CIPP/US Study Guide
Chapter 14: The GDPR and International Privacy Issues

Data Subject Rights: Overview and Handling Requests

The GDPR grants individuals control through rights to be informed, access, rectification, erasure, restriction, portability, objection, and freedom from automated decision-making. Controllers must respond within one month (extendable to three) and generally cannot charge a fee.

A cornerstone of the GDPR is giving individuals control over their personal data. The data subject rights are the rights to be informed, of access, to rectification, to erasure, to restrict processing, to data portability, to object, and not to be subject to automated decision-making.

Response timing and fees

Controllers must respond within one month of receipt (or, where necessary, within three months), in writing, or orally if requested. They should verify identity by reasonable means such as photo ID. Generally they cannot charge a fee, but may charge to cover administrative costs for requests that are manifestly unfounded or excessive, or for additional copies.

A controller may refuse to act on a request where an exemption exists, or where the request is manifestly unfounded or excessive.

Key terms - quick answers

What are “data subject rights”?
The set of GDPR rights giving individuals control over their personal data, including access, rectification, erasure, restriction, portability, and objection.