GDPR Data Subject Rights Checklist — Articles 15–22 DSR Handling

Individuals must be able to exercise their rights without difficulty. Provide at least one accessible submission mechanism (dedicated email address, web form, or in-app request). The submission channel must be described in your Article 13/14 Privacy Notice. Do not require individuals to use a format that creates barriers — a written request by email is sufficient regardless of whether you provide a form.

Article 12(6) allows controllers to request additional information to confirm identity when in doubt — but the verification burden must be proportionate. For low-sensitivity requests, email confirmation or account login may be sufficient. For high-sensitivity data (health, financial), more rigorous verification is appropriate. Do not use excessive verification requirements as a tool to deter DSR requests — supervisory authorities treat disproportionate verification as an obstacle to exercise of rights.

Article 12(3) requires a response 'without undue delay and in any event within one month' of receipt. Send an acknowledgment within 3-5 business days confirming receipt. The one-month period begins from the date of receipt, not the date of verification. If you cannot respond within one month due to complexity or volume, notify the individual within the original one-month period and extend by up to two additional months.

An Article 15 SAR response must include: confirmation of whether personal data is processed, copies of all personal data, the purposes of processing, the categories of data, the recipients or categories of recipients, the retention period, the right to rectification/erasure/restriction/objection, the right to lodge a complaint with the supervisory authority, source of data if not collected from the individual, and any automated decision-making logic including profiling.

The first copy of personal data must be provided free of charge. Article 15(3) requires that if the request is made electronically, the information must be provided in a commonly used electronic format, unless the individual requests otherwise. PDF is acceptable; proprietary formats requiring specific software are not. For subsequent copies requested by the same individual, a reasonable administrative fee may be charged (but must be disclosed upfront).

When an individual requests correction of inaccurate personal data, you must correct it without undue delay. If you cannot immediately verify accuracy, you may restrict processing while you investigate. Inform the individual of the outcome of rectification or of any inability to rectify with a clear reason. Propagate corrections to all processors who received the inaccurate data (Article 19 notification obligation).

Article 17 erasure applies when: consent is withdrawn and no other lawful basis exists, data is no longer necessary for the purpose collected, the individual objects and there is no overriding legitimate ground, data was unlawfully processed, or erasure is required by law. Erasure must extend to all systems: CRM, email platforms, analytics, backups, and third-party processors. Document your backup erasure schedule — supervisory authorities accept that backup deletion can be deferred to the next scheduled backup cycle if you suppress the data in live systems immediately.

Restriction must be technically implemented so that restricted data is not used for processing while the restriction is in place — it may only be stored. Flag restricted records in all systems. Restricted processing may continue only with the individual's consent, for legal claims, to protect others' rights, or for public interest. Notify the individual before lifting a restriction.

Article 20 portability applies only to data processed by automated means on the basis of consent (Article 6(1)(a)) or contract (Article 6(1)(b)). The data must be provided in a structured, commonly used, machine-readable format (CSV or JSON are standard). Where technically feasible and requested, data must be transmitted directly to another controller. Portability does not include derived data or inferred data — only data 'provided by the data subject.'

Article 21(2) provides an absolute right to object to processing for direct marketing. This right cannot be weighed against your legitimate interests — you must stop processing for marketing purposes immediately upon receipt of an objection. Update suppression lists across all marketing systems. The right to object to other processing under Article 21(1) (based on legitimate interests) requires a balancing assessment.

Article 12(4) requires that where you do not act on a request, you must notify the individual within one month with the reasons and their right to complain to the supervisory authority or seek a judicial remedy. Document every DSR request in a register: date received, type of right, identity verified, outcome, date responded, exemption applied (if any). This register is essential for demonstrating compliance under Article 5(2) accountability.

Article 22 restricts solely automated decisions that produce legal or similarly significant effects. Such decisions require: explicit consent, contract necessity, or legal authorisation — and the individual must have the right to human review, express their point of view, and contest the decision. If you use automated credit scoring, automated hiring decisions, risk profiling, or ad personalisation that affects significant interests, document the logic, significance, and envisaged consequences under Article 15(1)(h).

When you rectify, erase, or restrict processing of personal data, you must notify each recipient to whom the data was disclosed under Article 19 — unless notification is impossible or involves disproportionate effort, in which case document the reason. 'Recipients' include processors and any third parties who received the data. Maintain a record of disclosures sufficient to identify who must be notified for each data category.