
Individual rights under GDPR: a complete guide to data subject rights

by Mark McShane, May 12, 2026


A practical guide to the eight individual rights under UK GDPR — the right to be informed, the right of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making — including how the DUAA 2025 changed the rules.

UK GDPR gives individuals — described as "data subjects" in the regulation — eight specific rights over the personal data that organisations hold about them. These rights are the practical mechanism by which the data protection principles are made real. They are also the most common interface between an organisation and the people whose data it processes.

This guide covers each of the eight rights, how to handle requests in practice, and the changes brought in by the Data (Use and Access) Act 2025 — including a new statutory right to complain directly to controllers.

The 8 rights at a glance

[Figure: The eight rights under UK GDPR, overview grid]

The eight rights under UK GDPR are:

  1. The right to be informed — Articles 13 and 14.
  2. The right of access — Article 15. The basis for Subject Access Requests (SARs or DSARs).
  3. The right to rectification — Article 16.
  4. The right to erasure, often called the "right to be forgotten" — Article 17.
  5. The right to restrict processing — Article 18.
  6. The right to data portability — Article 20.
  7. The right to object — Article 21. Includes an absolute right to opt out of direct marketing.
  8. Rights related to automated decision-making and profiling — Articles 22A to 22D, as rewritten by the DUAA.

Article 19 also requires controllers to notify recipients of personal data when rectification, erasure, or restriction has been applied — a quieter obligation that often gets missed.

The rights are not absolute. Most are qualified, with exemptions set out in UK GDPR itself or in Schedule 2 of the Data Protection Act 2018. The detail of what applies depends on the right and the context.

1. The right to be informed

Articles 13 and 14 give individuals the right to know what is being done with their personal data. The mechanism is the privacy notice.

Article 13 applies when personal data is collected directly from the individual. Article 14 applies when personal data is obtained from another source — bought lists, referrals, scraped public information, data shared by a partner organisation. The content requirements overlap heavily, with one key addition: Article 14 also requires the controller to identify the source of the data.

The privacy notice must include: the identity and contact details of the controller, the purposes and lawful basis for processing, the legitimate interests pursued (if relevant), the categories of recipients, international transfers and safeguards, retention periods, the rights individuals have (including the right to complain to the ICO), whether providing the data is statutory or contractual, and information about any automated decision-making.

Timing matters. For Article 13 data (collected directly), the privacy notice must be provided at the point of collection. For Article 14 data (obtained from another source), it must be provided within a reasonable period — and no later than one month — after obtaining the data.

For more on what the privacy notice must contain and how to structure it, see our privacy notices guide.

2. The right of access (DSAR / SAR)

[Figure: Subject access request, the process]

Article 15 gives individuals the right to obtain a copy of the personal data a controller holds about them, along with supplementary information about how the data is being processed.

Subject access requests (SARs, sometimes DSARs) are the most frequent way the right of access is exercised. A request:

  • Can be verbal or in writing, including via social media.
  • Can be submitted to any part of the organisation, not just a dedicated address.
  • Does not have to use the phrase "subject access request" — it just needs to be clear that the individual is asking for their own data.
  • Can be made by a third party with the right to act on the individual's behalf (a solicitor, family member, or representative).

The default response deadline is one calendar month from receipt. This can be extended by up to two further months for complex or numerous requests, with the controller required to explain the delay within the original month.

The Data (Use and Access) Act 2025 codified two practical concepts that had previously been ICO guidance only:

  • "Stop the clock" — the response time can be paused while the controller is reasonably waiting for the requester to supply information needed to clarify the request. The clock resumes when that information is received.
  • Reasonable and proportionate search — the controller is required to conduct a reasonable and proportionate search, but is not required to search every possible location regardless of cost or effort.

A few specific points often missed:

  • The right of access is to the data, not to the documents in which the data sits. A controller can extract the personal data and provide it, rather than handing over original documents.
  • Third-party personal data within the response must be redacted unless the third party consents, the third party is the source and disclosure is reasonable, or another exemption applies.
  • The first copy is free. A "reasonable fee based on administrative costs" can be charged for additional copies, or for requests that are manifestly unfounded or excessive.
  • Refusing a request is allowed only where an exemption applies (Schedule 2 of the DPA 2018) or the request is manifestly unfounded or excessive — and the threshold for both is high.

