AGIDAT – Datenschutz | Informationssicherheit

Data Subject Rights

Access, erasure, objection — handling requests in a legally compliant and timely manner.

Every person whose data you process has rights — and as a company, you have an obligation to fulfill these rights. On time, in full, and without bureaucratic hurdles. That sounds self-evident, but in practice it's one of the most common weak spots.

Overview of Data Subject Rights

🔎
Right of Access
Art. 15 GDPR

Data subjects can request to find out what data you process about them, for what purpose, for how long, and to whom you disclose it. Deadline: 1 month.

✏️
Right to Rectification
Art. 16 GDPR

Inaccurate data must be corrected without undue delay upon request. Incomplete data must be completed.

🗑️
Right to Erasure
Art. 17 GDPR

The so-called "right to be forgotten". Data subjects can request erasure if the purpose no longer applies, consent has been withdrawn, or the processing was unlawful.

⏸️
Right to Restriction of Processing
Art. 18 GDPR

During a review or in the event of an objection, data subjects can request that their data only be processed to a limited extent — effectively "frozen".

📤
Data Portability
Art. 20 GDPR

Where processing is based on consent or a contract, data subjects can request their data in a machine-readable format in order to transfer it to another provider.

🚫
Right to Object
Art. 21 GDPR

Objections can be raised at any time against processing based on legitimate interest or for direct marketing purposes. Such objections must be acted upon immediately.

Deadlines and Obligations

Request Deadline Extension
Access request (Art. 15) 1 month + 2 months for complex requests (with justification)
Erasure request (Art. 17) Without undue delay No extension, but review whether exceptions apply
Rectification request (Art. 16) Without undue delay No extension
Objection to direct marketing (Art. 21) Immediately No extension — must be acted upon immediately

Building a Process for Data Subject Requests

To keep requests from descending into chaos or missing deadlines, you need a documented process. At a minimum:

1

Log receipt — when was the request submitted? The deadline starts running from this point.

2

Verify identity — is the requester really who they claim to be? (No excessive requirements, but reasonable verification for sensitive data.)

3

Clarify responsibility — who in the company answers the request?

4

Compile the data — search all systems that might hold data about the person.

5

Respond — completely, understandably, and free of charge (for access requests). Confirmation letters for erasures and rectifications.

6

Document — record the request, the review, and the response internally.

Caution: No Unjustified Refusals

Data subject rights can be restricted in certain exceptional cases — for example, when statutory retention obligations conflict with an erasure request. However, these exceptions must be justified. A simple refusal is unlawful and can lead to a complaint with the supervisory authority.