Article 17 GDPR)
An individual can request deletion of their personal data where: the data is no longer necessary for the purpose it was collected, consent has been withdrawn and no other legal basis applies, a valid objection has been raised, or the data has been unlawfully processed.
The right is not absolute. The controller may refuse where processing is necessary to comply with a legal obligation or to establish, exercise or defend legal claims.
Right to restriction of processing (Article 18 GDPR)
An individual can request that processing be restricted — for example, while the accuracy of data is being contested, or while an objection is being assessed. During restriction, the controller may only store the data, not process it further.
Right to data portability (Article 20 GDPR)
An individual can request their personal data in a structured, commonly used, machine-readable format — and have it transmitted to another controller. This right applies only to data processed on the basis of consent or a contract, and only to processing carried out by automated means.
Right to object (Article 21 GDPR)
An individual can object to processing based on legitimate interest or for direct marketing purposes. Where the objection concerns direct marketing, the controller must stop processing immediately — with no exceptions.
Right not to be subject to automated decision-making (Article 22 GDPR)
An individual can request that decisions with legal or similarly significant effects are not made solely on the basis of automated processing, including profiling.
How long does the controller have to respond
The deadline for responding to a data subject request is one month from the date the request is received. Where requests are complex or numerous, this can be extended by a further two months — but the individual must be informed of the extension within the first month, with an explanation of the reasons.
The deadline runs from the date the request is received, regardless of its form. A missed deadline is a breach of GDPR — even where the request was ultimately fulfilled late.
How to handle a data subject request — step by step
Step 1 — Register the request
Every request — regardless of channel (email, contact form, phone call, social media message) — must be recorded with the date of receipt. The registration date starts the clock on the one-month deadline.
Step 2 — Verify the identity of the requester
The controller must be satisfied that the person making the request is who they claim to be. Where there is reasonable doubt, additional information can be requested — but the controller cannot demand identity documents without justification, and must not collect more data than is necessary for verification.
Step 3 — Assess the request
Determine whether the request can be fulfilled and whether any grounds for refusal or limitation apply. Common grounds for refusing an erasure request include: processing is required to comply with a legal obligation, or is necessary for the establishment or defence of legal claims. Any refusal must be communicated to the individual with a clear explanation and information about their right to complain to a supervisory authority.
Step 4 — Fulfil the request
Carry out the required action — erasure, rectification, preparing a copy of data, restricting processing. Importantly, data may be held across multiple systems, at sub-processors, and in archives. Fulfilment must be consistent across all locations.
Step 5 — Respond to the requester
Respond within one month in a clear, understandable format. The response should confirm what action was taken — or explain the reasons for any refusal, and inform the individual of their right to lodge a complaint with a supervisory authority.
Step 6 — Archive the handling record
Retain documentation of the entire process — the date the request was received, the actions taken, and the date the response was sent. This is the key evidence in the event of a supervisory authority inspection or a complaint from the individual.
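The deadline rule and the six handling steps above are easy to state and easy to lose track of once requests arrive through several channels. The following is an added example written for this page, not code from iGDPR or any other product: a small in-memory request register that starts the one-month clock from the date of receipt, permits a single extension only while the first month is still running (because the individual must be informed within it), walks each request through the six stages with an audit trail, and reports which open requests are overdue or about to fall due. Two assumptions are labelled in the code: "one month" is computed as a calendar month clamped to the last day of a shorter month, and the stage names, owner values and sample requests are constructed for illustration.

```python
"""Minimal data subject request (DSAR) register: deadline arithmetic and stage tracking.
Example code for illustration; not part of any product."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta

# The six stages mirror the handling steps in the text (names are this example's choice).
STAGES = ("registered", "identity_verified", "assessed", "fulfilled", "responded", "archived")
CLOSED_STAGES = ("responded", "archived")


def add_months(d: date, months: int) -> date:
    """Add calendar months. Assumption: when the target month is shorter, the date is
    clamped to its last day (31 Jan + 1 month -> 28 or 29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class DataSubjectRequest:
    request_id: str
    received: date          # date of receipt, whatever the channel: this starts the clock
    channel: str            # email, contact form, phone call, social media message ...
    right: str              # e.g. "access", "erasure", "rectification"
    owner: str              # the named person responsible for this request
    stage: str = "registered"
    extended: bool = False
    history: list = field(default_factory=list)   # (date, note) audit trail

    @property
    def deadline(self) -> date:
        # One month from receipt; a granted extension adds a further two months.
        return add_months(self.received, 3 if self.extended else 1)

    def extend(self, today: date, reason: str) -> None:
        """Extension for complex or numerous requests: allowed once, and only while the
        first month is still running, since the individual must be informed by then."""
        if self.extended:
            raise ValueError("request already extended")
        if today > add_months(self.received, 1):
            raise ValueError("extension must be notified within the first month")
        self.extended = True
        self.history.append((today, f"deadline extended: {reason}"))

    def advance(self, today: date, note: str = "") -> str:
        """Move to the next stage and record the transition."""
        i = STAGES.index(self.stage)
        if i == len(STAGES) - 1:
            raise ValueError("request already archived")
        self.stage = STAGES[i + 1]
        self.history.append((today, f"{self.stage}: {note}" if note else self.stage))
        return self.stage

    def is_closed(self) -> bool:
        return self.stage in CLOSED_STAGES

    def is_overdue(self, today: date) -> bool:
        # A late response is still a breach, so only closed requests stop being overdue.
        return not self.is_closed() and today > self.deadline


class DsarRegister:
    """In-memory register; a real system would persist requests and their history."""

    def __init__(self) -> None:
        self._requests = {}

    def register(self, req: DataSubjectRequest) -> None:
        if req.request_id in self._requests:
            raise ValueError("duplicate request id")
        req.history.append((req.received, f"registered via {req.channel}, owner {req.owner}"))
        self._requests[req.request_id] = req

    def get(self, request_id: str) -> DataSubjectRequest:
        return self._requests[request_id]

    def overdue(self, today: date) -> list:
        return sorted(r.request_id for r in self._requests.values() if r.is_overdue(today))

    def due_soon(self, today: date, warn_days: int = 7) -> list:
        """Open requests whose deadline falls within warn_days: what a reminder job acts on."""
        horizon = today + timedelta(days=warn_days)
        return sorted(r.request_id for r in self._requests.values()
                      if not r.is_closed() and today <= r.deadline <= horizon)


if __name__ == "__main__":
    reg = DsarRegister()
    # Constructed sample requests; owner addresses are placeholders.
    reg.register(DataSubjectRequest("DSR-001", date(2024, 1, 31), "email", "erasure", "privacy@example.test"))
    reg.register(DataSubjectRequest("DSR-002", date(2024, 2, 20), "contact form", "access", "privacy@example.test"))
    reg.get("DSR-001").advance(date(2024, 2, 2), "identity confirmed by reply from the registered address")
    reg.get("DSR-002").extend(date(2024, 3, 1), "data held at several sub-processors")
    today = date(2024, 3, 5)
    print("overdue:", reg.overdue(today))      # ['DSR-001']: deadline was 29 Feb 2024 and it is still open
    print("due soon:", reg.due_soon(today))    # []: DSR-002 now falls due on 20 May 2024
    for when, note in reg.get("DSR-001").history:
        print(when, note)
```

The register deliberately treats "responded" as the point at which a request stops counting as open, matching the text: archiving the record is still required, but the deadline is about the response to the individual.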
Most common mistakes in handling data subject requests
Not recognising requests as formal GDPR requests. An email saying “please delete my account” is a data subject request under GDPR — regardless of whether the word “GDPR” was used. The intent is what matters.
Missing the deadline. The request gets forwarded between team members, sits in someone’s inbox, and the one-month window closes without a response. This is a breach of GDPR regardless of what ultimately happens.
Incomplete fulfilment. Data is deleted from the CRM but remains in the email system, backup archives, and at third-party processors. Fulfilment must cover all locations where the data is held.
Unjustified refusal. The controller refuses without a valid legal basis or fails to inform the individual of their right to complain to a supervisory authority.
Requesting excessive information for identity verification. Asking for a scan of a passport where an email address confirmation would suffice. This breaches the data minimisation principle.
Treating requests as customer support tickets. No formal registration, no assigned owner, no deadline tracking. This approach is a direct route to compliance failure.
Data subject requests in iGDPR — a fully implemented workflow
iGDPR includes a dedicated data subject request module in which the entire handling process is implemented as a workflow — from the moment a request is received through to archiving the documentation.
Every request is registered with the date of receipt, automatically starting the deadline counter. It is assigned to a responsible person, progresses through defined stages — registration, identity verification, assessment, fulfilment, response, archiving — and triggers notifications as the deadline approaches. A full history of every action is recorded. No request can be lost in an inbox, missed at a handover, or allowed to breach the deadline without a warning.
After the request is closed, the system generates documentation confirming the handling process — ready to produce during a supervisory authority inspection.
Summary
GDPR data subject rights are a daily operational reality for any organisation that processes personal data. Handling them correctly requires a process — not just awareness of the law. The one-month deadline, the consistency of fulfilment across all systems, and the ability to demonstrate what was done and when are all equally important.
Key principles:
- every request triggers GDPR obligations regardless of its form or channel,
- the deadline is one month from receipt — not from when the organisation decides to act,
- refusals must be justified and communicated with information about complaint rights,
- fulfilment must cover all systems and locations where the data is held,
- every request must be documented for accountability purposes.
Frequently asked questions about GDPR data subject rights
No — a request can be submitted in any form, including verbally. The form does not determine whether GDPR obligations apply. What matters is that an individual has asked about their personal data.
One month from the date the request is received. In complex cases, this can be extended by two months — but the individual must be informed within the first month.
Yes, in specific circumstances — where processing is required to comply with a legal obligation, or to establish, exercise or defend legal claims. Refusal must be communicated with clear reasons and information about the right to complain.
Missing the one-month deadline is a breach of GDPR and can result in a complaint to the supervisory authority and potentially an administrative fine — regardless of whether the request was eventually fulfilled.
Yes — in principle. Where it is technically impossible to delete data from backups immediately, the controller should restrict processing of that data until the backup is rotated. The supervisory authority’s approach to backup data varies by jurisdiction.
Only where requests are manifestly unfounded or excessive — in particular because of their repetitive character. Even then, charging a fee is not mandatory; the controller may instead refuse to act. In all other cases, handling must be free of charge.
Handle data subject requests without chaos — in a fully structured workflow
iGDPR includes a dedicated data subject request module with a complete built-in workflow — register requests, track deadlines, assign responsibility and archive the full handling history. Nothing gets lost. See how it works in practice.