Your users’ 8 rights

At a glance

GDPR isn’t just a set of rules about what businesses can do with personal data; it’s also a set of rights that give individuals control over their own information.

The regulation gives individuals eight specific rights over their personal data. You have one month to respond to most requests. Set up a process before you get your first one, and don’t panic when it arrives.

As a website owner or business, you’re required to know what these rights are, honour them when they’re exercised, and respond within the required timeframes. The good news: most requests are straightforward, and you’ve got a reasonable amount of time to deal with them.

1: The right to be informed

What it means: People have the right to know what you’re doing with their data before you do it.

This is the most foundational right, and it’s also proactive: you don’t wait for someone to ask. You tell them upfront, via your privacy policy, your cookie banner, and any consent notices on forms.

The right to be informed covers:

  • What data you collect.
  • Why you collect it (your legal basis).
  • Who you share it with.
  • How long you keep it.
  • What rights they have. Yes, one of the rights is the right to know their rights.

Have you noticed the flood of emails saying “we’re updating our terms and conditions!”? Those are a result of the right to be informed.


Watch out

Part of the right to be informed is that people are informed in a way they can access and understand easily. You can’t hide your privacy policy deep in the bowels of your website or fill it with language that requires a law degree to understand.

2: The right of access

What it means: Anyone can request a copy of the personal data you hold about them — this is called a Data Subject Access Request, or DSAR.

How to handle a DSAR:

  1. Verify identity: Before handing over personal data, confirm the person is who they say they are. Don’t ask for more information than you need to do this – usually the email address the request came from is enough.
  2. Compile all personal data: This means everything: your CRM, your email marketing tool, your analytics platform, your payment processor records. Check everywhere you might hold data about this person.
  3. Respond within one month: For complex requests, you can extend this to three months — but you must notify the person within the first month and explain why you need the extra time.
  4. Provide it in a usable format: A commonly used electronic format — not a printout or PDFs. Also include: the purposes of processing, who you share it with, how long you keep it, and information about their other rights.

3: The right to rectification

What it means: If you’re holding any incorrect information about someone, they can ask you to correct it.

Users can ask you to correct inaccurate personal data or complete incomplete data. This links directly to the accuracy principle – you shouldn’t be making decisions based on data you know isn’t correct.

If you’ve shared the inaccurate data with third parties, you need to let them know about the correction too.

4: The right to erasure (the “right to be forgotten”)

What it means: Users can ask you to delete their personal data. This is one of the most commonly exercised rights, and it’s the one most people have heard of. It’s also the easiest to remember for fans of Arnold Schwarzenegger movies. The right to erasure applies when:

  • The data is no longer necessary for its original purpose.
  • The user withdraws consent and that was the only legal basis for processing.
  • The user objects to processing and there’s no overriding legitimate interest.
  • The data was processed unlawfully.
  • Deletion is required to comply with a legal obligation.

When you can refuse: if you have a legal obligation to retain the data (tax records, for example), if you need it to defend or establish legal claims, or in very specific public interest scenarios.


Watch out

Deleting data from your main database isn’t enough. You need to delete it from everywhere: email marketing lists, CRM systems, analytics tools, and backups (where legally possible). This is harder than it sounds, which is why having a data inventory and defined process is so important.

5: The right to restrict processing

What it means: This right is like a pause button for processing, not a delete button. A user can exercise this right when:

  • The accuracy of the data is being disputed (pause while you investigate).
  • The processing is unlawful but the user doesn’t want deletion.
  • You no longer need the data but the user needs it for a legal claim.
  • You’re considering an objection to processing.

During restriction, you can store the data but can’t process it further, except with the user’s consent, for legal claims, or to protect someone else’s rights.

6: The right to data portability

What it means: You can’t lock your users into your service by refusing to give them their data, or by giving it to them in a useless format.

This right only applies when these conditions are met:

  • The data was provided by the user themselves,
  • The processing is based on consent or contract, and
  • It’s carried out by automated means.

The format must be machine-readable (CSV, JSON, XML etc.). Most small websites won’t get many data portability requests. But if you run a SaaS product where users generate significant data within your platform – analytics platforms are a great example – you should have an export function ready.

7: The right to object

What it means: Users can object to you processing their data for certain purposes.

This is particularly relevant for marketing people. If someone says “stop marketing to me,” you stop immediately. There are no exceptions, and no overriding legitimate interests. This includes profiling for marketing purposes.

Roleplay time

Imagine you signed up to a Lisbon-based travel newsletter three years ago to plan a romantic getaway to Portugal. You had a great trip but you’re not interested in receiving the newsletter any more.

You click unsubscribe, and you’re sent to a page that says “Wait, don’t go! Tell us why you’re leaving” with six reasons to choose from. Then a button labelled “I still want to leave” (maybe it’s smaller and greyed out, so you can’t spot it easily).

Then a confirmation email arrives, which has a promotional offer.

The person running this newsletter has done two things wrong:

  • They made you work to unsubscribe (it should be a single click).
  • They tried to “win you back” with a promo after you’d specifically opted out.

8: Rights around automated decision-making

What it means: People have the right not to be subject to decisions made purely by automated systems (systems without any human involvement) that significantly affect them. This usually means things like:

  • Automated credit scoring.
  • Algorithmic CV screening and hiring decisions.
  • Insurance pricing based purely on profiling.
  • Automated loan applications.

For most businesses this won’t apply unless you’re making significant, life-affecting decisions about individuals using algorithms. But if you are doing this – or if you use AI-driven personalisation that affects what products someone sees, or what prices they’re offered – you need to review this right carefully and allow for human intervention and appeals.

Response Timeline Summary

Right                  | Response deadline    | Can you extend?               | Can you refuse?
-----------------------|----------------------|-------------------------------|-----------------------------------------------
Access                 | 1 month              | Yes, to 3 months if complex   | If manifestly unfounded or excessive
Rectification          | 1 month              | Yes, to 3 months              | Very limited grounds
Erasure                | 1 month              | Yes, to 3 months              | Yes, in specific circumstances
Restriction            | 1 month              | Yes, to 3 months              | Very limited grounds
Portability            | 1 month              | Yes, to 3 months              | If basis isn’t consent or contract
Objection (general)    | Without undue delay  | N/A                           | Only if you have compelling legitimate grounds
Objection (marketing)  | Immediately          | N/A                           | Nope, never

Handling requests

Set up a process before you get your first request. The time to think about how you’ll respond is not when you’re staring at an email that’s already arrived.

  • Designate a person responsible for handling DSARs – even if it’s just you.
  • Create a dedicated email address (e.g. privacy@yourcompany.com) and check it regularly, or forward it to your normal address.
  • Keep a log of all requests received and your responses, with timestamps. This is your accountability evidence. Remember principle seven!
  • Know your data – you can’t respond properly to an access request if you don’t know what data you hold and where it lives. This is where scattered website and martech stacks often fall down.
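To make the deadlines in the summary table and the request log concrete, here is an added example (not code from the original page or from Etiquetta) of a small DSAR register: it counts the one-month deadline in calendar months, only honours the three-month extension when the person was notified within the first month, treats objections as due on the day they arrive, and keeps a timestamped accountability log per request. The class and function names, the month-clamping rule (31 January plus one month becomes the last day of February) and the sample requests are all assumptions constructed for this example.

```python
"""Added example: a minimal DSAR register with deadline tracking and an
accountability log. Not from the original page; names are hypothetical."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, datetime, timezone

# Deadlines from the summary table: one month for the five "count the month"
# rights, extendable to three months total for complex requests; objections
# are handled without delay, so their deadline is the day of receipt.
MONTH_BASED = {"access", "rectification", "erasure", "restriction", "portability"}
IMMEDIATE = {"objection_general", "objection_marketing"}
EXTENDED_MONTHS = 3


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month
    (assumption of this example: 31 Jan + 1 month -> 28/29 Feb)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Request:
    request_id: str
    right: str                      # one of MONTH_BASED or IMMEDIATE
    subject: str                    # e.g. the email address the request came from
    received: date
    complex_request: bool = False
    extension_notified_on: date | None = None
    closed_on: date | None = None
    events: list[tuple[str, str]] = field(default_factory=list)  # (ISO timestamp, note)

    def __post_init__(self) -> None:
        if self.right not in MONTH_BASED | IMMEDIATE:
            raise ValueError(f"unknown right: {self.right}")
        self.log(f"received {self.right} request from {self.subject}")

    def log(self, note: str, when: datetime | None = None) -> None:
        """Append to the accountability log with a UTC timestamp."""
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        self.events.append((stamp, note))

    def extension_is_valid(self) -> bool:
        """The extension only counts if the person was told within the first
        month; otherwise the original one-month deadline stands."""
        return (self.complex_request
                and self.extension_notified_on is not None
                and self.extension_notified_on <= add_months(self.received, 1))

    def deadline(self) -> date:
        if self.right in IMMEDIATE:
            return self.received
        months = EXTENDED_MONTHS if self.extension_is_valid() else 1
        return add_months(self.received, months)

    def is_overdue(self, today: date) -> bool:
        return self.closed_on is None and today > self.deadline()


def overdue_requests(register: list[Request], today: date) -> list[str]:
    """IDs of open requests past their deadline, earliest deadline first."""
    late = [r for r in register if r.is_overdue(today)]
    return [r.request_id for r in sorted(late, key=lambda r: r.deadline())]


def build_sample_register() -> list[Request]:
    """Constructed sample requests (not real data) exercising each rule."""
    simple = Request("R1", "access", "alice@example.com", date(2024, 3, 10))
    extended = Request("R2", "erasure", "bob@example.com", date(2024, 3, 10),
                       complex_request=True, extension_notified_on=date(2024, 3, 25))
    extended.log("extension notice sent: data held in three systems")
    late_notice = Request("R3", "portability", "carol@example.com", date(2024, 3, 10),
                          complex_request=True, extension_notified_on=date(2024, 4, 15))
    marketing = Request("R4", "objection_marketing", "dan@example.com", date(2024, 3, 10))
    return [simple, extended, late_notice, marketing]


if __name__ == "__main__":
    for r in build_sample_register():
        print(r.request_id, r.right, "deadline:", r.deadline(),
              "overdue on 2024-04-20:", r.is_overdue(date(2024, 4, 20)))
```

Note how R3 falls back to the one-month deadline: the request was flagged complex, but the extension notice went out after the first month had passed, so by the rule in step 3 of the DSAR process the extension doesn’t count. The `events` list is the log the “Handling requests” section asks you to keep; persist it somewhere durable in a real system.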

Inevitable sales pitch!

If you’re struggling to make sense of your GDPR obligations for your website, add Etiquetta to make yourself instantly compliant.

We combine website analytics, performance monitoring, session replays and plenty more with zero cookies or PII involved. If you add third-party cookies or PII collection, our cookie and consent management function gives you a timestamped, auditable log of when each visitor consented, and the ability to export user data (and remove it) in one click, so you can demonstrate compliance when it matters.