
GDPR data subject rights — Articles 12-22 operational implementation

Primary statement

GDPR data subject rights operate per Articles 12-22: (1) transparent information modalities (Art. 12); (2) information at direct collection (Art. 13); (3) information at indirect collection (Art. 14); (4) right of access — copy of personal data + processing information (Art. 15); (5) right to rectification (Art. 16); (6) right to erasure (Art. 17 — six grounds); plus Articles 18-22 (restriction, portability, objection, automated decision-making). Response within ONE MONTH (Art. 12(3)) extendable by two months for complex requests.

Audit-fatigue payoff

A unified GDPR rights programme — request portal + identity verification + Articles 13-14 notice generator + Articles 15-22 fulfilment workflow + response SLA tracking — satisfies GDPR rights requirements end-to-end. The one-month response SLA (Art. 12(3)) is the operational anchor.

Strictness matrix

Scope: all data subjects (EU residents within material scope of Art. 3) with rights under Articles 15-22. Transparency obligation per Article 12 covers information provision AND request handling (both directions).
Ceiling source: gdpr:Art.12
Rationale: GDPR Article 12 specifies the broadest scope: both information provision and request handling.

Threshold: response WITHOUT UNDUE DELAY and in any event within ONE MONTH from receipt of request. Extendable by two further months for complex requests, with notice to the data subject within the first month. Response in writing (or by other means, including electronic).
Ceiling source: gdpr:Art.12
Rationale: GDPR Article 12(3) one-month response SLA is the binary operational threshold.

Method:
(1) transparent information modalities (Art. 12): concise, transparent, intelligible, easily accessible, plain language;
(2) information at direct collection (Art. 13);
(3) information at indirect collection within one month (Art. 14);
(4) confirmation + copy + processing information for access (Art. 15);
(5) rectification without undue delay (Art. 16);
(6) erasure on one of six grounds (Art. 17(1));
(7) restriction (Art. 18);
(8) portability (Art. 20);
(9) objection (Art. 21);
(10) automated decision-making safeguards (Art. 22).
Ceiling source: gdpr:Art.12
Rationale: GDPR Articles 12-22 form the comprehensive method. Article 12 anchors the procedural specification.

Frequency: per-request response within one month (extendable by two months for complex requests). Article 13/14 notice refresh: on processing change (without undue delay) + annual review. Privacy notice annual minimum review.
Ceiling source: gdpr:Art.12
Rationale: Article 12(3) one-month per-request SLA is the operational cadence.

Evidence (required):
(1) data subject rights procedure;
(2) request register with classification, identity verification, response, SLA tracking;
(3) Article 13/14 privacy notices for each processing activity;
(4) sample fulfilled requests per right type;
(5) Article 17 erasure ground analysis for sample erasure;
(6) Article 22 ADM controls evidence for material automated systems;
(7) extension notices where one month was exceeded.
Ceiling source: gdpr:Art.12
Rationale: GDPR Article 12 evidence list is the audit-defensible specification.

Auditor test pattern

Step 1: Inspect the data subject rights procedure.
Step 2: Inspect Article 13/14 privacy notices for sample processing activities.
Step 3: Sample one request per right type (access, rectification, erasure, portability); verify the one-month SLA was met.
Step 4: For Article 17 erasure, verify the six-ground analysis.
Step 5: For Article 22 ADM, verify safeguards.
Step 6: Inspect extension notices where one month was exceeded.

Common findings

Common 2024–26 findings:
(1) One-month SLA exceeded without an extension notice;
(2) Article 14 indirect-collection notice not provided;
(3) Erasure limited to controller systems, not propagated to processors and backups;
(4) Article 22 ADM safeguards absent;
(5) Privacy notices not in plain language as required by Article 12;
(6) Identity verification too heavy (chills exercise of rights) or too light (enables impersonation).
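Added example, not part of this synthesis or any particular rights programme: a minimal SLA check for the request register that applies the Article 12(3) one-month deadline, honours the two-month extension only when the extension notice was sent within the first month, and flags common finding (1). It assumes calendar-month arithmetic clamped to month end; request ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import calendar

def add_months(d: date, months: int) -> date:
    """Calendar-month step clamped to month end (assumption: 31 Jan + 1 month = 29 Feb 2024)."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class RightsRequest:
    request_id: str                        # hypothetical register key
    right: str                             # access, rectification, erasure, portability, ...
    received: date
    extension_notice_sent: Optional[date] = None
    responded: Optional[date] = None

def has_valid_extension(req: RightsRequest) -> bool:
    # Two further months count only if the notice went out within the first month.
    return (req.extension_notice_sent is not None
            and req.extension_notice_sent <= add_months(req.received, 1))

def deadline(req: RightsRequest) -> date:
    # Art. 12(3): one month from receipt, or three months with a timely extension notice.
    return add_months(req.received, 3 if has_valid_extension(req) else 1)

def assess(req: RightsRequest, today: date) -> str:
    # Open requests are judged as of `today`; answered ones by their response date.
    effective = req.responded if req.responded is not None else today
    if effective <= deadline(req):
        return "within_sla"
    return "breached_extended" if has_valid_extension(req) else "breached_no_extension_notice"

# Constructed sample register, not real requests.
SAMPLE_REGISTER = [
    RightsRequest("R-001", "access", date(2024, 1, 31), responded=date(2024, 2, 20)),
    RightsRequest("R-002", "erasure", date(2024, 1, 31), responded=date(2024, 3, 5)),
    RightsRequest("R-003", "portability", date(2024, 1, 31), extension_notice_sent=date(2024, 2, 15)),
    RightsRequest("R-004", "rectification", date(2024, 1, 31),
                  extension_notice_sent=date(2024, 3, 2), responded=date(2024, 3, 10)),
]
TODAY = date(2024, 3, 15)

def audit_register(register=SAMPLE_REGISTER, today=TODAY) -> dict:
    # request_id -> status; "breached_no_extension_notice" is common finding (1) above.
    return {req.request_id: assess(req, today) for req in register}
```

R-004 shows the case auditors look for in Step 6: the extension notice was sent after the first month, so it does not extend the deadline and the request is reported as breached without a valid notice.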