Data Subject Rights Response Template
Procedures and response templates for handling all eight GDPR data subject rights — from access requests to the right to object — within mandatory timelines.
Quick Answer
GDPR grants eight data subject rights, including access, erasure, portability, and objection. All must be fulfilled within 30 calendar days, with identity verification and a documented request register.
Compliance Checklist (8 items)
Penalty if not compliant
Up to €20 million or 4% of global annual turnover; the ICO can also issue enforcement notices requiring compliance.
Frequently Asked Questions
What are the eight GDPR data subject rights?
Right to be informed (Articles 13-14), right of access (15), right to rectification (16), right to erasure (17), right to restrict processing (18), right to data portability (20), right to object (21), and rights related to automated decision-making (22).
Can I charge a fee for handling data subject access requests?
Generally no — responses must be free of charge. A reasonable fee can be charged for manifestly unfounded or excessive requests, or for additional copies. You must be able to justify the fee if challenged.
Can I extend the 30-day response deadline?
Yes, by up to 2 further months for complex or numerous requests. You must inform the data subject within the initial 30 days, explaining why the extension is needed.