Data Subject Rights
Access, erasure, objection — handling requests in a legally compliant and timely manner.
Every person whose data you process has rights — and as a company, you have an obligation to fulfill these rights. On time, in full, and without bureaucratic hurdles. That sounds self-evident, but in practice it's one of the most common weak spots.
Overview of Data Subject Rights
Data subjects can request to find out what data you process about them, for what purpose, for how long, and to whom you disclose it. Deadline: 1 month.
Inaccurate data must be corrected without undue delay upon request. Incomplete data must be completed.
The so-called "right to be forgotten". Data subjects can request erasure if the purpose no longer applies, consent has been withdrawn, or the processing was unlawful.
During a review or in the event of an objection, data subjects can request that their data only be processed to a limited extent — effectively "frozen".
Where processing is based on consent or a contract, data subjects can request their data in a machine-readable format in order to transfer it to another provider.
Objections can be raised at any time against processing based on legitimate interest or for direct marketing purposes. Such objections must be acted upon immediately.
Deadlines and Obligations
| Request | Deadline | Extension |
|---|---|---|
| Access request (Art. 15) | 1 month | + 2 months for complex requests (with justification) |
| Erasure request (Art. 17) | Without undue delay | No extension, but review whether exceptions apply |
| Rectification request (Art. 16) | Without undue delay | No extension |
| Objection to direct marketing (Art. 21) | Immediately | No extension — must be acted upon immediately |
Building a Process for Data Subject Requests
To keep requests from descending into chaos or missing deadlines, you need a documented process. At a minimum:
Log receipt — when was the request submitted? The deadline starts running from this point.
Verify identity — is the requester really who they claim to be? (No excessive requirements, but reasonable verification for sensitive data.)
Clarify responsibility — who in the company answers the request?
Compile the data — search all systems that might hold data about the person.
Respond — completely, understandably, and free of charge (for access requests). Confirmation letters for erasures and rectifications.
Document — record the request, the review, and the response internally.
Caution: No Unjustified Refusals
Data subject rights can be restricted in certain exceptional cases — for example, when statutory retention obligations conflict with an erasure request. However, these exceptions must be justified. A simple refusal is unlawful and can lead to a complaint with the supervisory authority.