Data Subject Rights – DSR

This post is part of the long journey started with the descriptions of the tasks usually assigned to a Certified Information Privacy Manager. So, now it is time to talk about the Data Subject Rights (for short: DSR).


Data Subject Rights: What are they?

First, in the GDPR, there is not a specific definition of what they are, but they are clearly enumerated starting from article 12 (see the full official text here).

Broadly speaking, DSRs consist in the rights granted to individuals by the GDPR allowing them to have the strictest control possible on their own personal data.

Consequently, an individual, under the scope of the privacy European legislation, can:

  • receive the information mentioned in art. 13;
  • access his/her personal data;
  • rectify or erase them (the so-called right to be forgotten);
  • restrict the scope of the processing;
  • transfer the data to a different controller;
  • object to the processing (under specific conditions).

So, the data subjects have all these rights; now it is time to see how to enforce them.


Ensuring the effectiveness of DSR

DSR: Who is obliged

According to the art. 12 GDPR, it is up to the controller to answer in a timely manner to the requests presented by the data subject in a “… concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child.”

Although, a Processor can help in dealing with this task, the accountability will always be on the Controller’s side.

How to deal with DSR

Specifically, the information shall be provided in writing, including by electronic means. If the request comes from an unambiguously identified data subject, the information could even be provided orally.

DSR and the concept of timely manner

Primarily, a controller must provide the information “without undue delay and in any event within one month of receipt of the request. Where necessary, the controller can extend that period by two further months, taking into account the complexity and number of the requests. Therefore, the controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.”

DSR: what if…

What if the controller doesn’t attend a DSR properly. You better avoid this situation…

Foundationally, infringements of the DSR shall be subject to administrative fines up to 20 Millions € or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.



To sum up, the controller must ensure the Data Subject Rights. The tasks associated to the legal requirements could be tricky. Drop us a line. We are your Privacy Manager in Spain, Europe and we’re to help you!



Privacy Guys help you with the DSR