3. The right to rectification

Article 16 gives individuals the right to have inaccurate personal data corrected, and to have incomplete data completed.

The right is most straightforward where the data is factual — a name spelled wrong, an address that has changed, a date of birth that is incorrect. Controllers should correct without delay.

It gets harder where the data is an opinion or assessment. A performance review note that the individual disputes is still the controller's professional judgement. The right to rectification doesn't generally extend to requiring the controller to change opinions, but it does extend to having the individual's challenge recorded alongside the original record.

Where rectification applies, Article 19 requires the controller to notify each recipient of the personal data of the change — unless this proves impossible or involves disproportionate effort.

4. The right to erasure ("right to be forgotten")

Article 17 gives individuals the right to have personal data erased in specific circumstances. The right is not absolute; it applies where:

  • The data is no longer necessary for the purposes for which it was collected.
  • The individual withdraws consent, where consent was the lawful basis, and no other basis applies.
  • The individual objects under Article 21 and there are no overriding legitimate grounds.
  • The data has been unlawfully processed.
  • Erasure is required to comply with a legal obligation.
  • The data was collected from a child in connection with information society services.

The right does not apply where the controller needs the data to:

  • Exercise the right of freedom of expression and information.
  • Comply with a legal obligation (so customer tax records cannot be erased while the HMRC retention period still applies).
  • Carry out a task in the public interest.
  • Use the data for public health reasons in line with Article 9.
  • Use the data for archiving, scientific research, or statistical purposes.
  • Establish, exercise, or defend legal claims.

The misconception that the right to erasure is absolute — that anyone can demand deletion of any data at any time — is one of the most common in this area. It is not. It applies in specific circumstances, with explicit exemptions.

For data that should be erased, the controller must take reasonable steps to inform other controllers that have received the data of the erasure request, including links to or copies of the data. Erasure must also extend to backups, where reasonable; if it cannot, the data must be "put beyond use" while the backup cycle runs. See our retention guide for the practical detail.

5. The right to restrict processing

Article 18 gives individuals the right to restrict the processing of their personal data in specific situations:

  • While the accuracy of contested data is being verified.
  • Where processing is unlawful but the individual opposes erasure and requests restriction instead.
  • Where the controller no longer needs the data but the individual needs it for legal claims.
  • Where the individual has objected under Article 21, pending verification of overriding grounds.

Restriction means the data can be stored but not otherwise processed. Restricted data should be marked clearly so it is not used inadvertently. The restriction can be lifted only after specific conditions are met, and the individual must be informed before the restriction is lifted.

This right is most often invoked alongside rectification or objection requests, as an interim measure while the substantive issue is resolved.

6. The right to data portability

Article 20 gives individuals the right to receive the personal data they have provided to a controller in a structured, commonly used, machine-readable format — and, where technically feasible, to have the data transmitted directly to another controller.

The right applies only where:

  • The lawful basis for processing is consent or contract, and
  • The processing is carried out by automated means.

This is one of the narrowest rights in scope. Most processing under legitimate interests, legal obligation, or public task is outside it. The right also covers only the data the individual has provided to the controller — not inferred or derived data created by the controller.

Common examples: moving banking transaction history to a new provider under Open Banking, transferring contact lists between email platforms, exporting fitness tracking data from one app to another.

7. The right to object

Article 21 gives individuals the right to object to processing in two main situations:

  • Processing based on legitimate interests or public task. The objection succeeds unless the controller can demonstrate compelling legitimate grounds that override the individual's interests, rights, and freedoms — or unless the processing is for the establishment, exercise, or defence of legal claims.
  • Direct marketing. This is an absolute right. Once the individual objects to processing for direct marketing, the controller must stop, no balancing test applies, and there are no exemptions.

The absolute right to object to direct marketing is the most-used part of Article 21 in practice. Every direct marketing message must include a clear way to object, and the objection must be honoured promptly.

