How long do I have to respond to a GDPR rights request?

One calendar month from receiving the request. You can extend by up to two further months for complex or numerous requests, but you must tell the individual about the extension and why within the first month. Most routine requests, such as access, are answered free of charge.

Is the right to erasure absolute?

No. The right to erasure (right to be forgotten) applies in specific situations, such as when data is no longer necessary or consent is withdrawn. It does not apply where processing is needed for freedom of expression, a legal obligation, public-interest tasks, or the establishment or defence of legal claims.

What is a subject access request?

A subject access request (SAR) exercises the Article 15 right of access. The individual can ask for confirmation that you process their data, a copy of that data, and supplementary information such as the purposes, recipients and retention period. You must respond within one month, usually free of charge.

Which rights only apply to certain lawful bases?

Data portability (Article 20) applies only where processing is based on consent or contract and is carried out by automated means. The right to object applies mainly to legitimate-interests and public-task processing. The other rights, like access and rectification, apply across the board with their own conditions.

Does this tool record my searches?

No. The reference table and filter run entirely in your browser using JavaScript. Nothing you enter is uploaded, logged or stored.

GDPR Data Subject Rights Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

The GDPR gives individuals eight enforceable rights over their personal data, set out in Chapter 3 (Articles 15–22). Organisations must be able to recognise and act on each request — usually within one month. This reference lists all eight rights with the granting Article, what the person can ask for, and the conditions or exceptions that qualify the right.

How it works

A request can arrive in any form — email, letter, even verbally — and the clock starts when you receive it. You verify the requester’s identity, then handle the request under the relevant Article: access (a copy of their data), rectification (correct inaccurate data), erasure (delete in qualifying cases), restriction (pause processing), portability (machine-readable export for consent/contract data), objection (stop certain processing), rights around automated decisions and profiling, and the overarching right to be informed. You respond within one month, extendable by two months for complex requests, and you may refuse manifestly unfounded or excessive requests — but you must explain why.

Tips and notes

Default deadline is one calendar month from receipt of the request.
Most requests are free; you may charge or refuse only if manifestly excessive.
Erasure and objection are qualified — they have lawful exceptions.
Portability applies only to consent/contract data processed by automated means.

GDPR Data Subject Rights Reference

Email me this result

The eight GDPR data subject rights

How it works

Tips and notes