Data Subject Rights: A Complete Guide to Privacy Rights Under GDPR, CCPA, and Beyond
Complete overview of all data subject rights under GDPR, CCPA, PIPEDA, and other privacy laws. What each right means, how they work, and what businesses must do.
Last updated: 2026-03-09
What Are Data Subject Rights?
Data subject rights are the legal rights individuals have over their personal data. Every major privacy law — GDPR, CCPA, PIPEDA, UK GDPR, and the growing list of US state privacy laws — gives people a set of rights they can exercise against any organization that holds their personal data.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
These rights exist to give individuals control and transparency. The specifics vary by jurisdiction, but the core idea is consistent: if you hold personal data about someone, they have rights over that data, and you have obligations to honor those rights.
This guide walks through every major data subject right under GDPR, CCPA, PIPEDA, and UK GDPR — what each right means, how they interact, and what your business needs to do when someone exercises one.
GDPR Data Subject Rights (EU)
The General Data Protection Regulation provides the most comprehensive set of data subject rights. They are found in Articles 12 through 22 and represent the global benchmark that most other privacy laws are measured against.
Right to Be Informed (Articles 13 and 14)
Individuals have the right to know how you collect and use their personal data before or at the time of collection. This is a proactive obligation — you must provide this information without being asked.
What you must disclose:
- Your identity and contact details (and those of your Data Protection Officer (DPO), if you have one)
- The purposes and legal basis for processing
- Categories of personal data collected
- Recipients or categories of recipients
- Transfers to third countries and the safeguards in place
- Retention periods
- The existence of each of the other rights listed below
- The right to withdraw consent (if consent is the legal basis)
- The right to lodge a complaint with a supervisory authority
- Whether providing data is a statutory or contractual requirement
- The existence of automated decision-making, including profiling
This is typically fulfilled through your privacy notice or privacy policy.
Right of Access (Article 15)
This is the most commonly exercised right, and the one behind the data subject access request (DSAR). Individuals can request confirmation that you process their data and, if so, obtain a copy of that data along with supplementary information (purposes, categories, recipients, retention periods, source of the data, and information about automated decision-making).
Deadline: One calendar month, extendable by up to two further months for complex or numerous requests (GDPR Article 12(3)).
Cost: The first copy must be provided free of charge. You may charge a "reasonable fee" for additional copies (Article 15(3)).
Right to Rectification (Article 16)
Individuals can require you to correct inaccurate personal data and complete incomplete personal data. If someone's address has changed, or their name is misspelled in your records, they can ask you to fix it.
Deadline: One calendar month (same as access requests — Article 12(3)).
Obligation to notify third parties: Under Article 19, if you have shared the inaccurate data with third parties, you must inform each recipient of the rectification, unless this proves impossible or involves disproportionate effort.
Right to Erasure — "Right to Be Forgotten" (Article 17)
Individuals can request deletion of their personal data in specific circumstances. This is not an absolute right — it applies when the data is no longer necessary, consent has been withdrawn, the individual objects to processing, or the data was unlawfully processed, among other grounds.
For a full operational guide, see our right-to-erasure guide.
Exceptions include: legal obligations to retain data, the establishment or defense of legal claims, freedom of expression, public health, and archiving in the public interest.
Deadline: One calendar month.
Right to Restriction of Processing (Article 18)
Individuals can request that you stop processing their data (but keep holding it) in certain situations — for example, while you verify the accuracy of data they have contested, or while you assess whether your legitimate interests override their objection.
In practice, this is less commonly exercised than access or erasure, but you still need a process for handling it. Restricted data should be stored but not actively processed (except with consent, for legal claims, or for the protection of another person's rights).
Deadline: One calendar month to respond to the request.
Right to Data Portability (Article 20)
Individuals can request their personal data in a structured, commonly used, machine-readable format so they can transfer it to another controller. This right applies only when processing is based on consent or a contract and is carried out by automated means.
What this means in practice: if a customer wants to move from your service to a competitor, they can ask for their data in a format like CSV or JSON so they can import it elsewhere. Where technically feasible, they can also ask you to transmit the data directly to another controller.
Scope limitation: This right covers only data the individual has provided to you — not data you have derived, inferred, or generated through processing.
Deadline: One calendar month.
Right to Object (Article 21)
Individuals can object to processing based on legitimate interests or public interest grounds. You must stop processing unless you can demonstrate "compelling legitimate grounds" that override the individual's interests.
Direct marketing exception: When someone objects to processing for direct marketing purposes, you must stop immediately. There are no exceptions and no balancing test. This is an absolute right.
Deadline: You must respond without undue delay and, for direct marketing objections, stop processing immediately upon receipt.
