Data Subject Rights

Definition

Data subject rights are the rights enshrined in Chapter III (Articles 12-23) of the General Data Protection Regulation (GDPR) that belong to natural persons whose personal data is processed. The core rights include: the right of access (Article 15), the right to rectification (Article 16), the right to erasure or the right to be forgotten (Article 17), the right to restriction of processing (Article 18), the right to data portability (Article 20), and the right to object (Article 21).

The controller is obligated to respond to data subject requests without undue delay, and in any event within one month of receiving the request (Article 12(3) GDPR). In complex cases, the deadline may be extended by a further two months, provided the data subject is informed of the extension and the reasons for it. Processing of requests must be free of charge as a general rule.

Simply Explained

Imagine you lend a friend a book. You have the right to know where your book is (right of access), to get it back (right to erasure), to have a damaged page repaired (right to rectification), or to pass the book to another friend (data portability). You have these rights because it is your book.

The same applies to your data. When a company processes your personal data, you have extensive rights: you can find out what data is stored, demand corrections, request deletion, or take your data to another provider. These rights are non-negotiable; they are yours by law, and companies must fulfill them within one month.

Why Does It Matter?

Data subject rights are the heart of the GDPR and give individuals control over their data:

• Legal Obligation: Companies must respond to data subject requests in a timely and complete manner. Violations can be punished with fines of up to 20 million euros or 4% of annual revenue.
• Increasing Requests: The number of data subject requests grows year over year. Companies that have not implemented efficient processes come under pressure when multiple requests arrive simultaneously.
• Complaints to Supervisory Authorities: If a company ignores or inadequately responds to a data subject request, the individual can file a complaint with the supervisory authority. This can trigger audits and fine proceedings.
• Foundation of Trust: Proper implementation of data subject rights demonstrates to clients and business partners that the company takes data protection seriously.
• Process Efficiency: Companies that know their data inventory and manage it in a structured way can handle data subject requests efficiently rather than conducting time-consuming and costly data searches.

Practical Example

A property management company has collected thousands of documents from tenants and property owners over the years: rental agreements, ID copies, payroll statements, and credit reports. A former tenant, whose lease ended two years ago, submits an access request under Article 15 GDPR: they want to know what data is still stored.

The management company faces a problem: the documents are scattered across various systems, including email inboxes, cloud storage, local hard drives, and paper files. It takes three weeks to compile all the data. The tenant then requests deletion of all data under Article 17 GDPR.

The company must now determine which data can actually be deleted and which must still be retained due to statutory retention periods. Without a structured system and a deletion policy, this process becomes a nightmare.

Had the company used a centralized, structured platform for document exchange from the start, the access and deletion request could have been processed in minutes rather than weeks.

How SendMeSafe Implements This

SendMeSafe supports businesses in the efficient implementation of data subject rights:

• Centralized Data Management: All files received via upload links and shared via share links are managed centrally in one platform. This significantly simplifies responding to access requests.
• Client Overview: Every client in SendMeSafe has their own profile with all associated files, links, and activities. For an access request, all relevant data can be identified at a glance.
• Complete Deletion: Organizations can completely delete all data associated with a client, including all uploaded files, associated metadata in the database, and files in S3 storage.
• Audit Trail: Complete logging of all activities makes it possible to precisely document who accessed which data and when, which is invaluable for responding to access requests.
• Automatic Expiration Dates: By configuring files and links with expiration dates, data minimization is promoted and the volume of stored data is automatically reduced.
• Export Capabilities: Data can be exported for responding to access requests or implementing data portability.

Frequently Asked Questions

Must I respond to every access request?

Yes, as a general rule, every access request must be answered within one month. There are only limited exceptions: if the request is manifestly unfounded or excessive (e.g., repeated identical requests within a short time), the controller may charge a reasonable fee or refuse to act. The burden of proof for the excessive nature lies with the company.

Do I need to verify the requester's identity?

Yes, before responding to a data subject request, you must ensure that the requesting person is actually the data subject. This protects against unauthorized disclosure of data. Identity verification should be proportionate, for example by cross-referencing with known contact details or by follow-up through a verified communication channel.

Can I refuse deletion requests?

In certain cases, yes. Article 17(3) GDPR lists exceptions, including statutory retention obligations (e.g., tax retention periods), assertion of legal claims, and exercise of the right to freedom of expression. If an exception applies, you must inform the data subject of the reasons for refusal and their right to lodge a complaint with the supervisory authority.

What is the difference between the right of access and data portability?

The right of access (Article 15) gives data subjects the right to know what data is being processed and to receive a copy. Data portability (Article 20) goes further: the data subject can request that their data be provided in a structured, commonly used, and machine-readable format, or be transmitted directly to another controller. Data portability applies only to data processed on the basis of consent or contract and by automated means.