Innopulse Consulting

What are data subject rights under the GDPR?

Short definition

Data subject rights are the enforceable rights the GDPR grants individuals over their personal data: to be informed, to access their data, to have inaccuracies corrected, to have data erased in defined cases, to restrict or object to processing, and to data portability, plus protections around automated decision-making. Organisations must be able to honour these requests, usually within one month.

Data subject rights — in German Betroffenenrechte — are the enforceable rights the GDPR gives individuals over their own personal data. They are the mechanism through which the regulation’s principles become real power in people’s hands: the ability to know what data is held, to correct it, to obtain a copy, and in defined cases to have it deleted. For any organisation processing personal data, being able to honour these rights reliably and on time is a core operational requirement, not an optional extra.

The right to be informed

Before any other right can be meaningfully exercised, individuals must know that their data is being processed and why. The GDPR requires controllers to provide clear, accessible information — typically through a privacy notice — about what data is collected, the purposes and lawful basis, retention periods, recipients, and the rights available. Transparency is the foundation: without it, the other rights cannot function, and a vague or buried notice undermines the entire framework.

The right of access

Individuals have the right to obtain confirmation that their data is being processed and to receive a copy of it, along with supplementary information about the processing. This subject access right is one of the most frequently exercised. Meeting it requires the ability to locate all of an individual’s data across systems — which is straightforward only if data is well organised. Companies that store personal data in scattered, undocumented places struggle most with access requests.

The right to rectification

Where personal data is inaccurate or incomplete, the individual can require it to be corrected or completed. This is simple in principle but depends on having editable, authoritative records and on propagating corrections to any systems or recipients that received the data. A correction that fixes one database while stale copies persist elsewhere does not truly satisfy the right.

The right to erasure

Often called the right to be forgotten, this right lets individuals require deletion of their data in defined circumstances — for example when it is no longer necessary, when consent is withdrawn, or when it was processed unlawfully. It is not absolute: legal retention obligations and certain other grounds can override it. Implementing erasure properly means being able to delete data across primary systems, backups, and processors, while preserving what the law requires to be kept.

The right to restriction

In certain situations — for instance while the accuracy of data is contested or the lawfulness of processing is being assessed — individuals can require processing to be restricted rather than deleted. Restricted data may be stored but not otherwise used. Supporting this right means systems must be able to flag and “freeze” specific records, a capability that is easy to overlook until a request arrives.

The right to data portability

Where processing is based on consent or contract and carried out by automated means, individuals can receive their data in a structured, commonly used, machine-readable format and transmit it to another controller. For SaaS products, this typically means offering a clean data export. Designing export functionality from the outset is far easier than retrofitting it, and it doubles as a useful product feature.

The right to object

Individuals can object to processing based on legitimate interests or public-interest tasks, and can object at any time to processing for direct marketing — which must then stop. Handling objections requires the ability to suppress specific processing for specific individuals, especially for marketing, where an objection is absolute and must be honoured immediately and permanently.

Automated decision-making

The GDPR gives individuals protection against decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. Where such decision-making is permitted, individuals have the right to obtain human intervention, express their view, and contest the decision. As automated and AI-driven decisions spread, this right intersects directly with AI governance and must be designed for explicitly.

Timeframes and handling requests

Controllers must respond to rights requests without undue delay and generally within one month, extendable in complex cases. Requests are usually free, though manifestly unfounded or excessive ones can be charged or refused. Meeting these deadlines reliably requires a defined internal process: how requests are received, verified, fulfilled across systems, and documented. Ad hoc handling fails under volume.

Implementing rights in software

For SaaS companies, honouring data subject rights is fundamentally an architecture question. Systems that know where each individual’s data lives, and that can export, correct, restrict, and delete it, make rights requests routine; systems that do not turn every request into a manual scramble. Building these capabilities in from the start — part of privacy by design — is dramatically cheaper than retrofitting them. Innopulse designs DACH products with rights-handling built into the data model.
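The following is an added illustration of the architecture point above, and of the "freeze" capability and one-month deadline described earlier; it is example code written for this page, not Innopulse's or any product's implementation. It models a minimal per-subject data inventory that can export, rectify across every system holding a field, restrict, and erase while honouring retention holds, and computes the response deadline. System names, field names and the subject identifier are constructed sample values.

```python
"""Toy data-subject-rights layer (constructed example, not production code).

A registry knows which systems hold data for each subject and can honour
access/portability, rectification, restriction and erasure requests, while
recording each request for documentation. System and field names are assumed."""
import calendar
import json
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Record:
    system: str                   # assumed system names: "crm", "billing", ...
    subject_id: str
    data: dict
    retention_hold: bool = False  # True when a legal obligation requires keeping it
    restricted: bool = False      # Art. 18 state: may be stored, must not be used


@dataclass
class Registry:
    records: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # (request type, subject) log

    def _for(self, subject_id):
        return [r for r in self.records if r.subject_id == subject_id]

    def export(self, subject_id):
        """Right of access / portability: one structured, machine-readable copy."""
        self.audit.append(("access", subject_id))
        return json.dumps({r.system: r.data for r in self._for(subject_id)},
                          sort_keys=True)

    def rectify(self, subject_id, key, value):
        """Apply a correction to every system holding the field; return them."""
        touched = []
        for r in self._for(subject_id):
            if key in r.data:
                r.data[key] = value
                touched.append(r.system)
        self.audit.append(("rectify", subject_id))
        return touched

    def restrict(self, subject_id):
        """Freeze the subject's records: storable, not usable."""
        for r in self._for(subject_id):
            r.restricted = True
        self.audit.append(("restrict", subject_id))

    def use(self, subject_id, purpose):
        """Every processing path must check the flag before touching the data."""
        if any(r.restricted for r in self._for(subject_id)):
            raise PermissionError(f"processing restricted for {subject_id}: {purpose}")
        return [r.data for r in self._for(subject_id)]

    def erase(self, subject_id):
        """Delete all records not under a retention hold; report deleted and kept."""
        mine = self._for(subject_id)
        deleted = [r.system for r in mine if not r.retention_hold]
        kept = [r.system for r in mine if r.retention_hold]
        self.records = [r for r in self.records
                        if r.subject_id != subject_id or r.retention_hold]
        self.audit.append(("erase", subject_id))
        return deleted, kept


def response_deadline(received: date) -> date:
    """One calendar month after receipt, clamped to the last day of that month."""
    year, month = received.year, received.month + 1
    if month == 13:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day))


def build_sample_registry() -> Registry:
    """Constructed sample: one subject with data spread across three systems."""
    return Registry(records=[
        Record("crm", "s-1001", {"name": "A. Example", "email": "old@example.org"}),
        Record("billing", "s-1001", {"email": "old@example.org", "invoices": 3},
               retention_hold=True),  # e.g. invoices kept under tax law (assumed)
        Record("analytics", "s-1001", {"device_id": "dev-42"}),
    ])


if __name__ == "__main__":
    reg = build_sample_registry()
    print(reg.rectify("s-1001", "email", "new@example.org"))
    print(reg.export("s-1001"))
    reg.restrict("s-1001")
    print(reg.erase("s-1001"))
    print(response_deadline(date(2024, 1, 31)))
```

The deliberate design choice is that `erase` reports what it kept and why, rather than silently deleting everything or nothing: the request is fulfilled to the extent the law allows and the retained systems are documented in the response.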

Conclusion

Data subject rights are the GDPR’s grant of real control to individuals — to be informed, to access, rectify, erase, restrict, port, and object, with safeguards around automated decisions. Honouring them within the required timeframes is an operational and architectural challenge as much as a legal one. The organisations that handle rights requests smoothly are those that designed for them from the start, treating the data model itself as a compliance asset.

Data protection is our specialty

Innopulse doesn't just explain terms — we put them into practice for DACH companies.