Rights Related to Automated Decision-Making and Profiling (Article 22)
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significantly affects them. They can request human intervention, express their point of view, and contest the decision.
Exceptions: This right does not apply when the automated decision is necessary for a contract, authorized by EU or member state law, or based on explicit consent.
CCPA Data Subject Rights (California)
The California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA), provides a different but overlapping set of rights for California residents.
Right to Know (Cal. Civ. Code § 1798.100)
Consumers can request that you disclose the categories and specific pieces of personal information you have collected, the categories of sources, the business purpose for collecting, and the categories of third parties with whom you share it.
Lookback period: Businesses must disclose personal information collected during the 12-month period preceding the request (extendable under CPRA).
Deadline: 45 calendar days, extendable by an additional 45 days (90 days total) with notice.
Right to Delete (Cal. Civ. Code § 1798.105)
Consumers can request deletion of their personal information. Similar to GDPR's right to erasure, but with its own set of exceptions — including completing transactions, security, exercising free speech, complying with legal obligations, and internal uses reasonably aligned with consumer expectations.
For a comparison with GDPR deletion rights, see our CCPA vs GDPR right-to-delete guide.
Deadline: 45 calendar days (extendable to 90).
Right to Correct (Cal. Civ. Code § 1798.106)
Added by CPRA, this right lets consumers request correction of inaccurate personal information. Businesses must use commercially reasonable efforts to correct the data.
Deadline: 45 calendar days (extendable to 90).
Right to Opt-Out of Sale or Sharing (Cal. Civ. Code § 1798.120)
Consumers can direct a business to stop selling or sharing their personal information. "Sharing" was added by CPRA and covers cross-context behavioral advertising.
Businesses that sell or share personal information must provide a clear "Do Not Sell or Share My Personal Information" link on their website.
Right to Limit Use of Sensitive Personal Information (Cal. Civ. Code § 1798.121)
Added by CPRA, this right lets consumers direct a business to limit the use of their sensitive personal information to purposes necessary to perform the services or provide the goods reasonably expected by the consumer.
Right to Non-Discrimination (Cal. Civ. Code § 1798.125)
Businesses cannot discriminate against consumers for exercising their CCPA rights — no denying goods or services, charging different prices, providing a different quality of service, or suggesting any of the above.
PIPEDA Data Subject Rights (Canada)
Canada's Personal Information Protection and Electronic Documents Act is built around 10 fair information principles. The individual rights are embedded within these principles.
Right of Access (Principle 9 — Individual Access)
Individuals can request access to their personal information held by an organization and challenge its accuracy and completeness. The organization must respond within 30 days and provide the information at minimal or no cost.
Right to Challenge Compliance (Principle 10 — Challenging Compliance)
Individuals can challenge an organization's compliance with any of the 10 principles by contacting the organization's designated privacy officer. If the complaint is not resolved, they can file a complaint with the Office of the Privacy Commissioner of Canada.
Right to Consent and Withdrawal (Principle 3 — Consent)
Individuals must provide meaningful consent for the collection, use, and disclosure of their personal information. They can withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The organization must inform the individual of the consequences of withdrawing consent.
Right to Accuracy (Principle 6 — Accuracy)
Personal information must be as accurate, complete, and up-to-date as necessary for the purposes for which it is used. Individuals can request corrections.
UK GDPR Rights
The UK GDPR retains the same set of rights as EU GDPR. The Data Protection Act 2018 supplements these with additional provisions, including rights related to law enforcement processing (Part 3) and intelligence services processing (Part 4), but the core individual rights mirror the EU framework:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making
Deadlines and procedures are the same as EU GDPR. The ICO provides guidance on each right.
Rights Comparison Across Jurisdictions
| Right | GDPR (EU) | UK GDPR | CCPA/CPRA | PIPEDA |
|---|---|---|---|---|
| Right to be informed | Yes (Arts 13-14) | Yes (Arts 13-14) | Yes (§ 1798.100) | Yes (Principle 8) |
| Right of access | Yes (Art 15) | Yes (Art 15) | Yes (§ 1798.100) | Yes (Principle 9) |
| Right to rectification / correction | Yes (Art 16) | Yes (Art 16) | Yes (§ 1798.106) | Yes (Principle 6) |
| Right to erasure / deletion | Yes (Art 17) | Yes (Art 17) | Yes (§ 1798.105) | Limited |
| Right to restrict processing | Yes (Art 18) | Yes (Art 18) | Limit sensitive PI (§ 1798.121) | No direct equivalent |
| Right to data portability | Yes (Art 20) | Yes (Art 20) | No direct equivalent | No direct equivalent |
| Right to object | Yes (Art 21) | Yes (Art 21) | Opt-out of sale/sharing (§ 1798.120) | Consent withdrawal (Principle 3) |
| Automated decision-making rights | Yes (Art 22) | Yes (Art 22) | No direct equivalent | No direct equivalent |
| Right to non-discrimination | Implicit | Implicit | Yes (§ 1798.125) | Implicit |
How Rights Interact
Data subject rights do not exist in isolation. People often exercise multiple rights at once, and understanding how they interact helps you handle requests efficiently.
