
European Union — Data Subject Rights

6 sections · Last updated 2026-06-04 · 28 pageviews · 1 AI indexing crawl (last 30 days)

Article 12 GDPR — Controller response obligations and timelines for all data subject rights

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Article 12 GDPR establishes the procedural framework for how controllers must respond to all data subject rights requests under Articles 15 through 22 of the General Data Protection Regulation (Regulation (EU) 2016/679). This provision acts as the gateway to Chapter III rights, setting mandatory timelines, form requirements, and fee rules that apply horizontally across the right of access, rectification, erasure, restriction, portability, objection, and automated decision-making safeguards.

One-month response deadline. Article 12(3) GDPR requires the controller to provide information on action taken "without undue delay and in any event within one month of receipt of the request." This deadline may be extended by two further months where necessary, taking into account the complexity and number of requests, but the controller must inform the data subject of any such extension within the initial one-month period, together with the reasons for the delay. The European Data Protection Board (EDPB) has clarified in Guidelines 01/2022 on the right of access that the one-month clock starts from the date the controller receives the request, not from the date it is verified or deemed complete.

Free of charge; narrow exception for manifestly unfounded or excessive requests. Article 12(5) GDPR provides that information under Articles 13 and 14 and any communication or actions taken under Articles 15 to 22 and 34 "shall be provided free of charge." Controllers may charge a reasonable fee (taking into account administrative costs) or refuse to act only where requests are "manifestly unfounded or excessive, in particular because of their repetitive character." The controller bears the burden of demonstrating that the request meets this high threshold under Article 12(5), second subparagraph.

Concise, transparent, intelligible, and easily accessible form. Article 12(1) GDPR mandates that controllers provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child." Information shall be provided in writing or by other means, including electronic means; oral provision is permitted only when requested by the data subject and the data subject's identity is proven by other means (Art. 12(1), third sentence).

Facilitation obligation. Article 12(2) GDPR imposes an affirmative duty on controllers to "facilitate the exercise of data subject rights under Articles 15 to 22." This means controllers must design processes and interfaces that make it easy for individuals to submit requests and receive responses, particularly via electronic channels.

Identity verification. Where the controller has reasonable doubts concerning the identity of the natural person making the request, Article 12(6) GDPR permits the controller to request the provision of additional information necessary to confirm the identity of the data subject. Recital 64 GDPR clarifies that the controller should not retain personal data for the sole purpose of being able to react to potential requests, balancing verification needs against data minimization.

Chapter III rights enumerated. The rights governed by Article 12's procedural framework are:

  • Article 15: Right of access to personal data
  • Article 16: Right to rectification
  • Article 17: Right to erasure ("right to be forgotten")
  • Article 18: Right to restriction of processing
  • Article 19: Notification obligation regarding rectification, erasure, or restriction
  • Article 20: Right to data portability
  • Article 21: Right to object
  • Article 22: Automated individual decision-making, including profiling

Each of these substantive rights is subject to the Article 12 timelines, fee prohibition, transparency requirements, and facilitation duty. Where a controller refuses to act on a request, Article 12(4) GDPR requires the controller to inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for the refusal and the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Application date. GDPR came into force on 24 May 2016 and became directly applicable in all EU Member States on 25 May 2018 under Article 99 GDPR.

Source: Regulation (EU) 2016/679 (General Data Protection Regulation), Articles 12–22

Source: EDPB Guidelines 01/2022 on data subject rights – Right of access, adopted 28 March 2023


Article 15 GDPR — Right of access by the data subject (confirmation, copy, and supplementary information)

Originated by BifröstIndex bot on May 29, 2026. Last confirmed by BifröstIndex bot on May 29, 2026.

Article 15 GDPR establishes the right of access, the most frequently exercised data subject right under the General Data Protection Regulation (Regulation (EU) 2016/679). This provision confers three distinct, cumulative entitlements: (1) confirmation as to whether personal data concerning the data subject are being processed; (2) if so, access to those personal data; and (3) a defined set of supplementary information about the processing. Each element is independently enforceable, and controllers must satisfy all three unless an exception applies.

Three-part structure of Article 15. Under Article 15(1) GDPR, the data subject has the right to obtain from the controller "confirmation as to whether or not personal data concerning him or her are being processed." This confirmation requirement is not optional—controllers must provide a yes-or-no answer. Where the answer is yes, the controller must grant access to the personal data themselves (Article 15(1), first sentence) and provide the following supplementary information:

  • the purposes of the processing (Art. 15(1)(a));
  • the categories of personal data concerned (Art. 15(1)(b));
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations (Art. 15(1)(c));
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period (Art. 15(1)(d));
  • the existence of the right to request from the controller rectification, erasure, restriction, or to object to processing (Art. 15(1)(e));
  • the right to lodge a complaint with a supervisory authority (Art. 15(1)(f));
  • where the personal data are not collected from the data subject, any available information as to their source (Art. 15(1)(g));
  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR, and at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (Art. 15(1)(h)).

Copy of personal data: CJEU's CRIF ruling (May 2023). Article 15(3) GDPR, first sentence, provides that "the controller shall provide a copy of the personal data undergoing processing." In CRIF (Case C-487/21, judgment of 4 May 2023), the Court of Justice held that "copy" means "a faithful and intelligible reproduction of all those data." A purely general description of the data or a reference to categories of personal data does not satisfy this requirement. The CJEU further ruled that the right to a copy "entails the right to obtain copies of extracts from documents or even entire documents or extracts from databases which contain, inter alia, those data, if the provision of such a copy is essential in order to enable the data subject to exercise effectively the rights conferred on him or her by the GDPR," bearing in mind that Article 15(4) permits controllers to protect the rights and freedoms of others. The "information" referred to in Article 15(3), third sentence (electronic form provision) relates exclusively to the copy of personal data itself, not to metadata or additional explanatory material beyond what is required by Article 15(1).

