GDPR Data Subject Rights: Access, Erasure, Portability, and How to Exercise Them

A comprehensive guide to the eight data subject rights under GDPR—covering access, erasure, portability, rectification, and how individuals can exercise them against controllers.

The InfoNexus Editorial Team | May 23, 2026 | 9 min read

160,000 Complaints Filed in Five Years: GDPR's Rights in Practice

Since the General Data Protection Regulation came into force on May 25, 2018, European data protection authorities have received over 160,000 complaints from individuals invoking their rights—more than any other category of GDPR enforcement. These rights are not aspirational; they are legally enforceable entitlements, and controllers that ignore them face fines of up to €20 million or 4% of global turnover. Understanding what each right covers, how to trigger it, and what controllers must do in response is essential for anyone who interacts with digital services—which is nearly everyone.

The Eight Core Rights at a Glance

GDPR Articles 15–22, together with Article 7(3), enumerate eight distinct rights that apply to any natural person whose personal data is processed by a controller established in the EU or targeting EU residents.

| Right            | GDPR Article | Core Entitlement                                              | Response Deadline           |
|------------------|--------------|---------------------------------------------------------------|-----------------------------|
| Access           | Art. 15      | Copy of data + processing details                             | 1 month                     |
| Rectification    | Art. 16      | Correct inaccurate data                                       | 1 month                     |
| Erasure          | Art. 17      | "Right to be forgotten"                                       | 1 month                     |
| Restriction      | Art. 18      | Pause processing while disputing accuracy                     | Without undue delay         |
| Portability      | Art. 20      | Receive data in machine-readable format                       | 1 month                     |
| Object           | Art. 21      | Stop processing for direct marketing or legitimate interest   | Immediately for marketing   |
| Not profiled     | Art. 22      | Avoid solely automated decisions with legal effects           | Varies                      |
| Withdraw consent | Art. 7(3)    | Revoke consent at any time                                    | As easy as giving consent   |

Right of Access: The Foundation

Article 15 gives individuals the right to know whether their data is being processed, obtain a copy, and receive a detailed account of: purposes, categories of data, recipients, retention periods, the existence of automated decision-making, and information about transfers to third countries. Controllers must provide the first copy free of charge; subsequent copies may carry a reasonable fee. "Manifestly unfounded or excessive" requests can be refused or charged—but regulators interpret this narrowly, and companies frequently misjudge what qualifies.

A subject access request (SAR) requires no specific form—an email is sufficient. The one-month clock starts when the controller receives the request, extendable by two additional months for complex or numerous requests if the individual is notified within the first month.

Erasure and the Right to Be Forgotten

Article 17 permits deletion of personal data when: it is no longer necessary for its original purpose; consent is withdrawn and no other legal basis applies; a valid objection is lodged under Article 21; the data was unlawfully processed; a legal obligation requires deletion; or the data was collected from a child in relation to information society services. Crucially, erasure is not absolute—controllers may refuse when the data is needed for legal claims, freedom of expression, public interest, or compliance with law.

The Google Spain ruling (C-131/12, 2014) established that erasure can extend to search engine results, requiring delisting of links to outdated or irrelevant information. As of 2024, Google has evaluated over 7 million delisting requests under this principle, approving roughly 50% of URLs submitted.

Data Portability: Moving Your Digital Life

Article 20 is uniquely powerful: it allows individuals to receive their personal data in a "structured, commonly used, machine-readable format" and transmit it directly to another controller—a competitor, a new service provider, or simply their own storage. This right applies only where processing is based on consent or contract and is carried out by automated means. It does not apply to data processed under legal obligation or public interest.

  • Facebook must export your posts, photos, messages, and ad preferences in JSON or ZIP format.
  • Google Takeout provides data portability for Gmail, Drive, YouTube, Maps history, and over 50 other services.
  • Banks in the EU increasingly fulfil portability through PSD2-aligned open banking APIs.
  • Healthcare providers must supply medical records portably under GDPR when processing is contract-based.

The Right to Object: Stopping Unwanted Processing

Article 21 allows individuals to object to processing based on legitimate interests (Art. 6(1)(f)) or public interest (Art. 6(1)(e)). The controller must stop unless it can demonstrate compelling legitimate grounds that override the individual's interests. However, for direct marketing purposes, objection is absolute—no override is permitted, and processing must cease immediately with no balancing test required. This is the fastest and most effective right for stopping unwanted marketing emails, cold calls, or retargeted advertising.

Automated Decision-Making and Profiling

Article 22 restricts decisions based solely on automated processing—including profiling—that produce legal or similarly significant effects. Credit scoring, insurance risk assessment, automated hiring filters, and targeted pricing all potentially fall within scope.

| Exemption           | Condition                                   | Required Safeguard               |
|---------------------|---------------------------------------------|----------------------------------|
| Contract necessity  | Decision needed to enter/perform contract   | Human review available           |
| Legal authorisation | EU or member state law permits it           | Suitable measures in law         |
| Explicit consent    | Individual has explicitly consented         | Right to contest + human review  |

How to Exercise Your Rights: Step-by-Step

  • Identify the data controller—usually the company you have an account with or whose website you visit.
  • Locate the privacy policy's "contact us" or "data protection officer" section for the submission address.
  • Send a written request via email or the controller's official rights portal, stating your identity and the specific right you are invoking.
  • The controller must respond within one month; silence or refusal can be escalated to the relevant supervisory authority (e.g., the ICO in the UK, CNIL in France, BfDI in Germany).
  • Supervisory authorities offer free complaint mechanisms; courts provide an additional avenue for compensation.

GDPR enforcement has accelerated sharply: the total value of fines issued by EU/EEA authorities exceeded €4.5 billion between 2018 and 2024, with Meta, Google, and Amazon among the largest recipients. Individuals who suffered material or non-material damage due to rights violations can claim compensation under Article 82—a right increasingly tested in collective actions across the EU.

Legal Disclaimer: This article is for general informational purposes only and does not constitute legal advice. GDPR interpretation evolves through regulatory guidance and court decisions. Individuals and organisations seeking specific compliance guidance should consult a qualified data protection attorney or their national supervisory authority.