Access + Erasure
The most common combination. "Tell me what you have about me, then delete it." Handle the access request first (provide the data), then process the erasure. Do not delete first and then claim you have nothing to disclose. Both requests share the same deadline.
Access + Portability
Someone might request access to their data and separately ask for it in a portable format. The access response includes all personal data with supplementary information; the portability response provides only data they provided to you, in a machine-readable format. These can be fulfilled together but the scope of each is different.
Rectification + Access
After correcting inaccurate data, the individual may want to see the corrected version. You may want to proactively offer a copy after processing a rectification request.
Objection + Erasure
If someone objects to processing and you cannot demonstrate compelling legitimate grounds, they may follow up with an erasure request. The objection stops processing; the erasure removes the data.
DSARs: The Most Common Rights Exercise
The right of access — exercised through a data subject access request — is by far the most commonly used data subject right. DSARs account for the majority of rights requests that businesses receive.
Why? Because access is typically the first step. Before someone requests deletion, correction, or portability, they usually want to know what data you hold. The DSAR is the starting point for most privacy interactions.
This is why having a robust DSAR process matters so much. If you can handle access requests efficiently, you are well-positioned to handle other rights requests too. See our guide on how to respond to a DSAR for the full process.
Business Obligations When Rights Are Exercised
Regardless of which right is exercised or which law applies, your obligations follow a common pattern:
1. Recognition
Train your staff to recognize rights requests. People do not always use legal terminology — "delete my account" is a deletion request, "what info do you have on me?" is an access request. See our DSAR training guide for what to teach your team.
2. Identity Verification
You must verify the identity of the person making the request before acting on it. The level of verification should be proportionate to the sensitivity of the data. See our identity verification guide.
3. Response Timelines
| Law | Standard Deadline | Maximum Extension | Total Maximum |
|---|---|---|---|
| GDPR (EU/UK) | One calendar month | +2 months (complex or numerous requests) | Three months |
| CCPA/CPRA | 45 calendar days | +45 days | 90 days |
| PIPEDA | 30 days | Extension possible | Varies |
For a detailed breakdown of deadlines, see our DSAR response deadlines guide.
4. Record-Keeping
Document every rights request you receive: when it arrived, what was requested, how you verified identity, what actions you took, and when you responded. This creates an audit trail that demonstrates compliance. See our guide on DSAR record-keeping and audit trails.
5. Communication
Respond in clear, plain language. GDPR Article 12(1) explicitly requires that information be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language." Avoid legal jargon. Tell the person exactly what you did (or why you could not do what they asked) and inform them of their right to complain to a supervisory authority if they are unsatisfied.
6. Refusing a Request
You can refuse or restrict a rights request in limited circumstances — for example, if a GDPR access request is "manifestly unfounded or excessive" (Article 12(5)), or if an erasure request falls under an Article 17(3) exception. But you must still respond within the deadline, explain why you are refusing, and inform the individual of their right to complain.
See our guides on DSAR exemptions and vexatious or excessive DSARs.
Getting Started
If you do not have a process for handling data subject rights requests, start with these steps:
- Map your data — You cannot fulfill rights requests if you do not know what personal data you hold or where it lives. See our data audit guide.
- Build a DSAR workflow — Start with access requests, since they are the most common. Our DSAR workflow guide walks through the process.
- Train your team — Everyone who might receive a request needs to recognize it and know what to do. Our DSAR training guide covers the essentials.
- Prepare templates — Having response templates ready saves time and reduces errors.
- Document everything — Keep records of every request, every action, and every response. This is your evidence of compliance.
References
- General Data Protection Regulation (GDPR): Articles 12-22 — rights of the data subject. GDPR Chapter III
- California Consumer Privacy Act (CCPA/CPRA): Cal. Civ. Code §§ 1798.100-1798.125 — consumer rights. CCPA full text
- PIPEDA: Principles 3, 6, 8, 9, 10 — consent, accuracy, openness, individual access, challenging compliance. PIPEDA full text
- UK GDPR / Data Protection Act 2018: ICO guidance on individual rights. ICO individual rights guidance
Last reviewed: March 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.