GDPR | Data Subject Rights (DSAR)

Overview of data subject rights and how to implement them.

---

Rights Overview

Article	Right	Description
Art. 13/14	RIGHT TO INFORMATION	At data collection: who, why, how long
Art. 15	RIGHT OF ACCESS	Copy of all personal data
Art. 16	RIGHT TO RECTIFICATION	Correction of inaccurate data
Art. 17	RIGHT TO ERASURE (“right to be forgotten”)	Deletion of personal data
Art. 18	RIGHT TO RESTRICTION	Suspension of processing
Art. 20	RIGHT TO DATA PORTABILITY	Export of data in machine-readable format
Art. 21	RIGHT TO OBJECT	Objection to processing
Art. 22	RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING	Human review of AI decisions

---

Detailed Rights Overview

Art. 15 --- Right of Access

Aspect	Detail
What	Copy of all personal data + metadata
When	Upon request from the data subject
SLA	30 days (extension max +2 months)
Format	Electronically if request is electronic
Fee	Free (first copy), additional at cost

What you must provide:

• Categories of data processed
• Purposes of processing
• Recipients of data
• Retention period
• Rights of the data subject
• Source of data (if not from the subject)
• Automated decision-making (if used)

Art. 16 --- Right to Rectification

Aspect	Detail
What	Correction of inaccurate or incomplete data
SLA	30 days
Evidence	Subject should provide correct data
Propagation	Inform recipients of the correction

Art. 17 --- Right to Erasure

Aspect	Detail
What	Deletion of personal data
SLA	30 days (“without undue delay”)
Scope	All systems including backups
Propagation	Inform recipients of the deletion

When you CANNOT erase:

• Legal obligation for retention (accounting, tax)
• Defence of legal claims
• Archiving in the public interest
• Scientific/historical research
• Exercise of freedom of expression

Art. 18 --- Right to Restriction

Aspect	Detail
What	Suspension of processing (data remains)
When	During accuracy verification, during objection
SLA	30 days
What is allowed	Storage only, no processing

Art. 20 --- Right to Data Portability

Aspect	Detail
What	Export of data in machine-readable format
When	If legal basis = consent or contract
SLA	30 days
Format	JSON, XML, CSV
Direct transfer	If technically feasible

Art. 21 --- Right to Object

Aspect	Detail
What	Objection to processing
When	For legitimate interest or public interest processing
SLA	Immediately (direct marketing), otherwise 30 days
Consequence	You must stop, unless you have compelling grounds

Art. 22 --- Automated Decision-Making

Aspect	Detail
What	Right not to be subject to purely automated decisions
When	If the decision has legal or similarly significant effect
Rights	Human review, expression of views, challenge the decision
Exceptions	Contract, law, explicit consent

---

DSAR Workflow

Request Processing

---

Implementation

Technical Requirements

System	Requirement
Production DB	Export user data
CRM	Export customer data, delete capability
Marketing	Unsubscribe, delete, export
Analytics	Anonymisation or delete
Logs	Retention policy, pseudonymisation
Backups	Deletion after retention period
Third-party	DPA, cooperation agreement

Data Subject Portal (Recommended)

Self-service portal for data subjects:

DATA SUBJECT PORTAL

Log in to manage your data

Action	Description
DOWNLOAD MY DATA	Export all personal data
EDIT MY DATA	Correct inaccurate data
DELETE MY ACCOUNT	Right to erasure
MANAGE CONSENTS	Manage given consents
CONTACT DPO	Contact the Data Protection Officer

---

Response Templates

Access Request (Art. 15)

Subject: Response to personal data access request [DSAR-XXXX]

Dear [NAME],

Please find attached a copy of your personal data:

1. DATA CATEGORIES
   - Identification: [list]
   - Contact: [list]
   - Transactional: [list]

2. PURPOSES OF PROCESSING
   [list of purposes]

3. RECIPIENTS OF DATA
   [list of recipients]

4. RETENTION PERIOD
   [retention periods]

5. YOUR RIGHTS
   You have the right to rectification, erasure, restriction of processing
   and portability.
   You have the right to lodge a complaint with the supervisory authority.

Attachment: [file.zip]
Password sent separately.

Kind regards,
[DPO]

Erasure Confirmation (Art. 17)

Subject: Confirmation of personal data erasure [DSAR-XXXX]

Dear [NAME],

We confirm the deletion of your personal data:

DELETED DATA:
- Account and profile
- Transaction history
- Communications

RETAINED DATA (legal obligation):
- Accounting records (10 years by law)

DATA DELETED FROM:
- Production database: [DATE]
- Backups: by [DATE]
- Third-party: [list]

Kind regards,
[DPO]

---

Exceptions and Refusal

When You Can Refuse

Reason	Example
Cannot verify identity	Subject did not provide sufficient evidence
Manifestly unfounded	Vexatious repeated requests
Excessive request	Too frequent, too extensive
Legal restriction	Legal claims, investigation

Obligations When Refusing

1. Inform the subject of the reasons
2. Inform about the right to complain to the supervisory authority
3. Inform about the right to judicial remedy
4. Document the decision

---

DSAR Register

DSAR ID	Date received	Subject	Type	Status	Deadline	Response
DSAR-2026-001			Access
DSAR-2026-002			Erasure

---

KPIs

Metric	Target
Average response time	<20 days
Compliance rate (within 30 days)	100%
Rejection rate	<5%
Customer satisfaction	>80%

---

Next Steps

1. Subject rights understood
2. Compliance checklist
3. Implement DSAR workflow
4. DSAR template

---

Disclaimer

This content is for informational purposes only and does not constitute legal advice. For your organisation’s specific situation, we recommend consulting a qualified lawyer.

What’s next?

Need help with implementation? We offer a free 15-minute consultation.

Book a consultation -> | Test your readiness -> | Self-Assessment ->