Rights & Requests | Updated: 6 April 2026 | 8 min read

GDPR Data Subject Rights: The Complete Guide for Business Owners

The GDPR gives individuals 8 rights over their personal data. As a business owner, you must handle these requests correctly, within one month, free of charge, and well documented. This guide explains each right and what you need to do.

Key Takeaways
  • Data subjects have 8 rights under the GDPR; you must respond to each request within one month
  • You may not charge for the first request, unless it is manifestly unfounded or excessive
  • Always verify the identity of the requester before providing or deleting data
  • Keep a register of all received requests and how you handled them
  • GDPRWise automatically generates response templates for each type of request

The 8 rights at a glance

The GDPR (General Data Protection Regulation) gives every person whose data you process - customers, employees, website visitors - a set of rights. As a business owner, you are required to take every request seriously and handle it correctly.

These are the 8 rights:

  1. Right to information - know which data you process and why
  2. Right of access - receive a copy of their data
  3. Right to rectification - have incorrect data corrected
  4. Right to erasure - have data deleted (“right to be forgotten”)
  5. Right to restriction - temporarily stop processing
  6. Right to data portability - receive data in a readable format
  7. Right to object - object to certain types of processing
  8. Right regarding automated decision-making - not be subject to purely automated decisions

Before you start: the ground rules

Regardless of which right someone invokes, the same ground rules always apply:

Deadline: you have a maximum of one month to respond. For complex requests, you may extend this once by two months, but you must inform the requester within the first month about the delay and the reason.

Costs: the first request is always free. You may only charge a reasonable fee if the request is manifestly unfounded or excessive (think of someone submitting the same request every week).

Identity verification: always verify the requester’s identity before providing or modifying data. Ask for a copy of an ID document, but redact the national ID number and photo - you don’t need that information.

Registration: keep a register of all received requests, the date, the type of right, and how you handled them. The supervisory authority can request this register.
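The four ground rules above (a one-month deadline, a single two-month extension that must be notified within the first month, identity verification before data is handed over, changed or deleted, and a register recording every request and its handling) can be enforced by the register itself rather than remembered by whoever picks up the mailbox. The Python below is an added example written for this guide, not GDPRWise's own code: the class and field names are assumptions, and "one month" is treated as one calendar month, clamped to the last day of the target month.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional


class Right(Enum):
    INFORMATION = "information"
    ACCESS = "access"
    RECTIFICATION = "rectification"
    ERASURE = "erasure"
    RESTRICTION = "restriction"
    PORTABILITY = "portability"
    OBJECTION = "objection"
    AUTOMATED_DECISIONS = "automated decision-making"


# Rights where data is handed over, changed or deleted: identity must be verified first.
NEEDS_VERIFIED_IDENTITY = {Right.ACCESS, Right.RECTIFICATION, Right.ERASURE, Right.PORTABILITY}


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping to the last day of the target month
    (31 January + 1 month -> 28 or 29 February)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Request:
    request_id: str
    received: date
    right: Right
    requester: str                       # internal reference to the person, never their ID document
    identity_verified: bool = False
    extended_on: Optional[date] = None   # date the requester was told about the extension
    closed_on: Optional[date] = None
    notes: list[str] = field(default_factory=list)  # how the request was handled, for the register

    @property
    def due(self) -> date:
        """One month from receipt, or three months once an extension has been notified."""
        return add_months(self.received, 3 if self.extended_on else 1)


class RequestRegister:
    """Hypothetical register of data subject requests (assumed design, not GDPRWise's product)."""

    def __init__(self) -> None:
        self._entries: dict[str, Request] = {}

    def log(self, request_id: str, received: str, right: Right, requester: str) -> Request:
        """Record a new request; `received` is an ISO date such as '2026-04-06'."""
        if request_id in self._entries:
            raise ValueError(f"duplicate request id {request_id}")
        req = Request(request_id, date.fromisoformat(received), right, requester)
        self._entries[request_id] = req
        return req

    def verify_identity(self, request_id: str, how: str) -> None:
        """Record that identity was checked (e.g. 'redacted ID copy'); store no ID data itself."""
        req = self._entries[request_id]
        req.identity_verified = True
        req.notes.append(f"identity verified: {how}")

    def extend(self, request_id: str, notified_on: str, reason: str) -> date:
        """Extend once by two months; the requester must be informed within the first month."""
        req = self._entries[request_id]
        notified = date.fromisoformat(notified_on)
        if req.extended_on is not None:
            raise ValueError("a request may be extended only once")
        if notified > req.due:
            raise ValueError("extension must be notified within the first month")
        if not reason.strip():
            raise ValueError("the register must record the reason for the delay")
        req.extended_on = notified
        req.notes.append(f"extended on {notified}: {reason}")
        return req.due

    def close(self, request_id: str, closed_on: str, outcome: str) -> Request:
        """Close a request with its outcome (data supplied, corrected, deleted, or refused and why)."""
        req = self._entries[request_id]
        if req.right in NEEDS_VERIFIED_IDENTITY and not req.identity_verified:
            raise ValueError("verify the requester's identity before providing, changing or deleting data")
        req.closed_on = date.fromisoformat(closed_on)
        req.notes.append(f"closed on {req.closed_on}: {outcome}")
        return req

    def overdue(self, today: str) -> list[Request]:
        """Open requests whose (possibly extended) deadline has passed."""
        now = date.fromisoformat(today)
        return [r for r in self._entries.values() if r.closed_on is None and now > r.due]
```

The register deliberately stores only a reference to the person and a note that identity was checked, not the ID copy itself, in line with the advice above to redact what you do not need. Running `overdue()` daily gives the person responsible for requests a list of anything past its deadline.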

1. Right to information

What it means: people have the right to know which data you process, why, how long you retain it, who you share it with, and what rights they have. This right is “proactive” - you must actively provide this information, not just when someone asks.

How to arrange this:

  • Publish a clear privacy policy on your website
  • Inform customers when collecting data (signup forms, contracts)
  • Always mention: the purpose, the legal basis, the retention period, and the rights of the data subject

Common mistake: a privacy policy that nobody understands. Write in plain language, not legal jargon.

2. Right of access

What it means: someone can ask you for a copy of all personal data you process about them. This is the most common request, known as a “subject access request” or DSAR (Data Subject Access Request).

How to respond:

  1. Verify the requester’s identity
  2. Collect all data you have about this person, across all systems (CRM, email, accounting, HR)
  3. Send an overview with: which data, for what purpose, from whom received, with whom shared, how long retained
  4. Deliver this in an understandable format (e.g. PDF)

Deadline: within one month.

Note: you must not include data of other persons. If a file also contains data about third parties, redact it.

3. Right to rectification

What it means: if personal data is inaccurate or incomplete, the data subject can request correction or completion.

How to respond:

  1. Check whether the data is indeed inaccurate
  2. Correct it in all your systems
  3. Have you shared the data with third parties (e.g. a processor)? Inform them about the change as well
  4. Confirm the correction in writing to the requester

Practical tip: many systems allow customers to update their own data (think of an account page). That is the easiest route.

4. Right to erasure (“right to be forgotten”)

What it means: people can ask you to delete their personal data. This is not an absolute right - there are exceptions.

When you must delete:

  • The data is no longer needed for the original purpose
  • The data subject withdraws consent (and there is no other legal basis)
  • The data subject rightfully objects
  • The data was processed unlawfully

When you may refuse:

  • The data is needed for a legal obligation (e.g. fiscal retention requirement of 7 years)
  • For exercising the right to freedom of expression
  • For establishing or exercising legal claims

How to respond:

  1. Verify the identity
  2. Assess whether an exception applies
  3. Delete the data from all systems, including backups (where reasonable)
  4. Inform any recipients of the data
  5. Confirm the deletion or explain why you refuse

5. Right to restriction of processing

What it means: the data subject can ask you to temporarily stop processing. This is a kind of “pause button” - you keep the data but may no longer actively use it.

When this right applies:

  • The accuracy of the data is disputed (during verification)
  • The processing is unlawful, but the data subject does not want deletion
  • You no longer need the data, but the data subject does (for a lawsuit)
  • The data subject has objected and you are assessing whether your grounds outweigh theirs

In practice: mark the data as “restricted” in your system. You may only process it with the data subject’s consent, or for legal claims.

6. Right to data portability

What it means: the data subject can ask to receive the data they themselves provided in a structured, commonly used, and machine-readable format, and to have that data transmitted to another organisation.

When this right applies:

  • The processing is based on consent or a contract
  • The processing is automated (not on paper)

Format: use a common format such as CSV, JSON, or XML. Not PDF - that is not machine-readable.

Note: this right only applies to data that the data subject themselves provided. Derived data (analyses, scores, profiles) is not covered.
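The two conditions above and the provided-versus-derived distinction are easiest to apply if every stored attribute carries its provenance and legal basis, so the export is a mechanical filter rather than a judgment made under deadline pressure. The Python below is an added example for this guide, not GDPRWise's code; the `Attribute` fields and the sample customer record are constructed assumptions.

```python
import csv
import io
import json
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Attribute:
    """One stored attribute with the provenance the portability decision depends on."""
    name: str
    value: Any
    provided_by_subject: bool   # supplied by the person themselves, not derived by us
    legal_basis: str            # "consent", "contract", "legal_obligation", "legitimate_interest"
    automated: bool = True      # processed electronically rather than on paper only


# Portability only covers automated processing based on consent or a contract.
PORTABLE_BASES = {"consent", "contract"}


def sample_record() -> list[Attribute]:
    """Constructed sample customer record (assumed values, not real data)."""
    return [
        Attribute("name", "Jane Example", True, "contract"),
        Attribute("email", "jane@example.com", True, "contract"),
        Attribute("address", "1 Example Street, Brussels", True, "contract"),
        Attribute("newsletter_opt_in", True, True, "consent"),
        Attribute("tax_id", "BE0123456789", True, "legal_obligation"),            # kept for fiscal retention
        Attribute("churn_score", 0.73, False, "legitimate_interest"),              # derived by us
        Attribute("customer_segment", "high-value", False, "legitimate_interest"), # derived by us
        Attribute("signature_note", "signed in store", True, "contract", automated=False),  # paper only
    ]


def portable_attributes(record: list[Attribute]) -> list[Attribute]:
    """Keep only what the subject supplied, under consent or contract, processed electronically."""
    return [a for a in record
            if a.provided_by_subject and a.legal_basis in PORTABLE_BASES and a.automated]


def export_dict(record: list[Attribute]) -> dict[str, Any]:
    return {a.name: a.value for a in portable_attributes(record)}


def export_json(record: list[Attribute]) -> str:
    """Machine-readable export in JSON, one of the formats the guide recommends."""
    return json.dumps(export_dict(record), indent=2, sort_keys=True)


def export_csv(record: list[Attribute]) -> str:
    """Same data as a two-row CSV (header row plus values)."""
    attrs = portable_attributes(record)
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow([a.name for a in attrs])
    writer.writerow([a.value for a in attrs])
    return buf.getvalue()
```

With this tagging in place, the derived score and segment, the attribute held under a legal obligation, and the paper-only note all drop out of the export automatically, while the same record can still serve an access request (which is not limited to provided data) by skipping the filter.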

7. Right to object

What it means: the data subject can object to the processing of data, particularly when you process on the basis of legitimate interest or for direct marketing.

For direct marketing: the objection is always valid. You must immediately stop processing data for marketing purposes. No discussion possible.

For legitimate interest: you must assess whether your interests outweigh the rights of the data subject. If not, you must stop the processing.

How to respond:

  1. Is it about direct marketing? Stop immediately
  2. Is it about legitimate interest? Make an assessment and document it
  3. Inform the data subject about your decision

8. Right regarding automated decision-making and profiling

What it means: people have the right not to be subject to a decision based solely on automated processing (including profiling) if that decision significantly affects them.

When this is relevant:

  • You use an algorithm to automatically reject credit applications
  • You make automatic price discrimination based on profiles
  • You automatically select applicants without human assessment

For most SME business owners: this right is rarely relevant. If you don’t make fully automated decisions that significantly affect people, you don’t need to worry about this much.

If it is relevant: ensure there is always an option for human intervention, and inform data subjects that they have this right.

Response templates

We have created ready-to-use email templates for the most common requests. Copy them, adjust your company details, and send.

What should you do now?

A checklist to get your obligations in order:

  • Ensure your privacy policy is up to date and mentions all rights
  • Set up a procedure for receiving and handling requests
  • Appoint someone responsible for handling requests
  • Use our response templates as the basis for your own responses
  • Set up a register for received requests
  • Train your employees - they must know how to recognise a request and forward it
  • Test your procedure: how quickly can you retrieve all data about one person from all your systems?

Do you know what data you process?

GDPRWise scans your website and maps out which personal data you collect, who you share it with, and what rights your visitors have. So you know exactly what to answer when you receive a request.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.