GDPR Guide for Privacy Teams

GDPR Data Subject Rights Explained: What Every Privacy Team Needs to Know (and Operationalize)

Updated 2026-05-18
Key Takeaways: Priverion is a Swiss-hosted GRC platform that helps multi-entity organizations automate all 8 GDPR data subject rights and DSAR workflows.

Managing data subject requests across multiple entities and jurisdictions? You're not alone. 68% of organizations say DSARs are their most resource-intensive GDPR obligation. This guide breaks down all 8 rights in plain language and shows you how leading privacy teams handle them without the chaos.

Source: IAPP-EY Annual Privacy Governance Report, 2023

Trusted by privacy teams managing 50+ entities across Europe

Swiss-hosted | ISO 27001 | SOC 2 Type II | GDPR-compliant by design
Trusted by 50+ privacy teams across 14 countries
Why DSARs Break at Scale

Why Data Subject Rights Create Operational Nightmares for Growing Organizations

The 30-day response clock starts ticking the moment a request lands. Across multiple entities, manual workflows, and disconnected systems, that deadline becomes a liability.

72%

Increase in DSARs across European markets since 2020, based on DPA annual report analysis

Request Volume Is Exploding

Every customer, employee, and vendor who interacts with your organization can exercise their rights at any time. Awareness is rising faster than most teams can staff for, and each request triggers a legally binding clock.

Result: Aircraft manufacturer automated recertification across all subsidiaries in their first 6 months, freeing their DPO from request-chasing to focus on strategic privacy work.

Aircraft manufacturer, first 6 months post-deployment

30 days

GDPR Article 12(3), maximum response window before enforcement risk escalates

The Clock Is Unforgiving Across Entities

A single DSAR in a multi-entity group can require coordination across 5+ teams and 3+ legal entities. Who owns the response? Where does the data live? Which entity is the controller? Shared inboxes and spreadsheets cannot answer these questions at speed.

€4,000–€6,000

Estimated average cost to fulfill a single DSAR manually; Gartner privacy operations research, directional estimate

Manual Processes Become a Compliance Liability

78% of multi-entity organizations still manage Records of Processing Activities in spreadsheets. When the same fragmented approach is applied to DSARs (locating data, redacting third-party information, verifying identities), one missed field can trigger a supervisory authority complaint.

Result: AXA reached 100% ROPA recertification rate with full automation, building the data mapping foundation that makes DSAR fulfillment fast and defensible.

AXA, fully automated recertification

Recent enforcement confirms the risk: the Swedish DPA fined a municipality for failing to respond to access requests within the statutory deadline. The Italian Garante has issued multiple sanctions for incomplete or delayed DSAR responses. These aren't edge cases; they're the new normal for under-resourced privacy teams.

Sources: Swedish Authority for Privacy Protection (IMY) and Italian Garante per la protezione dei dati personali, public enforcement decisions, 2022–2024

200+

Hours saved on ROPA management

Medtec redirected 200+ hours from manual ROPA and ISO 27001 documentation prep to strategic privacy work in their first year

60%

Lower cost vs. legacy platforms

Based on published pricing comparisons with OneTrust for mid-market organizations managing 10+ entities. No per-user or per-module expansion fees.

3 mo

Ahead of schedule on ISO 27001

Medtec completed ISO 27001 audit preparation three months ahead of their projected timeline using Priverion's integrated evidence packages

All 8 GDPR Data Subject Rights

Every GDPR Data Subject Right: What It Means, When It Applies, and How to Operationalize It

Articles 15–22 of the GDPR grant individuals eight distinct rights over their personal data. Each carries specific obligations, exceptions, and operational complexities, especially for organizations managing requests across multiple entities.

Right 1 of 8

Right of Access

GDPR Article 15

Data subjects can request confirmation of whether their personal data is being processed, and if so, access to that data along with supplementary information about how and why it's processed. This is by far the most commonly exercised right, and the most operationally demanding for multi-entity organizations where data may be spread across subsidiaries, systems, and jurisdictions.

What you must provide

  • Copy of the personal data being processed
  • Purposes of the processing
  • Categories of data concerned
  • Recipients or categories of recipients
  • Retention periods or criteria for determining them
  • Existence of their other rights (erasure, rectification, etc.)

Key exceptions and nuances

  • Must not adversely affect the rights and freedoms of others (redact third-party data)
  • First copy is free; reasonable fee permitted for additional copies
  • Can refuse or charge for manifestly unfounded or excessive requests
  • 30-day deadline, extendable by 2 months for complex requests

Operational reality for multi-entity teams

A single access request can touch HR systems, CRM, procurement platforms, and archives across multiple legal entities. Without cross-entity data mapping, teams spend days locating data that should take minutes. Priverion's cross-entity data mapping provides group-wide visibility so your team can identify all relevant processing activities and respond within the statutory deadline.

