GDPR Data Subject Rights Checklist — Articles 15–22 DSR Handling
Last updated: 2026-04-22 — ComplianceStack Editorial Team
Data subject rights under GDPR Articles 15–22 are among the most operationally demanding compliance obligations. Organisations must respond to access requests within one calendar month (extendable to three for complexity), process erasure requests without undue delay, provide portable data in a machine-readable format, and restrict processing when challenged — all while verifying identity without demanding excessive documentation. Supervisory authorities have issued hundreds of enforcement actions for DSR failures: ignoring requests, requiring disproportionate ID verification, refusing valid erasure requests, and missing response deadlines. This 17-item checklist covers the complete DSR handling lifecycle — intake, verification, processing, response, and documentation — in priority order.
GDPR Compliance Checklist for Data Subject Rights
Establish a documented DSR intake process covering all submission channels
Data subjects may submit DSRs through any reasonable channel: email, web form, postal mail, telephone, or in-person. Organisations cannot require use of a specific form — Article 12(2) requires facilitation of rights without obstruction. Designate a central inbox or ticketing system to capture all DSRs regardless of channel. Assign a specific team member or DPO responsibility for initial triage. Log every request with a unique reference number and receipt timestamp on the day it arrives.
Respond to all DSRs within one calendar month of receipt
Article 12(3) sets a mandatory one-month response deadline from the day the request is received — not from when identity is verified. For complex or numerous requests, a one-time extension of two additional months is permitted, but you must notify the data subject within the original one-month window with the reason for delay. The clock does not pause during identity verification unless the identity is genuinely unclear. Missing the deadline without notification is a standalone GDPR violation.
Implement identity verification proportionate to risk — avoid excessive demands
Article 12(6) permits requesting additional information to confirm identity when there is reasonable doubt, but this must be proportionate and must not demand unnecessary documentation. For low-risk contexts (e.g., a data subject providing their email address to retrieve their own data), confirming via reply to their registered email is generally sufficient. Do not routinely require government-issued ID for straightforward requests — supervisory authorities have sanctioned this practice as an obstruction. Document your identity verification standards in your DSR procedure.
Process Subject Access Requests (Article 15) across all systems comprehensively
Article 15 entitles data subjects to a copy of their personal data and processing information. The response must cover all personal data held — including email archives, CCTV footage, physical records, and unstructured files, not just structured databases. It must also include: processing purposes, data categories, recipients, retention periods, and data source if not collected directly. Conduct a full data mapping exercise so SAR searches cover every system. Partial responses are a compliance risk even if unintentional.
Establish an erasure procedure that cascades to all connected systems (Article 17)
Article 17 requires erasure without undue delay when: data is no longer necessary, consent is withdrawn with no other lawful basis, the data subject objects with no overriding grounds, data was processed unlawfully, or law requires erasure. Erasure must cascade to processors and third parties who received the data (Article 17(2)). Map all downstream recipients. Log erasure actions. Apply exemptions correctly — do not refuse valid requests by citing exemptions that do not apply on the specific facts.
Build data portability export in structured, machine-readable formats (Article 20)
Article 20 applies to data processed by automated means on the basis of consent or contract. The controller must provide data in a commonly used, machine-readable format (CSV, JSON, XML — not PDF). The data subject may also request direct transfer to another controller where technically feasible. Portability applies to data actively provided by the data subject — not derived or inferred data. Build export functionality from your primary systems and test that exported files are complete, accurate, and genuinely machine-readable.
Implement processing restriction under Article 18 and enforce it across all systems
Article 18 requires restriction of processing (data may be stored but not otherwise used) when: accuracy is contested, processing is unlawful but the data subject opposes erasure, the controller no longer needs the data but the data subject needs it for legal claims, or an Article 21 objection is pending. During restriction, data may only be processed with the data subject's consent, for legal claims, protection of another person's rights, or public interest. Implement a technical flag or quarantine mechanism to enforce restriction in all processing systems.
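The restriction flag described above only works if every read of personal data passes through a point that checks it. The following is an added example (not from the page or from ComplianceStack) of such a chokepoint: an in-memory store whose only read path consults the Article 18 flag, allows storage and the Article 18(2) grounds, and denies everything else with an audit entry. The purpose names, subject ids, DSR reference and the store itself are constructed for the example; in a real estate the same flag has to be replicated to every system that holds the data.

```python
"""Article 18 restriction flag enforced at a single data-access chokepoint.

Added example, not from the page. Store, subject ids, purpose vocabulary and
DSR reference are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class RestrictionGround(Enum):
    """The four Article 18(1) triggers listed in the checklist."""
    ACCURACY_CONTESTED = "accuracy contested"
    UNLAWFUL_OPPOSES_ERASURE = "processing unlawful, data subject opposes erasure"
    NEEDED_FOR_SUBJECT_CLAIMS = "controller no longer needs data, subject needs it for legal claims"
    OBJECTION_PENDING = "Article 21 objection pending"


# Article 18(2): while restricted, data may still be stored and processed only on these grounds.
# The purpose strings are this example's own vocabulary (assumption).
PERMITTED_WHILE_RESTRICTED = {
    "data_subject_consent",
    "legal_claims",
    "protect_rights_of_others",
    "public_interest",
}


@dataclass
class Restriction:
    ground: RestrictionGround
    placed_at: datetime
    dsr_reference: str


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


class PersonalDataStore:
    """In-memory store. `access` is the only read path, so a caller that forgets
    to check the flag cannot bypass it."""

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}
        self._restrictions: Dict[str, Restriction] = {}
        self.audit_log: List[str] = []

    def put(self, subject_id: str, record: dict) -> None:
        # Retaining data is allowed during restriction, but altering it is processing: block it.
        if self.is_restricted(subject_id):
            raise PermissionError(f"{subject_id} is restricted; modification not permitted")
        self._records[subject_id] = record

    def restrict(self, subject_id: str, ground: RestrictionGround, dsr_reference: str,
                 now: Optional[datetime] = None) -> None:
        ts = now or datetime.now(timezone.utc)
        self._restrictions[subject_id] = Restriction(ground, ts, dsr_reference)
        self.audit_log.append(f"{ts.isoformat()} RESTRICT {subject_id} ground={ground.name} ref={dsr_reference}")

    def lift_restriction(self, subject_id: str, dsr_reference: str, now: Optional[datetime] = None) -> None:
        ts = now or datetime.now(timezone.utc)
        if self._restrictions.pop(subject_id, None) is None:
            raise KeyError(f"{subject_id} is not restricted")
        self.audit_log.append(f"{ts.isoformat()} LIFT {subject_id} ref={dsr_reference}")

    def is_restricted(self, subject_id: str) -> bool:
        return subject_id in self._restrictions

    def access(self, subject_id: str, purpose: str) -> Tuple[AccessDecision, Optional[dict]]:
        """Every read states its purpose; the decision and the record (or None) are returned together."""
        restriction = self._restrictions.get(subject_id)
        if restriction is None:
            decision = AccessDecision(True, "no restriction in force")
        elif purpose in PERMITTED_WHILE_RESTRICTED:
            decision = AccessDecision(True, f"restricted ({restriction.ground.value}); "
                                            f"purpose '{purpose}' permitted under Art. 18(2)")
        else:
            decision = AccessDecision(False, f"restricted since {restriction.placed_at.date().isoformat()} "
                                             f"({restriction.ground.value}); purpose '{purpose}' not permitted")
        self.audit_log.append(f"ACCESS {subject_id} purpose={purpose} allowed={decision.allowed}")
        record = self._records.get(subject_id) if decision.allowed else None
        return decision, record

    def records_for_purpose(self, purpose: str) -> Dict[str, dict]:
        """What a batch job (e.g. a marketing send) may see: restricted subjects drop out."""
        out: Dict[str, dict] = {}
        for subject_id in list(self._records):
            decision, record = self.access(subject_id, purpose)
            if decision.allowed and record is not None:
                out[subject_id] = record
        return out
```

The audit log records denied reads as well as restrictions placed and lifted, which is the evidence a supervisory authority would ask for when checking that a restriction was actually honoured rather than merely noted.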
Process Article 21 objections within one month and stop processing where required
Article 21(1) gives data subjects the right to object to processing based on legitimate interests or public tasks on grounds relating to their particular situation. The controller must cease processing unless it can demonstrate compelling legitimate grounds that override the individual's interests. Article 21(2) provides an unconditional right to object to direct marketing — no balancing test applies, and processing must stop immediately. Document your assessment when overriding an Article 21(1) objection. Respond within one month.
Comply with Article 22 rights on automated decision-making and profiling
Article 22 prohibits solely automated decisions (including profiling) that produce legal or similarly significant effects unless: the decision is necessary for a contract, authorised by law, or based on explicit consent. Where such processing occurs, data subjects must be able to obtain human review, express their point of view, and contest the decision. Document which automated processes fall under Article 22. Implement a human review workflow. Disclose automated processing clearly in your Privacy Notice.
Provide DSR responses free of charge in all but exceptional circumstances
Article 12(5) requires DSR responses to be provided free of charge. A reasonable fee may only be charged for manifestly unfounded or excessive requests — and even then, the controller may alternatively refuse the request. "Excessive" relates to the data subject's conduct (e.g., repetitive identical requests), not to processing burden. Document and retain evidence before applying the fee or manifestly unfounded exception. Many supervisory authorities require strong evidence and are sceptical of this defence.
Respond in plain, intelligible language appropriate to the data subject
Article 12(1) requires information to be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language — particularly where the response is addressed to a child. Avoid legal jargon in SAR response letters. Use headings and summaries where the data provided is extensive. For children, use age-appropriate language. Where the data subject's first language is known, providing at least a summary in that language is best practice.
Cascade erasure and restriction requests to all processors and downstream recipients
Article 17(2) requires controllers to inform third parties who have received the erased data, so they can also erase links to, copies of, or replications of that data where technically feasible. This includes cloud processors, analytics providers, advertising platforms, data resellers, and backup systems. Maintain a current data flow map listing all downstream recipients for each data category. Include erasure cascade obligations in your Data Processing Agreements.
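The Article 17 erasure item and the cascade item above both turn on the same two things: a data-flow map that lists every recipient per data category, and a log of what happened at each one. The following is an added example (not from the page or from ComplianceStack) of an erasure orchestrator built on that idea. The data-flow map, recipient names, deletion adapters and DSR references are constructed; a real adapter would call each processor's deletion interface. Exempt categories are logged with the documented basis rather than skipped, and a failed recipient stays visible as an open item instead of aborting the run.

```python
"""Erasure cascade to downstream recipients with a per-action log.

Added example, not from the page. The data-flow map, recipient names, adapters and
DSR references are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

# Constructed data-flow map: for each data category, every system or third party holding a copy.
# Keeping this current is what makes a cascade complete; an unlisted recipient is never reached.
DATA_FLOW_MAP: Dict[str, List[str]] = {
    "account_profile": ["crm-processor", "backup-store"],
    "order_history": ["analytics-provider", "backup-store"],
    "marketing_consent": ["email-platform", "advertising-platform"],
}

# An adapter takes a subject id, deletes that subject at one recipient, and raises on failure.
RecipientAdapter = Callable[[str], None]


@dataclass
class ErasureAction:
    recipient: str
    category: str
    status: str      # erased | failed | exempt
    detail: str
    at: datetime


@dataclass
class ErasureReport:
    dsr_reference: str
    subject_id: str
    actions: List[ErasureAction] = field(default_factory=list)

    def open_items(self) -> List[ErasureAction]:
        """Recipients still holding the data; these must be retried, not forgotten."""
        return [a for a in self.actions if a.status == "failed"]

    def is_complete(self) -> bool:
        return not self.open_items()

    def summary(self) -> Dict[str, int]:
        counts: Dict[str, int] = {}
        for a in self.actions:
            counts[a.status] = counts.get(a.status, 0) + 1
        return counts


def cascade_erasure(
    dsr_reference: str,
    subject_id: str,
    categories: List[str],
    adapters: Dict[str, RecipientAdapter],
    exemptions: Optional[Dict[str, str]] = None,
    now: Optional[datetime] = None,
) -> ErasureReport:
    """Fan the erasure out to every recipient listed for the requested categories.

    `exemptions` maps a category to the documented basis for retaining it (Art. 17(3));
    an exempt category is logged with that basis rather than silently skipped, so the
    register shows why the data still exists."""
    ts = now or datetime.now(timezone.utc)
    exemptions = exemptions or {}
    report = ErasureReport(dsr_reference, subject_id)
    for category in categories:
        if category in exemptions:
            report.actions.append(ErasureAction("controller", category, "exempt", exemptions[category], ts))
            continue
        recipients = DATA_FLOW_MAP.get(category)
        if recipients is None:
            # An unmapped category is a gap in the data-flow map, which is itself a finding.
            report.actions.append(ErasureAction("controller", category, "failed",
                                                "category missing from data-flow map", ts))
            continue
        for recipient in recipients:
            adapter = adapters.get(recipient)
            if adapter is None:
                report.actions.append(ErasureAction(recipient, category, "failed",
                                                    "no deletion adapter configured", ts))
                continue
            try:
                adapter(subject_id)
                report.actions.append(ErasureAction(recipient, category, "erased", "", ts))
            except Exception as exc:  # one failed recipient must surface in the log, not abort the rest
                report.actions.append(ErasureAction(recipient, category, "failed",
                                                    f"{type(exc).__name__}: {exc}", ts))
    return report
```

The report is what goes into the DSR register for the request: it shows, per recipient and category, whether the data is gone, why it was retained, or that a retry is still owed.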
Maintain a DSR register logging every request, outcome, and timeline
Create and maintain a register of all DSRs received: date received, type of request, data subject identity (pseudonymised where possible), date of response, outcome (fulfilled, refused, extended), basis for any refusal, and exemptions applied. This register is essential evidence for supervisory authority investigations and demonstrates accountability under Article 5(2). Review periodically to identify patterns, such as recurring erasure requests that may indicate a systemic data retention issue.
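The intake, deadline and register items above describe one record that is created on the day a request arrives, carries a deadline computed from receipt (not from identity verification), can be extended once with notice inside the original window, and ends with an outcome and any refusal basis. The following is an added example (not from the page or from ComplianceStack) of such a register in Python. The reference-number format, the month-end clamping rule for "one calendar month" (31 January + 1 month lands on 28 February), the pseudonymisation key and the extension being computed as three months from receipt are this example's own assumptions.

```python
"""DSR register with Article 12(3) deadline tracking.

Added example, not from the page. The pseudonymisation key, reference-number format
and month-end clamping rule are this example's own assumptions.
"""
import calendar
import hashlib
import hmac
import itertools
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Constructed key; a real deployment loads it from a secrets manager so the register
# alone cannot be reversed to identities.
PSEUDONYM_KEY = b"constructed-register-key-not-for-production"

REQUEST_TYPES = {"access", "rectification", "erasure", "restriction", "portability", "objection"}


def add_months(d: date, months: int) -> date:
    """Same calendar day `months` later. If that day does not exist, use the last day of
    the target month (31 Jan + 1 month -> 28 Feb); this clamping rule is an assumption."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def pseudonymise(identifier: str) -> str:
    """Keyed hash: the same person maps to the same token without the raw identity being stored."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()[:16]


@dataclass
class DSREntry:
    reference: str
    received: date
    request_type: str
    subject_token: str
    deadline: date                      # one month from receipt, not from identity verification
    outcome: str = "open"               # open | extended | fulfilled | refused
    responded: Optional[date] = None
    extension_reason: Optional[str] = None
    refusal_basis: Optional[str] = None
    exemptions: List[str] = field(default_factory=list)


class DSRRegister:
    def __init__(self) -> None:
        self._seq = itertools.count(1)
        self.entries: Dict[str, DSREntry] = {}

    def log_request(self, received: date, request_type: str, subject_identifier: str) -> DSREntry:
        """Logged with a unique reference and the receipt date, which starts the clock."""
        if request_type not in REQUEST_TYPES:
            raise ValueError(f"unknown request type: {request_type}")
        ref = f"DSR-{received.year}-{next(self._seq):05d}"
        entry = DSREntry(ref, received, request_type, pseudonymise(subject_identifier),
                         add_months(received, 1))
        self.entries[ref] = entry
        return entry

    def extend(self, ref: str, notified_on: date, reason: str) -> DSREntry:
        """Single extension to three months from receipt; the notice must go out inside the original window."""
        e = self.entries[ref]
        if e.outcome != "open":
            raise ValueError(f"{ref} cannot be extended in state '{e.outcome}'")
        if notified_on > e.deadline:
            raise ValueError(f"{ref}: extension notified after the original deadline {e.deadline}")
        e.deadline = add_months(e.received, 3)
        e.outcome, e.extension_reason = "extended", reason
        return e

    def close(self, ref: str, responded: date, outcome: str,
              refusal_basis: Optional[str] = None, exemptions=()) -> DSREntry:
        """A refusal cannot be recorded without its factual basis."""
        e = self.entries[ref]
        if outcome not in {"fulfilled", "refused"}:
            raise ValueError(f"outcome must be fulfilled or refused, got '{outcome}'")
        if outcome == "refused" and not refusal_basis:
            raise ValueError("a refusal must record its factual basis")
        e.responded, e.outcome = responded, outcome
        e.refusal_basis, e.exemptions = refusal_basis, list(exemptions)
        return e

    def overdue(self, today: date) -> List[DSREntry]:
        return [e for e in self.entries.values() if e.responded is None and today > e.deadline]

    def counts_by_type(self) -> Dict[str, int]:
        """Input for the periodic pattern review (e.g. a spike in erasure requests)."""
        counts: Dict[str, int] = {}
        for e in self.entries.values():
            counts[e.request_type] = counts.get(e.request_type, 0) + 1
        return counts
```

Run `overdue(date.today())` from a daily job and route the result to whoever owns DSR triage; an entry that is extended or closed leaves the list, everything else stays on it until it is answered.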
Train all staff who may receive DSRs to identify and escalate immediately
DSRs do not need to be labelled as such or cite GDPR to be valid. A customer email saying "please delete all my data" is an erasure request. A social media message asking "what information do you have about me" is a SAR. Train customer service, sales, legal, HR, and IT staff to recognise DSR language and escalate immediately. The one-month deadline still runs from the date of receipt even if nobody recognised the message as a request. Document training attendance annually.
Apply exemptions correctly — document each refusal with factual justification
GDPR Article 17(3) and national implementations provide narrow exemptions to the right of erasure (legal claims, freedom of expression, scientific research, public health). These must be applicable on the specific facts. Do not use legal claims exemptions as a blanket refusal for any litigious-sounding request. Document the specific exemption, its legal basis, and the factual justification for each refusal. Supervisory authorities have penalised blanket reliance on exemptions without factual analysis.
Process rectification requests (Article 16) and notify downstream recipients
Article 16 entitles data subjects to rectification of inaccurate data without undue delay. Upon receiving a rectification request, verify the accuracy claim, correct data in all systems, and notify all recipients of the original data under Article 19 (except where disproportionate or impossible). Confirm rectification to the data subject. Where accuracy is genuinely disputed, implement a restriction flag while the dispute is assessed.
Implement a separate DSR procedure for employee and job applicant data
GDPR applies to HR data in full — employees, job applicants, contractors, and former staff all have the same rights as customers. SARs from employees may be extensive (email correspondence, performance records, CCTV, payroll data). Develop a separate HR DSR procedure that coordinates with legal counsel, given the potential for employment disputes. Pay particular attention to third-party data included in employee records — it may need to be redacted before disclosure.
Frequently Asked Questions
How do we handle a SAR that would reveal third-party personal data?
Article 15 entitles a data subject to their own data, but this right must be balanced against the rights of third parties under Article 15(4). Where disclosing the requested data would reveal personal data about another identifiable individual, the controller should consider whether it is reasonable to disclose without that third party's consent. In practice, this often means redacting the third party's identifying information while still providing the substantive data about the requester. The test is not whether the third party objects but whether disclosure is proportionate and fair. UK courts have developed a proportionality test: disclose what can reasonably be disclosed without unfairly prejudicing third parties.
Can we charge a fee for data subject access requests?
No, in virtually all cases. Article 12(5) mandates that DSR responses be provided free of charge. The only exceptions are manifestly unfounded requests and requests excessive in nature — both are high thresholds. "Burdensome" or "time-consuming" is not the same as "excessive." Where a fee is charged or a request is refused on these grounds, the controller bears the burden of demonstrating the basis. Supervisory authorities are sceptical of these defences and have overturned fee charges in numerous cases. When in doubt, respond for free.
What are the penalties for failing to respond to data subject requests?
Failure to comply with data subject rights under Articles 12–22 is subject to fines of up to €20 million or 4% of global annual turnover (Article 83(5)). Supervisory authorities have issued significant fines for DSR failures: Clearview AI received fines from multiple EU authorities totalling over €50M partly for failing to respond to access and erasure requests; TikTok received a €345M fine from the Irish DPC for children's rights violations including inadequate DSR handling. Beyond fines, data subjects may seek compensation under Article 82 for material or non-material damage caused by DSR non-compliance.