GDPR Individual Rights Violations

Last updated: 2026-07-05 — ComplianceStack Editorial Team

GDPR individual rights violations, also called data subject rights violations, occur when an organization fails to honour a request from an individual in the EU (the data subject) to access, rectify, erase, port, or restrict the processing of their personal data, or to object to that processing. These rights are codified in Articles 12–22 of the GDPR and include the right of access (Art. 15), the right to rectification (Art. 16), the right to erasure (Art. 17), the right to restriction of processing (Art. 18), the right to data portability (Art. 20), and the right to object (Art. 21). Supervisory authorities across the EU have issued significant fines for systematic failures to handle these requests within the one-month deadline set by Art. 12(3).

Regulatory Authority: GDPR Articles 12–22 (data subject rights); Article 5(1)(a) (principles); Article 83(3)–(5) (penalties); EDPB Guidelines 01/2022 on data subject rights (right of access)

Penalty Tier Breakdown

Systematic Failure to Respond to DSARs (Art. 12)

Up to EUR 20M or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Art. 83(5)(b))
Scope: per infringement; where several provisions are infringed for the same or linked processing operations, the total is capped at the amount for the gravest infringement (Art. 83(3))

Organizations that fail to respond to data subject access requests (DSARs) within one month of receipt, that demand identity evidence beyond what is proportionate to the controller's reasonable doubts about who is asking (Art. 12(6)), or that charge for fulfilment where the request is not manifestly unfounded or excessive (Art. 12(5)). Supervisory authorities have treated systematic DSAR failures as a breach of the lawfulness, fairness and transparency principle in Art. 5(1)(a), which falls in the higher penalty tier in its own right.

Example: Large online retailer receives 2,000 DSARs per month but has no process. Response times average 90 days. No identity verification procedure exists.

Right to Erasure Violations (Art. 17)

Up to EUR 20M or 4% of worldwide annual turnover, whichever is higher (Art. 83(5)(b))
Scope: per infringement, subject to the Art. 83(3) cap for linked processing operations

Failure to erase personal data without undue delay when the subject exercises the right and no Art. 17(3) exception (for example a legal obligation to retain the data) applies; failure to inform recipients to whom the data has been disclosed (Art. 19) or, where the data was made public, other controllers processing it (Art. 17(2)); failure to honour the right where the data is no longer necessary for the purpose it was collected for; or failure to delete data after a successful objection under Art. 21.

Example: A financial institution retains declined loan applicants' data for seven years after the application, despite repeated erasure requests, with no retention obligation that covers those records.

Data Portability Violations (Art. 20)

Up to EUR 20M or 4% of worldwide annual turnover, whichever is higher (Art. 83(5)(b))
Scope: per infringement, subject to the Art. 83(3) cap for linked processing operations

Failing to provide the personal data the subject supplied, where it is processed by automated means on the basis of consent or a contract (Art. 20(1)), in a structured, commonly used and machine-readable format such as CSV or JSON; failing to transmit it directly to another controller where technically feasible (Art. 20(2)); or charging for portability.

Example: SaaS platform refuses portability requests, citing 'our format does not support export'.

How Penalties Are Calculated

Article 83(5) sets the ceiling for data subject rights infringements: up to EUR 20M or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Distinct infringements can each attract a fine, but where several provisions are infringed for the same or linked processing operations the total may not exceed the amount for the gravest infringement (Art. 83(3)). The amount within the ceiling is set on the Art. 83(2) factors, including the nature, gravity and duration of the infringement, the number of data subjects affected, whether it was intentional or negligent, and the degree of cooperation with the authority. For cross-border processing, the one-stop-shop mechanism routes enforcement through the lead supervisory authority of the controller's main establishment (Art. 56), with other concerned authorities involved through the Art. 60 cooperation procedure rather than through parallel national proceedings.

Recent Enforcement Actions

2024 — Major E-Commerce Platform
Systematic failure to process erasure requests within the statutory timeframe. Estimated 40,000+ requests per year. No automated tracking or acknowledgment system.
Penalty: EUR 15.5M fine (Irish DPC, Q4 2024)
Source: Irish Data Protection Commission Decision

2024 — Online Marketplace
Right of access requests answered with summary data rather than the personal data itself. Identity verification caused delays of 6–8 weeks on average.
Penalty: EUR 2.3M fine (French CNIL)
Source: CNIL Enforcement Actions 2024

2023 — Financial Services Provider
Right to erasure requests for closed accounts denied. The retention policy kept customer data indefinitely on a "legal obligation" basis that did not apply to the data categories requested.
Penalty: EUR 8M fine (German BfDI)
Source: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)


Frequently Asked Questions

Can we charge for data subject access requests?

No. Under Article 12(5), the information provided under Articles 13 to 22 and any action taken on a request must be free of charge. A controller may charge a reasonable fee based on administrative costs, or refuse to act, only where a request is manifestly unfounded or excessive (for example because it is repetitive), and the controller bears the burden of demonstrating that. If it refuses to act, it must inform the data subject without delay and at the latest within one month of receipt, stating the reasons and the option of complaining to a supervisory authority and seeking a judicial remedy (Art. 12(4)).

How long does an organization have to respond to a DSAR?

One month from receipt (Art. 12(3)). Where a request is complex or the controller has received a number of requests, that period may be extended by two further months, but the data subject must be told of the extension, and of the reasons for it, within the first month. The clock runs from receipt of the request, not from completion of identity verification, and it counts one calendar month rather than 30 days. Missing the one-month deadline without a properly notified extension is already an infringement of Art. 12; supervisory authorities treat repeated misses across many requests as a systemic failure rather than an isolated lapse.
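Put in code, as an added example that is not from this page or from ComplianceStack, the deadline rule above is a small DSAR register that computes each request's effective deadline and ignores an extension that was notified too late to count. It assumes, following EDPB Guidelines 01/2022, that "one month" ends on the same calendar day of the following month, or on the last day of that month if the day does not exist (31 January runs to 28 or 29 February); the `Dsar` class, the `SAMPLE_REGISTER` entries and the reference numbers are constructed for illustration.

```python
"""DSAR deadline tracking under Art. 12(3) GDPR.

Assumption (not stated on the page above): a period of "one month" ends on the
same calendar day of the following month, or on the last day of that month if
it has no such day, as in EDPB Guidelines 01/2022 (e.g. 31 Jan -> 28/29 Feb).
"""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic with end-of-month clamping (see module docstring)."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class Dsar:
    """One data subject request as tracked by a hypothetical DSAR register."""
    ref: str
    received: date
    # Date on which the data subject was informed of an Art. 12(3) extension, if any.
    extension_notified: Optional[date] = None
    responded: Optional[date] = None

    def base_deadline(self) -> date:
        """One month from receipt; identity checks do not pause this clock."""
        return add_months(self.received, 1)

    def deadline(self) -> date:
        """Effective deadline. An extension only counts if notified within the first month."""
        base = self.base_deadline()
        if self.extension_notified is not None and self.extension_notified <= base:
            return add_months(self.received, 3)
        return base

    def status(self, today: date) -> str:
        due = self.deadline()
        if self.responded is not None:
            return "responded_on_time" if self.responded <= due else "responded_late"
        return "overdue" if today > due else "open"

    def days_remaining(self, today: date) -> int:
        return (self.deadline() - today).days


def overdue(register: List[Dsar], today: date) -> List[str]:
    """Refs of requests that are past their effective deadline with no response."""
    return [r.ref for r in register if r.status(today) == "overdue"]


def due_within(register: List[Dsar], today: date, days: int) -> List[str]:
    """Refs of open requests due within `days` days: the escalation queue."""
    return [r.ref for r in register
            if r.status(today) == "open" and r.days_remaining(today) <= days]


# Constructed sample register (not real requests).
SAMPLE_REGISTER = [
    Dsar("DSAR-001", date(2024, 1, 31)),                                        # due 29 Feb (leap year)
    Dsar("DSAR-002", date(2024, 1, 31), extension_notified=date(2024, 2, 28)),  # valid extension -> 30 Apr
    Dsar("DSAR-003", date(2024, 1, 31), extension_notified=date(2024, 3, 5)),   # late notice -> still 29 Feb
    Dsar("DSAR-004", date(2024, 2, 20), responded=date(2024, 3, 25)),           # answered after 20 Mar deadline
    Dsar("DSAR-005", date(2024, 2, 25)),                                        # due 25 Mar
]

if __name__ == "__main__":
    today = date(2024, 3, 6)
    for r in SAMPLE_REGISTER:
        print(f"{r.ref}: due {r.deadline()} -> {r.status(today)}")
    print("overdue:", overdue(SAMPLE_REGISTER, today))
    print("due within 21 days:", due_within(SAMPLE_REGISTER, today, 21))
```

The late-notice case (DSAR-003) is the one a tracker most often gets wrong: the extension letter was sent, but after the first month had already expired, so the request was overdue from 1 March and the extension does not cure it.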
