Individual (Data Subject) Rights
Privacy laws give individuals control over their personal data. You must be able to fulfill these rights within required timeframes.
For Data Subjects
If you are an individual looking to exercise your privacy rights, see the Data Subject Guide for step-by-step instructions on submitting requests and managing your preferences.
GDPR Rights
Right of Access
Individuals can request:
- Confirmation that you process their data
- A copy of their personal data
- Information about why and how you process it
- Who you share it with
Response deadline: One month from receiving the request
Right to Rectification
Individuals can request correction of inaccurate or incomplete personal data.
Response deadline: One month
Right to Erasure (Right to be Forgotten)
Individuals can request deletion when:
- Data is no longer needed for its original purpose
- They withdraw consent (and there is no other legal basis)
- They object to processing and there are no overriding grounds
- Data was processed unlawfully
When you can refuse: Legal obligations, legal claims, or public health purposes may require you to retain data.
Response deadline: One month
Right to Restrict Processing
Individuals can request that you stop processing (but not delete) their data while:
- Accuracy is being verified
- You are determining whether to comply with an erasure request
- You are assessing an objection
Response deadline: One month
Right to Data Portability
Individuals can request their data in a machine-readable format to transfer to another service.
Applies when:
- Processing is based on consent or contract
- Processing is carried out by automated means
Format: Common formats include JSON and CSV
Response deadline: One month
Right to Object
Individuals can object to processing based on:
- Legitimate interests (you must stop unless you have compelling grounds)
- Direct marketing (you must always stop)
Response deadline: One month
Rights Related to Automated Decision-Making
Individuals can:
- Request human review of automated decisions that significantly affect them
- Express their point of view and contest the decision
CCPA/CPRA Rights (California)
| Right | Description |
|---|---|
| Right to Know | Categories and specific pieces of personal information collected |
| Right to Delete | Request deletion of personal information |
| Right to Correct | Request correction of inaccurate information |
| Right to Opt-Out | Stop sale or sharing of personal information |
| Right to Limit | Limit use of sensitive personal information |
| Non-Discrimination | Cannot penalize consumers for exercising rights |
Response deadline: 45 days (can extend by 45 more days with notice)
Handling Rights Requests
Identity Verification
Before fulfilling a request, verify the requester's identity. Methods include:
- Account login verification
- Matching request information with records on file
- Additional verification for sensitive requests
Do not require excessive verification that discourages legitimate requests.
Response Requirements
- Acknowledge receipt of the request
- Provide a substantive response within the deadline
- Explain any extensions or refusals
- Inform the requester of their right to complain to a supervisory authority
When You Can Refuse
You may refuse requests that are:
- Manifestly unfounded or excessive
- Repetitive (same request, no new data)
- Against legal requirements
You must still respond and explain your refusal.
Handling Rights Requests in Dxtra
Dxtra automates rights request processing:
- Requests submitted through a self-service portal or intake forms
- Identity verification workflow
- Automated data gathering across connected systems
- Response generation and delivery
- Audit trail for compliance documentation