GDPR Data Subject Rights: Access, Deletion, Rectification (30-Day Deadline)
What you need to know: GDPR Data Subject Rights: Access, Deletion, Rectification (30-Day Deadline)
Individuals have the right to request access to their personal data, have it corrected, or deleted — and you must respond within 30 calendar days. This guide explains each right, what triggers your obligation, and how to respond on time.
Individuals have the right to request access to their personal data, have it corrected, or deleted — and you must respond within 30 calendar days. These are called data subject rights under GDPR Articles 15–22. Failing to respond on time can result in fines of up to €10 million or 2% of annual revenue, plus formal enforcement action from your Data Protection Authority.
This guide explains each right, what triggers your obligation, and the process for responding correctly.
The Law: GDPR Article 12 (Response Timeline)
"The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request."
Your deadline is 30 calendar days from receipt, not 30 business days. A request received on 3 June must be responded to by 3 July.
Extension Rule (Article 12(3))
You may extend by two additional months (60 days total) if the request is complex or if you receive multiple requests simultaneously. But you must notify the data subject within the first 30 days, explaining the reason for the delay. Missing this notification removes your right to extend.
The Five Core Data Subject Rights
Article 15: Right of Access
"The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed, and where that is the case, access to the personal data."
The right of access means an individual can ask you to confirm whether you process their personal data, and if so, to provide a copy.
What you must provide:
- Confirmation that you hold (or do not hold) personal data about them
- A copy of all personal data you process about them, in a commonly used and machine-readable format (CSV, JSON, or PDF)
- The purposes of processing
- The categories of recipients (who you share the data with)
- The planned retention period
- Information about their other rights (rectification, erasure, restriction, portability)
- Where data was not collected directly from them, information about the source
Cost: The first copy must be provided free of charge. For subsequent requests that are manifestly unfounded or excessive, you may charge a reasonable administrative fee.
Example: A customer emails: "Can I get all the personal data you hold about me?" That is a valid Article 15 request. Respond within 30 days with a downloadable file of their data and a covering letter explaining your processing.
Article 16: Right to Rectification
"The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her."
Individuals can demand correction of factually inaccurate personal data.
What counts as inaccurate:
- Wrong email address, phone number, or postal address
- Misspelled name
- Incorrect date of birth
- Outdated job title still stored in your system after a data subject informed you of the change
What does not count:
- Opinion-based assessments (e.g., a credit risk score is your judgement, not a factual error even if the individual disagrees)
- Data that was accurate when collected but is no longer current (though the individual may ask you to complete incomplete data under Article 16's second sentence)
Your obligation: Correct the data, confirm the correction to the individual, and notify any third parties to whom you have disclosed the inaccurate data.
Article 17: Right to Erasure ("Right to Be Forgotten")
"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay."
Individuals can request deletion of their personal data. This right applies in specific circumstances.
You must delete when:
- The data is no longer necessary for the purpose it was collected for
- The individual withdraws their consent and consent is your only lawful basis
- The individual objects to processing under Article 21 and you have no overriding legitimate grounds
- The data was unlawfully processed
- Erasure is required to comply with EU or Member State law
You may refuse to delete when:
- You have a legal obligation to retain the data (e.g., tax records for 7 years under EU VAT rules)
- You need the data to exercise or defend legal claims
- The processing is necessary for reasons of public interest in public health (Article 9(2)(i))
- The processing is necessary for archiving, research, or statistical purposes where erasure would seriously impair those purposes
When you refuse, you must explain the legal basis for refusal. You cannot simply ignore the request.
Example of a must-delete scenario: A customer closes their account and requests erasure of all their data. If you have no legal obligation to retain it (no ongoing orders, no tax record requirement), you must delete within 30 days and confirm.
Example of a partial refusal: The same customer has outstanding billing records you must retain for 7 years under tax law. You delete everything else and explain: "We have deleted your profile data. We retain billing records for 7 years as required by EU VAT Directive 2006/112/EC."
Article 18: Right to Restriction of Processing
"The data subject shall have the right to obtain from the controller restriction of processing."
Restriction means you keep the data but stop using it (other than to store it) until the restriction is lifted.
When individuals can request restriction:
- They contest the accuracy of the data (restriction applies while you verify)
- The processing is unlawful but they prefer restriction to deletion
- You no longer need the data, but they need it to establish, exercise, or defend a legal claim
- They have objected under Article 21 and you are verifying whether your legitimate grounds override their objection
What restriction means in practice:
- Mark the data as restricted in your system
- Do not process it for any purpose other than storage
- Do not share it with third parties or use it for analytics
- You may still process it if the individual consents, or to establish or defend legal claims, or to protect the rights of another person, or for important public interest reasons
Article 20: Right to Data Portability
"The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format."
Portability applies only to data processed by automated means on the basis of consent or contract. It gives individuals the right to take their data to another service.
What you must provide:
- Personal data the individual themselves provided (not data you inferred or derived)
- In a structured, machine-readable format — CSV or JSON, not a PDF printout
- Where technically feasible, transferred directly to another controller on request
What you do not have to provide:
- Data you generated or inferred from their data (e.g., a risk score derived from transaction history)
- Data about other people that is incidentally linked to theirs
- Copyrighted content or data protected by trade secrets
Identifying a Data Subject Request
Data subject requests do not need to cite GDPR or use legal language. The obligation is triggered by the substance of the request, not its form.
Any of the following trigger your 30-day obligation:
- Email: "Can I get my data?"
- Chat message: "Delete my account please"
- Contact form: "I want to know what information you have about me"
- Formal letter citing Articles 15–22
- Verbal request (for which you should obtain written confirmation)
- Request from an authorised representative acting on someone's behalf
Even informal requests are legally binding. "Delete my account" via a chat window is a valid Article 17 request.
