GDPR Individual Rights Violations
Last updated: 2026-07-05 — ComplianceStack Editorial Team
GDPR individual rights violations — also called data subject rights violations — occur when organizations fail to honor requests from EU residents to access, rectify, erase, port, or restrict processing of their personal data. These rights are codified in Articles 12–22 of the GDPR and include the right of access (Art. 15), right to rectification (Art. 16), right to erasure (Art. 17), right to data portability (Art. 20), and right to object (Art. 21). Supervisory authorities across the EU have issued significant fines for systematic failures to handle these requests within the 30-day deadline.
Penalty Tier Breakdown
Systematic Failure to Respond to DSARs (Art. 12)
Penalty: up to EUR 20M or 4% of global turnover.
Applies to organizations that fail to respond to data subject access requests (DSARs) within one month, that fail to verify identity without disproportionate effort, or that charge fees for DSAR fulfillment. Supervisory authorities treat systematic DSAR failures as a core principle violation under Art. 5(1)(a) — lawfulness, fairness, transparency.
Right to Erasure Violations (Art. 17)
Penalty: up to EUR 20M or 4% of global turnover.
Failure to erase personal data when the subject exercises the right, failure to notify third parties who have received the data, failure to honor the right where the data is no longer necessary, or failure to delete data subject to a legitimate objection.
Data Portability Violations (Art. 20)
Penalty: up to EUR 20M or 4% of global turnover.
Failing to provide personal data in a structured, machine-readable format (CSV, JSON) when requested, failing to transmit it directly to another controller when technically feasible, or charging for data portability.
How Penalties Are Calculated
GDPR Article 83(5) penalties apply per violation — organizations can face multiple separate Article 83(5) fines for different rights violations simultaneously. The 4% global annual turnover cap applies to the total of all fines in a single proceeding, but multiple proceedings can run in parallel across different EU member states.
Recent Enforcement Actions
Frequently Asked Questions
Can we charge for data subject access requests?
No — under Article 12(5), information and communications to the data subject must be provided free of charge. Organizations may only charge a "reasonable fee based on administrative costs" or refuse to act on requests where the data subject makes excessive, repetitive, or manifestly unfounded requests — but this must be demonstrated and the data subject must be notified within one month.
How long does an organization have to respond to a DSAR?
One month from receipt, extendable by two additional months where requests are complex or numerous — but the data subject must be informed of the extension within the first month. Failure to respond within 3 months constitutes a formal GDPR violation that DPAs treat seriously.