Right 2 of 8

Right to Rectification

GDPR Article 16

Data subjects have the right to obtain the correction of inaccurate personal data and, taking into account the purposes of the processing, the completion of incomplete personal data. While often simpler than access requests, rectification across multiple systems and entities can create cascading update requirements.

What you must do

  • Correct inaccurate data without undue delay
  • Complete incomplete data where relevant to the processing purpose
  • Notify all recipients who received the data (Article 19)
  • Inform the data subject about those recipients if requested

Key exceptions and nuances

  • No blanket exemptions; applies to all processing activities
  • Notification to recipients may be waived if disproportionate effort
  • Must be balanced against freedom of expression for journalistic purposes
  • 30-day response deadline applies

Operational reality for multi-entity teams

When a customer corrects their address, that change may need to propagate across billing, CRM, and HR systems in three different subsidiaries. Priverion's ROPA management with automated recertification ensures your data inventory stays current, so you know exactly which systems hold the data that needs updating.

Right 3 of 8

Right to Erasure (Right to Be Forgotten)

GDPR Article 17

Data subjects can request the deletion of their personal data when it's no longer necessary for its original purpose, when consent is withdrawn, or when processing is unlawful. This is the right that generates the most complexity, and the most enforcement activity, because it intersects with retention obligations, legal holds, and legitimate interests across every entity in your group.

When erasure applies

  • Data no longer necessary for original purpose
  • Consent withdrawn and no other legal basis exists
  • Data subject objects and no overriding legitimate grounds
  • Data was unlawfully processed
  • Legal obligation requires erasure
  • Data collected in relation to offering services to a child

Key exceptions

  • Exercising freedom of expression and information
  • Compliance with a legal obligation requiring processing
  • Public health purposes in the public interest
  • Archiving in the public interest, scientific or historical research
  • Establishment, exercise, or defense of legal claims

Operational reality for multi-entity teams

Erasure requests are where spreadsheet-based privacy programs fail catastrophically. You need to identify every system holding the individual's data, determine whether any exception applies per entity, execute the deletion, and document the entire process for audit purposes. Priverion's cross-entity data mapping combined with vendor risk assessments gives you visibility into both internal systems and third-party processors holding the data.

Right 4 of 8

Right to Restriction of Processing

GDPR Article 18

Data subjects can request that processing be restricted (essentially frozen in place) while the accuracy of data is contested, while the lawfulness of processing is determined, or while the controller assesses whether their legitimate grounds override those of the data subject. The data is stored but not actively processed.

When restriction applies

  • Data subject contests accuracy (restriction for verification period)
  • Processing is unlawful but data subject prefers restriction over erasure
  • Controller no longer needs data but data subject needs it for legal claims
  • Data subject has objected (restriction pending verification of grounds)

What you can still do with restricted data

  • Store the data
  • Process with data subject's consent
  • Process for legal claims
  • Process for protection of another person's rights
  • Process for important public interest reasons

Operational reality for multi-entity teams

Restriction is operationally tricky because you need to flag data across every system without deleting it, and ensure no team in any subsidiary accidentally processes it during the restriction period. Priverion's incident management workflows and cross-entity visibility help you enforce restrictions consistently across your entire group.

Right 5 of 8

Right to Data Portability

GDPR Article 20

Data subjects can receive their personal data in a structured, commonly used, and machine-readable format, and have it transmitted directly to another controller where technically feasible. This right only applies to data processed by automated means based on consent or contract performance.

What you must provide

  • Personal data the subject provided to you (not derived or inferred data)
  • Structured, commonly used, machine-readable format (CSV, JSON, XML)
  • Direct transmission to another controller if technically feasible

Key limitations

  • Only applies to data processed based on consent or contract
  • Only applies to data processed by automated means
  • Only covers data provided by the data subject (not analytics or profiles)
  • Must not adversely affect the rights and freedoms of others

Operational reality for multi-entity teams

Portability requests require you to extract data from potentially dozens of systems, filter to only data provided by the subject (not derived data), and format it consistently. Having your processing activities mapped in Priverion's ROPA means you know exactly which systems hold "provided" data, and can generate exports without manual archaeology.

Right 6 of 8

Right to Object

GDPR Article 21

Data subjects can object to processing based on legitimate interests or public interest, including profiling based on those grounds. For direct marketing, the right to object is absolute: processing must stop immediately upon request with no balancing test required.

When objection applies

  • Processing based on legitimate interests (Article 6(1)(f))
  • Processing based on public interest (Article 6(1)(e))
  • Profiling based on the above grounds
  • Direct marketing (absolute right, no exceptions)

Controller's response obligations

  • Must stop processing unless demonstrating compelling legitimate grounds
  • Compelling grounds must override interests, rights, and freedoms of the data subject
  • For direct marketing: stop immediately, no balancing test
  • Must inform data subjects of their right to object at point of first communication

Operational reality for multi-entity teams

Objections require a case-by-case legitimate interest assessment, unless it's direct marketing. Across a group with multiple marketing teams and CRM systems, ensuring an objection propagates to every entity that might contact the individual is critical. Priverion's group-wide dashboards give you the oversight to verify that objections are honored everywhere.