A subtler application: objection to processing for scientific or historical research is also available, but qualified by public-interest exceptions.

8. Rights related to automated decision-making

This is the area most reshaped by the Data (Use and Access) Act 2025. The old Article 22 of the UK GDPR has been repealed and replaced by Articles 22A to 22D, with materially different rules.

Under the new framework:

  • Solely automated decisions that produce legal or similarly significant effects on an individual are permitted under any UK GDPR lawful basis, including legitimate interests — except where the decision involves processing special category data (where the old restrictions broadly remain).
  • The controller must implement safeguards, including:
      - Providing the individual with information about the decision.
      - Enabling the individual to make representations about it.
      - Enabling the individual to obtain human intervention.
      - Enabling the individual to contest the decision.

This is the most significant change the DUAA introduced. The previous Article 22 effectively prohibited solely automated significant decisions outside narrow exceptions; the new framework permits them, with safeguards, across a much broader range of activities. It is also the largest single divergence between UK GDPR and EU GDPR — the EU has not made the equivalent change.

The ICO has indicated it will issue updated guidance on automated decision-making. Controllers using AI or algorithmic decision tools should review their lawful basis, safeguards, and documentation against the new requirements.

How to handle a rights request

The basic process for any incoming rights request:

  1. Recognise it as a request. A rights request doesn't have to use formal language — an email asking "what information do you have on me?" is a SAR.
  2. Acknowledge promptly. The DUAA introduced a new requirement, in force from June 2026, that controllers acknowledge data protection complaints within 30 days. The same operational discipline applies to rights requests.
  3. Verify the requester's identity. Article 12(6) allows the controller to ask for additional information to confirm identity, but only the minimum necessary. The clock can be paused while waiting for ID under the DUAA's stop-the-clock rule.
  4. Conduct the search. A reasonable and proportionate search, not an exhaustive search of every possible location.
  5. Apply any exemptions. Schedule 2 of the DPA 2018 lists the exemptions. They are not generous — most rely on specific tests like "would seriously prejudice" or "manifestly unfounded".
  6. Respond within the deadline. One calendar month from receipt, with a possible two-month extension for complex or numerous requests. Notify the individual of any extension within the original month.
  7. Notify other recipients of the data, where the request triggered rectification, erasure, or restriction (Article 19).
  8. Record the request and the response. The accountability principle requires you to be able to demonstrate how you handled it.

The DUAA also introduced a new statutory right for individuals to complain directly to a controller about how their personal data is being handled, separate from their existing right to complain to the ICO. Controllers must take steps to make this complaint route accessible — typically through an online form — and must acknowledge complaints within 30 days. This obligation is in force from June 2026.

Frequently asked questions

How long do I have to respond to a SAR?

One calendar month from receipt. You can extend by up to two further months for complex or numerous requests, but you must tell the individual within the original month.

Can I charge a fee for a SAR?

The first copy is free. A reasonable fee based on administrative costs can be charged for additional copies, or where a request is manifestly unfounded or excessive — though both thresholds are high.

What is the right to be forgotten?

The right to erasure under Article 17 — the right to have personal data deleted in specific circumstances. It is sometimes called the "right to be forgotten", but it is not absolute. Exemptions apply, including where the data is needed to comply with a legal obligation or to defend legal claims.

Does the right to erasure always apply?

No. It applies in defined circumstances and is subject to a list of exemptions, including legal obligation, public interest, public health, archiving, and the establishment or defence of legal claims.

Can I refuse a SAR?

Only where an exemption applies or the request is manifestly unfounded or excessive. The thresholds are high; refusals attract regulatory attention.

What's changed under the DUAA for individual rights?

Three main changes: a "stop the clock" rule for SARs while waiting for clarification; a new statutory right to complain directly to controllers from June 2026; and a substantial rewrite of the automated decision-making rules under Articles 22A–22D, permitting solely automated significant decisions under any lawful basis (subject to safeguards) where special category data is not involved.

How do I make a SAR?

You can make a SAR in writing, by email, or verbally — to any part of the organisation. There is no required form. You only need to be clear that you are asking for your own data, and to provide enough information to allow the controller to verify your identity.
