UnixTime

Research Note

GDPR Transparency and Data Subject Rights

An operational guide to privacy notices, identity verification, access, correction, deletion, restriction, portability, and objections.

On this page

A notice is an interface

A privacy notice must describe the actual processing at the collection point. Legal completeness does not excuse vague purposes, hidden recipients, or unreadable presentation.

Article 13 collection notice

When collecting personal data directly, provide the controller identity and contact, DPO contact where applicable, purposes, legal bases, legitimate interests where used, recipients, transfer safeguards, retention period or criteria, applicable rights, withdrawal and complaint routes, whether provision is required, and meaningful automated-decision information where applicable.

Rights workflow

Right Operational response
Access Locate the person’s data, purposes, categories, recipients, transfers, retention, source, and automated-decision information
Rectification Correct inaccurate data and complete incomplete data where appropriate
Erasure Evaluate Article 17 grounds and exceptions, delete across active systems, and control backup reappearance
Restriction Mark data so ordinary processing stops while permitted storage or exceptions remain
Portability Export eligible consent- or contract-based automated data in a structured, commonly used, machine-readable format
Objection Stop direct marketing immediately; assess compelling grounds for other legitimate-interest or public-task processing
Automated decisions Provide safeguards where Article 22 applies, including human intervention and challenge routes

Request handling design

  1. Accept requests through a visible electronic channel.
  2. Record receipt, scope, systems, owner, due date, decisions, and communications.
  3. Verify identity proportionately; do not collect excessive new identity data by default.
  4. Search primary stores, support systems, exports, archives, and relevant processors.
  5. Apply exemptions narrowly and record the legal reasoning.
  6. Respond without undue delay and normally within one month; document any permitted extension and notify the requester within the initial period.
  7. Preserve evidence of completion without retaining the full response indefinitely.

Primary references

  • Gdpr
  • Privacy notice
  • Data subject rights
  • Dsar
  • Transparency

Note Metadata

Aliases: GDPR Rights, Data Subject Access Requests, GDPR Article 13

Source: https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng