5.3 Your Rights Under GDPR
Module 5: GDPR — Europe's Standard
Covers the core individual rights in GDPR Arts. 15–22, explains how to exercise each, and outlines what happens when an organisation refuses.
One of the most powerful aspects of the GDPR is that it does not merely regulate what organisations can do with your data — it gives you concrete, enforceable rights over that data. These rights belong to you from the moment an organisation holds personal information about you.
Right of access (Art. 15)
You have the right to ask any organisation whether it holds personal data about you, and if so, to receive a copy. Such a request is known as a Subject Access Request (SAR). The response must include what data is held, why it is being processed, who it is shared with, and how long it will be kept. Organisations must respond within one month. The first copy must be provided free of charge.
Right to rectification (Art. 16)
If data held about you is inaccurate or incomplete, you have the right to have it corrected. The organisation must act without undue delay.
Right to erasure / 'right to be forgotten' (Art. 17)
You can request that your personal data be deleted. This right applies when data is no longer needed for the original purpose, you withdraw consent (and there is no other lawful basis), you object and the controller has no compelling grounds to continue, or the data was unlawfully processed. This right is not absolute — it does not override legal obligations, freedom of expression, or public interest processing.
Right to restriction of processing (Art. 18)
In certain circumstances, you can ask an organisation to pause processing your data — for example, while accuracy is disputed, or while an objection is being considered. Data can be stored but not actively processed during this period.
Right to data portability (Art. 20)
Where processing is based on consent or contract and carried out by automated means, you can request your data in a machine-readable format (such as CSV or JSON) and have it transferred to another service provider. This right supports competition and the ability to switch providers without losing your data history.
Right to object (Art. 21)
You can object to processing based on legitimate interests or public task. The organisation must stop processing unless it can demonstrate compelling legitimate grounds that override your interests. You also have an unconditional right to object to processing for direct marketing — the organisation must stop immediately.
Right not to be subject to automated decision-making (Art. 22)
You have the right not to be subject to decisions that are based solely on automated processing — including profiling — if those decisions produce significant legal or similarly significant effects on you (such as a loan refusal or job application rejection). You have the right to request human review, express your point of view, and contest the decision.
Response times and refusals
Organisations must respond to rights requests within one month (extendable by two further months for complex cases, with notification). If they refuse a request, they must explain why in writing and inform you of your right to complain to a supervisory authority (your national Data Protection Authority) and to seek a judicial remedy.
Your takeaway
These rights are not theoretical — they are legally enforceable. If an organisation ignores, delays, or unjustifiably refuses your request, you can complain to your national DPA. Module 9 provides detailed practical guidance on exercising every one of these rights step by step.