A user emailed a SaaS support inbox: "Under GDPR Article 15, please provide a copy of all personal data you hold on me." The support team logged it as a feature request and let it sit for 19 days. By the time the DPO saw it, they had 11 days to find that user data across the production database, CRM, data warehouse, email marketing tool, analytics platform, support tool, and error-monitoring system. Three weeks later, the user filed a complaint. Not because the company was hiding anything - because the response was incomplete and three days late.
The Eight Rights Under GDPR
- Right to be Informed (Arts. 13-14): Users must know what data you collect, why, and on what basis - before you collect it.
- Right of Access (Art. 15): Users can request a copy of all personal data you hold on them.
- Right to Rectification (Art. 16): Users can require you to correct inaccurate or incomplete data.
- Right to Erasure (Art. 17): Users can require deletion in most cases - the "right to be forgotten."
- Right to Restrict Processing (Art. 18): Users can require you to pause processing without deleting.
- Right to Data Portability (Art. 20): Users can request their data in a machine-readable format.
- Right to Object (Art. 21): Users can object to processing - absolute for marketing, conditional for legitimate interests.
- Rights in Automated Decision-Making (Art. 22): Users can demand human review of purely automated decisions.
The Three You Will Meet First
Right of Access (Article 15)
A user asks for everything you hold. The scope includes: production DB records, CRM entries, email-marketing lists, chatbot transcripts, analytics events, error traces, session replays, and derived data (scores, segments, tags). You must provide this in a commonly used electronic format within 30 days.
Right to Erasure (Article 17)
Delete from primary systems and propagate to every processor and sub-processor. You can retain for narrow reasons (legal obligation, defence of legal claims), but the burden is on you to justify retention.
Right to Object (Article 21)
For direct marketing this is absolute: you must stop. For legitimate-interests processing, you can continue only if you show compelling grounds that override the user's interests. Most companies cannot.
Where Each Right Breaks
| Right | User Asks For | Deadline | Where It Usually Breaks |
|---|---|---|---|
| Be Informed | Clear notice before collection | At collection | Outdated or misleading privacy notice |
| Access | Copy of all their data | 30 days | Data scattered across 10+ tools |
| Rectification | Correction of inaccurate data | 30 days | No propagation to downstream processors |
| Erasure | Deletion of their data | 30 days | Backups, warehouses, vendor tools still retain it |
| Restrict | Pause processing without deletion | 30 days | No technical "restrict" flag in production DB |
| Portability | Data in machine-readable format | 30 days | No export function built into product |
| Object | Stop processing for marketing/LI | 30 days | Marketing automation ignores the flag |
| Automated | Human review of automated decision | 30 days | No override path built into the ML pipeline |
Building the Process - What You Actually Need
- A single intake point: One email, one form, one place where rights requests land - not scattered across support tickets.
- Identity verification: Authenticate the requester without making the process so burdensome that the verification step itself breaches Article 12.
- An engineering playbook per right: Access is an export script with a PII inventory. Erasure is a purge script with processor propagation. Objection is a flag-based processing gate.
- 30-day calendar enforcement: Day-of-receipt tracked, SLA alerted at day 20, escalated at day 25. Extensions require DPO approval.
- A record of each response: Evidence that you honoured the right - timestamps and what was delivered. Regulators ask for this first.
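The five items above describe one pipeline: a single intake record per request, a 30-day clock with a day-20 alert and day-25 escalation, DPO-approved extensions, per-right handlers driven by a PII inventory, and an evidence log. The following sketch, added here as an illustration and not code from the original article, puts them together. The system names, user ids and records are constructed sample data, and the dict tables stand in for the real system clients an export or purge script would call.

```python
"""Rights-request pipeline sketch: one intake record per request, a 30-day
clock with a day-20 alert and day-25 escalation, and per-right handlers
driven by a PII inventory. System names and records are constructed sample
data; the dict tables are stand-ins for real processor APIs."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed PII inventory: every system that may hold personal data, keyed
# by user id. "analytics" is deliberately empty so the search is still logged.
INVENTORY = {
    "production_db": {"u42": {"email": "u42@example.invalid", "plan": "pro"}},
    "crm": {"u42": {"owner": "sales-1", "notes": "called twice"}},
    "email_marketing": {"u42": {"list": "newsletter", "opted_in": True}},
    "error_monitoring": {"u42": {"last_trace": "TypeError at /checkout"}},
    "analytics": {},
}
RESPONSE_DAYS, ALERT_DAY, ESCALATE_DAY, EXTENSION_DAYS = 30, 20, 25, 60
OBJECTIONS = set()  # user ids that objected to direct marketing (Art. 21)


@dataclass
class RightsRequest:
    user_id: str
    right: str          # "access", "erasure", "object", ...
    received: date      # day of receipt, whatever channel it arrived through
    extended: bool = False
    log: list = field(default_factory=list)  # evidence trail for regulators

    @property
    def deadline(self) -> date:
        extra = EXTENSION_DAYS if self.extended else 0
        return self.received + timedelta(days=RESPONSE_DAYS + extra)

    def status(self, today: date) -> str:
        """SLA state used for alerting: on_track -> alert -> escalate -> overdue."""
        if today > self.deadline:
            return "overdue"
        age = (today - self.received).days
        if not self.extended and age >= ESCALATE_DAY:
            return "escalate"
        if not self.extended and age >= ALERT_DAY:
            return "alert"
        return "on_track"

    def extend(self, today: date, dpo_approved: bool, reason: str) -> None:
        """Extension needs DPO approval and must be notified within the initial window."""
        if not dpo_approved:
            raise PermissionError("extension requires DPO approval")
        if today > self.received + timedelta(days=RESPONSE_DAYS):
            raise ValueError("initial window has passed; extension no longer possible")
        self.extended = True
        self.log.append((today.isoformat(), f"extended: {reason}"))


def handle_access(req: RightsRequest, inventory=INVENTORY) -> dict:
    """Art. 15: search every inventoried system and record the search itself,
    including systems where nothing was found."""
    export, searched = {}, []
    for system, table in inventory.items():
        searched.append(system)
        if req.user_id in table:
            export[system] = dict(table[req.user_id])
    req.log.append((req.received.isoformat(),
                    f"access: searched {searched}; found in {sorted(export)}"))
    return export


def handle_erasure(req: RightsRequest, inventory=INVENTORY) -> list:
    """Art. 17: purge from the primary system and every processor; return the
    systems purged so the response can evidence propagation."""
    purged = []
    for system, table in inventory.items():
        if table.pop(req.user_id, None) is not None:
            purged.append(system)
    req.log.append((req.received.isoformat(), f"erasure: purged from {purged}"))
    return purged


def handle_objection(req: RightsRequest, purpose: str) -> str:
    """Art. 21: direct marketing stops unconditionally; other purposes go to a
    compelling-grounds review (modelled here as a 'review' outcome)."""
    if purpose == "direct_marketing":
        OBJECTIONS.add(req.user_id)
        return "stopped"
    return "review"


def may_send_marketing(user_id: str) -> bool:
    """Processing gate every marketing send must pass; a pipeline that skips
    this check is where the Object right usually breaks."""
    return user_id not in OBJECTIONS
```

The `log` on each request is the record of response the last bullet asks for: it captures which systems were searched or purged, not only which ones returned data, so an empty result for a system is still evidence that the search happened. In a real deployment the inventory entries would be clients for each processor, and an unreachable processor should fail the erasure loudly rather than be skipped.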
User rights are the part of GDPR that actually touches your product. The companies that handle this well treat them as a product feature - with telemetry, SLAs, and on-call rotation. For the full comparison with India DPDP rights, see 8 Rights of Data Principals Under DPDP.
Frequently Asked Questions
How long do you have to respond to a rights request?
30 calendar days from receipt under GDPR Article 12. You can extend by a further two months for complex or numerous requests, but you must notify the user of the extension and the reason within the initial 30-day window. The clock starts on the day the request is received, regardless of which channel it arrives through.
Can you charge a fee for handling a rights request?
No, in most cases. Rights requests must be fulfilled free of charge. You can charge a reasonable fee or refuse to act only if the request is 'manifestly unfounded or excessive' - for example, repetitive requests for the same data in a short period. The burden of proving the request is excessive is on you, not the user.
What if the user's data is scattered across many systems?
You must conduct a reasonable search across all systems where the data could exist - production databases, CRM, analytics, email marketing, support tools, error monitoring, backups, and data warehouses. If you cannot find data in a specific system, document the search you conducted. An incomplete response that fails to search known systems is a violation.
Do you have to delete data from backups?
Yes, but with practical accommodations. You should delete from primary systems immediately and from backups within a reasonable timeframe - typically when the backup rotation cycle naturally overwrites the data, or within 30-90 days. Document your backup retention and deletion approach. Keeping data indefinitely in backups after a deletion request is a violation.
Is the right to object absolute?
Not universally. The right to object is absolute for direct marketing - you must stop immediately. For processing based on legitimate interests or public task, the user can object but you can continue if you demonstrate compelling legitimate grounds. For processing based on consent, the user simply withdraws consent rather than objecting. For contractual processing, the right to object does not apply.