Schedule Demo
GDPR 2 Minute Read

Data Subject Rights

Data Subjects, i.e. living individuals, have many rights under the data protection acts. The table below summarises these rights along with the relevant data controller obligations. This is a quick reference guide. Further details can be found on PrivacyEngine.

Data Subject’s Right

Controller Obligation


Right of Appeal

Confirmation of Processing

Controller must confirm details of any processing within 21 days, including source, purpose and other relevant information Response in writing Data Subject needs to provide proof of processing if Controller denies having data

Data Subject’s Right of Access

Controller must respond asap, but within 40 calendar days (60 for uncorrected exam results). Several exemptions are available Request must be in writing, max. fee of €6.35, Data Subject must provide verifiable identification Appeal to DP Commissioner if deadline is not met, or response is considered inadequate

Prevention of Processing causing damage or distress

Must provide a response in writing within 20 days Controller may decline where they feel processing is in public interest, fulfils a lawful function, etc. If Controller does not comply, Data Subject can complain to the Commissioner; Compensation only available via civil courts

Automated Decision Making

Controller must explain decision-making mechanism within 21 calendar days of receipt of request Can’t be used solely for evaluation reliability, credit worthiness, performance at work, etc. Data Subject can challenge the decision further in court

Opt out from Direct Marketing

Controller must respond within 40 days to confirm compliance Option to opt out must be free, clearly offered, easy to use, and unambiguous If direct marketing continues, Data Subject can complain to the Commissioner

Rectification, Erasure or Blocking

Controller must confirm correction of data within 40 days or receipt of correct data Data Subject must identify error, provide proof of correct information Controller must notify Processors with whom data was shared in past 12 mths – they must also make the changes

Assistance from Office of the DP Commissioner

On receipt of a valid request, Commissioner’s Office will investigate circumstances. Allow up to 15 working days for initial response Data Subject must provide identification and evidence of processing, as well as any relevant details Controller may appeal against findings of the Commissioner within 21 days of any formal Notice being issued


Entitled to compensation for damage or distress if proven; Difficult to prove actual causality Controller is exempt if not directly responsible for distress caused No guideline in DP legislation on the amount payable; Controller can appeal against any award