Data Subject Rights – DSR

This post is part of the long journey started with the descriptions of the tasks usually assigned to a Certified Information Privacy Manager. So, now it is time to talk about the Data Subject Rights (for short: DSR).


Data Subject Rights: What are they?

First, in the GDPR, there is not a specific definition of what they are, but they are clearly enumerated starting from article 12 (see the full official text here).

Broadly speaking, DSR consist in the rights granted to individuals by the GDPR allowing them to have the strictest control possible on their own personal data.

Consequently, an individual, under the scope of the privacy European legislation, is allowed to:

  • receive the information mentioned in art. 13;
  • access his/her personal data;
  • rectificate or erase them (the so-called right to be forgotten);
  • restrict the scope of the processing;
  • transfer the data to a different controller;
  • object to the processing (under specific conditions).

So, the data subjects have all these rights; now it is time to see how to enforce them.


Ensuring the effectiveness of DSR

DSR: Who is obliged

According to the art. 12 GDPR, it is up to the controller to answer in a timely manner to the requests presented by the data subject in a «… concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child

A Processor can help in dealing with this task but the accountability will always be on the Controller’s side.

How to deal with DSR

The information shall be provided in writing, including by electronic means. If the request comes from an unambiguously identified data subject, the information could even be provided orally.

DSR and the concept of timely manner

A controller must provide the information «without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay

DSR: what if…

What if a DSR is not attended properly. You better avoid this situation…

Infringements of the DSR shall be subject to administrative fines up to 20 Millions € or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.



Data Subject Rights must be ensured. The tasks associated to the legal requirements could be tricky. Drop us a line: we’re to help you!


Privacy Guy

Privacy Guys help you with the DSR