The GDPR[1] reserves the right for data subjects to request the following from the controller:

  • Access to any processed data, and a free copy if requested
  • Correction of any erroneous data
  • Deletion of any processed data
  • Restriction of data processing
  • Portability of any processed data
  • Objection against the processing of personal data

The data controller must give notice about any actions they have taken to adhere to the request of the data subject within one month of the receipt of said request. Considering the complexity of a request, or a large quantity of simultaneous requests, this period may be extended by two more months; the data subject must however still be informed about the reasons of the delay within one month.

The information is provided free of charge, unless the data controller can prove that the requests from a data subject are unfounded or excessive, in particular because of their repetitive character. In such circumstances, the data controller may either charge a reasonable fee taking into account any administrative costs, or they may refuse to act on the request. In case the controller has reasonable doubts concerning the identity of the subject making the request, the controller may request additional information necessary to confirm the identity of the data subject.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.


[1]     Chapter III GDPR.