Right 7 of 8

Rights Related to Automated Decision-Making and Profiling

GDPR Article 22

Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significant effects on them. This right is increasingly relevant as organizations deploy AI and machine learning systems that affect hiring, credit, insurance, and service eligibility.

When this right applies

  • Decision is based solely on automated processing (no meaningful human involvement)
  • Decision produces legal effects (contract denial, benefit termination)
  • Decision produces similarly significant effects (credit scoring, job screening)

Exceptions where automated decisions are permitted

  • Necessary for entering into or performing a contract
  • Authorized by EU or Member State law with suitable safeguards
  • Based on explicit consent
  • In all exception cases: must implement suitable safeguards including human intervention

Operational reality for multi-entity teams

With the EU AI Act adding new obligations on top of GDPR Article 22, organizations deploying AI systems need clear documentation of automated decision-making across every entity. Priverion's AI Register for EU AI Act compliance readiness helps you inventory AI systems, document the level of human oversight, and demonstrate compliance at the intersection of GDPR and AI regulation.

Right 8 of 8

Right to Be Informed

GDPR Articles 13 and 14

Before or at the point of data collection, individuals must be informed about who is processing their data, why, on what legal basis, for how long, and what rights they have. This is the foundational right that enables all others: if people don't know you're processing their data, they can't exercise their rights over it.

Information you must provide (data collected directly)

  • Identity and contact details of the controller (and DPO)
  • Purposes and legal basis for processing
  • Legitimate interests pursued (if applicable)
  • Recipients or categories of recipients
  • Details of international transfers and safeguards
  • Retention periods and criteria
  • All data subject rights applicable

Additional requirements for indirectly collected data

  • Categories of personal data obtained
  • Source of the data
  • Must provide within a reasonable period (max 1 month)
  • Or at point of first communication with the individual
  • Or when data is first disclosed to another recipient

Operational reality for multi-entity teams

Each entity in your group likely has its own privacy notice, but the information must be accurate and consistent with your actual processing activities. When your ROPA is out of date, your privacy notices are automatically wrong. Priverion's automated ROPA recertification ensures the processing inventory that feeds your transparency obligations stays accurate across every subsidiary.

Competitor-Aware

What changes when you switch from OneTrust to Priverion

Enterprise platforms weren't built for mid-market privacy teams. You end up paying for complexity you'll never use, and still duct-taping the parts that actually matter for group-wide compliance.

The OneTrust experience

Per-module, per-user pricing

Costs escalate every time you add a subsidiary, user, or workflow. Budget conversations become negotiation exercises.

US-hosted infrastructure

In a post-Schrems II world, US hosting creates ongoing legal exposure for cross-border data transfers. Your privacy tool shouldn't be a transfer risk itself.

Built for Fortune 500 buyers

200+ features means 180 you'll never touch. Training takes months. Your team spends more time learning the tool than doing privacy work.

Cookie consent, ESG, and ethics hotlines bundled in

You're cross-subsidizing modules designed for other buyers. The platform sprawl slows everything down.

Months-long implementation

Enterprise onboarding timelines that assume you have a 10-person implementation team. Most mid-market privacy teams are 1–3 people.

The Priverion experience

Predictable pricing by company count

Based on number of entities and organizational size, not per-user or per-module. Add team members without renegotiating contracts.

Swiss-built, Swiss-hosted

European data residency guaranteed. All data processing within Swiss infrastructure, the strongest data protection jurisdiction outside the EU. Your compliance tool is itself compliant.

Purpose-built for group-wide privacy

Every feature exists to solve multi-entity privacy management. Cross-entity data mapping, automated ROPA recertification, group-wide dashboards, from day one.

All-in-one privacy platform, nothing you don't need

ROPA, DPIA/TIA, vendor risk, incident management, DSR handling, AI register, integrated in one platform. We don't cover ESG, ethics hotlines, or cookie consent because those aren't privacy program management.

Operational in weeks, not months

Aircraft manufacturer achieved 60% reduction in compliance admin time within their first 6 months. Simpler UX means your team is productive immediately, not after a certification course.

Aircraft manufacturer case study, first 6 months post-implementation

Already evaluating alternatives? See how the switch works in practice.

Book a 30-min walkthrough

Stop managing privacy in spreadsheets

See what group-wide privacy management looks like when it actually works

In 30 minutes, we'll walk you through how organizations like Aircraft manufacturer automated ROPA recertification across every subsidiary, and cut compliance admin time by 60% in their first six months. No slides. No sales pitch. Just the platform, your questions, and honest answers.

Weeks, not months

Average time to go live

No per-user pricing

Predictable costs that scale with entities

100% Swiss-hosted

European data residency guaranteed