Step-by-Step Response Process
Step 1 — Receive and log (Day 0)
Record the request with: date and time received, the individual's identity and contact details, the type of request (access, erasure, rectification, restriction, portability), and the response deadline.
Step 2 — Verify identity (Days 0–3)
Confirm the requester is who they claim to be. For sensitive categories of data (health, financial), ask for proof of identity. For less sensitive data, email confirmation is usually sufficient. You may not charge a fee merely for verifying identity — only for manifestly unfounded or repetitive requests.
Step 3 — Assess validity (Days 0–7)
Is this a valid data subject right under Articles 15–22? Do you actually hold personal data about this individual? Is there a basis for refusal (legal obligation to retain, ongoing contract)? Are you dealing with a manifestly unfounded or repetitive request (which you may refuse or charge for)?
Step 4 — Prepare the response (Days 7–28)
Retrieve all relevant personal data from all systems: primary databases, backups, email archives, marketing platforms, analytics tools, third-party processors. Format the data appropriately. For access requests: a downloadable file and covering letter. For erasure: a deletion confirmation. For rectification: an update confirmation. Review with your legal team or DPO before sending.
Step 5 — Send and confirm (Day 29 at the latest)
Respond by email or secure method. Include the data, confirmation, or explanation of refusal. Keep proof of delivery. If you are refusing any part of the request, explain the legal basis clearly. Log the action taken.
Step 6 — Document for compliance purposes
Keep records of the request, the identity verification, the action taken, and the date of response for a minimum of three years. This documentation is your evidence of compliance if the DPA investigates.
Template: Article 17 Erasure Response — Accepted
Subject: Your GDPR Erasure Request — Completed
Dear [Name],
Thank you for your request dated [date] to erase your personal data. We have now completed this request.
Data deleted: Account profile, email address, contact information, purchase history, support history.
Data retained (legal obligation): Billing records are retained for 7 years under EU VAT Directive 2006/112/EC. These are held separately and used solely for tax compliance purposes.
We have also notified our data processors to delete your data from their systems.
If you have questions, please contact our Data Protection Officer at [[email protected]].
[Name / Company]
Template: Article 17 Erasure Response — Partial Refusal
Subject: Your GDPR Erasure Request — Partial Response
Dear [Name],
Thank you for your request dated [date]. We have partially fulfilled your request.
Data deleted: [list items].
Data we are retaining: Billing and transaction records (legal obligation: EU VAT Directive, Article [X], 7-year retention). Contract records (legal obligation: [applicable national contract law]).
Legal basis for retention: GDPR Article 17(3)(b) — retention is necessary to comply with a legal obligation.
You have the right to lodge a complaint with your national data protection authority if you believe this refusal is unjustified.
[Name / Company]
Common Mistakes
Ignoring informal requests. "Delete my account" via chat is a valid erasure request. Respond within 30 days or face enforcement.
Charging for identity verification. You may ask for proof of identity, but you cannot charge for the verification step. Fees apply only to manifestly unfounded or repetitive requests.
Silently deleting without confirmation. Individuals are entitled to know their request was actioned. Always send a written confirmation.
Sending sensitive data over unencrypted email. For large or sensitive data sets, use an encrypted email service, a secure portal, or password-protected files.
Missing the 30-day deadline without notice. If you need more time, notify the individual within the first 30 days with a reason. Failing to send this notice forfeits your right to the two-month extension.
Refusing without explanation. Every refusal must cite the specific legal basis. "We cannot delete your data" is not sufficient; "We retain your billing records for 7 years under EU VAT Directive 2006/112/EC, Article 242" is.
Systems Readiness
To respond on time, your organisation needs:
- A data inventory mapping all personal data to its storage location
- A retrieval procedure capable of extracting all data about an individual from all systems within your response window
- An export capability that generates data in a machine-readable format (CSV or JSON) for access and portability requests
- A deletion procedure that removes data from primary databases, backups, archives, and third-party processors
- Pre-written templates for each type of response (acceptance, refusal, extension notice)
- A request tracking log with deadline alerts
- A defined identity verification process for each category of data sensitivity
Key Takeaways
- 30 calendar days from receipt — your deadline. Extension to 60 days is available only if you notify the individual within the first 30 days.
- Five core rights — Access (Article 15), Rectification (Article 16), Erasure (Article 17), Restriction (Article 18), Portability (Article 20).
- Informal requests are binding — "delete my account" via chat is a legally valid Article 17 request.
- Verify identity reasonably — but do not charge for doing so.
- Refusal requires explanation — cite the specific legal basis (e.g., Article 17(3)(b) for retention obligations).
- First response is free — you may charge only for manifestly unfounded or repetitive requests.
- Document everything — keep records of requests, verification, actions taken, and deadlines met, for a minimum of three years.
For informational purposes only. This article does not constitute legal advice. Consult your Data Protection Officer, legal counsel, or a GDPR compliance specialist for advice specific to your organisation.
Key takeaways: GDPR Data Subject Rights: Access, Deletion, Rectification (30-Day Deadline)
This article covers: The Law: GDPR Article 12 (Response Timeline), The Five Core Data Subject Rights, Identifying a Data Subject Request.
- The Law: GDPR Article 12 (Response Timeline)
- The Five Core Data Subject Rights
- Identifying a Data Subject Request
- Step-by-Step Response Process
- Template: Article 17 Erasure Response — Accepted
EuroComply Editorial Team
EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.
For informational purposes only. Consult qualified legal counsel.
Get the weekly EU compliance briefing — 2 minutes, every Thursday.
Related Regulation
GDPR
Official EuroComply guide to GDPR