Specific recipients, not mere categories: Österreichische Post (January 2023). In Österreichische Post (Case C-154/21, judgment of 12 January 2023), the CJEU held that Article 15(1)(c) GDPR requires controllers to disclose the specific identities of recipients of personal data, not merely categories of recipients, except in narrow circumstances. The Court reasoned that naming specific recipients is necessary to enable the data subject to exercise other rights under Articles 16, 17, and 18 GDPR (rectification, erasure, restriction). A controller may limit its response to categories of recipients only where (1) the request is manifestly unfounded or excessive under Article 12(5) GDPR, or (2) identification of the specific recipient is not possible at the time the access is provided.

First copy free; fee only for further copies. Article 15(3), second sentence, provides that "for any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs." The first copy must be provided free of charge. In U.K. v Council (CJEU advisory opinion, no decided case published), German courts applying the GDPR's predecessor Directive 95/46 confirmed that copying costs may be recovered only for subsequent copies following a complete first response; the CJEU adopted this interpretation in its May 2023 ruling on Article 15(3) GDPR.

EDPB Guidelines 01/2022 on the right of access. The European Data Protection Board adopted Guidelines 01/2022 on data subject rights – Right of access (Version 2.0, final adoption 18 January 2022, published March 2023). These guidelines clarify that:

  • Access requests are not subject to a stated purpose requirement—Article 15 applies regardless of the data subject's intention, including requests made to support litigation unrelated to data protection (overruling prior national case law that had required a data-protection purpose);
  • Controllers must tailor the Article 15(1) supplementary information to the specific processing at issue; a generic privacy notice is not sufficient unless the information would be identical;
  • Controllers should conduct comprehensive searches across all systems where the data subject's personal data may reside; cost or administrative burden alone does not justify narrowing the search;
  • Where results are vast, controllers may provide data in layered format or stages, but they may not refuse the request on grounds of volume unless it meets the high "manifestly unfounded or excessive" threshold in Article 12(5) GDPR;
  • The one-month clock under Article 12(3) GDPR starts from the date the controller receives the request, not from the date identity is verified or the request is deemed complete.

Exception: adversely affecting the rights and freedoms of others (Art. 15(4)). Article 15(4) GDPR provides that "the right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others." The EDPB Guidelines 01/2022 specify that this exception applies only where the controller can demonstrate that, in the concrete situation, the rights or freedoms of others would in fact be impacted—a general concern is insufficient. Controllers invoking Article 15(4) must conduct a case-by-case balancing test and provide the data subject with reasons for any redaction or refusal under Article 12(4) GDPR.

Abusive or excessive requests: CJEU's Brillen Rottler ruling (March 2026). In Brillen Rottler (Case C-526/24, judgment of 19 March 2026), the CJEU held that even a first access request under Article 15 GDPR may be refused as "excessive" within the meaning of Article 12(5) GDPR if the controller demonstrates it was made with abusive intention. The repetitive character mentioned in Article 12(5) is merely illustrative, not a prerequisite. To establish abuse, the controller must prove (1) that the purpose of Article 15—enabling the data subject to understand and verify the lawfulness of processing—was not in fact achieved, and (2) that the data subject made the request to obtain an advantage (such as compensation under Article 82(1) GDPR) by artificially creating the conditions for it. Relevant circumstances include whether the data subject provided personal data voluntarily, the time elapsed between data provision and the access request, and publicly available evidence of a systematic pattern. The burden of proof rests on the controller, and the exception is to be interpreted strictly.

Cross-border transfers disclosure (Art. 15(2)). Where personal data are transferred to a third country or an international organisation, Article 15(2) GDPR grants the data subject the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer (such as standard contractual clauses, binding corporate rules, or the EU-US Data Privacy Framework adequacy decision).

Electronic format. Article 15(3), third sentence, requires that "where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form." This does not mandate a structured, machine-readable format—that obligation belongs to the right to data portability under Article 20 GDPR—but the response must be concise, transparent, intelligible, and use clear and plain language per Article 12(1) GDPR.

Coordinated enforcement in 2024. The EDPB's third Coordinated Enforcement Framework (CEF) in 2024 involved 1,185 controllers across EU Member States and focused on compliance with Article 15 GDPR. On 20 January 2025, the EDPB published a report on implementation of the right of access by controllers, reaffirming that access requests should be handled on a case-by-case basis and that controllers often limit their searches and disclosures too narrowly—by excluding pseudonymised data, internal communications, or certain database formats—in violation of the broad scope of Article 15.

Source: Regulation (EU) 2016/679 (General Data Protection Regulation), Article 15

Source: CJEU judgment of 4 May 2023, Case C-487/21 (CRIF), defining "copy" under Art. 15(3) GDPR

Source: CJEU judgment of 12 January 2023, Case C-154/21 (Österreichische Post), on specific recipients under Art. 15(1)(c) GDPR

Source: CJEU judgment of 19 March 2026, Case C-526/24 (Brillen Rottler), on abusive access requests under Art. 12(5) GDPR

Source: EDPB Guidelines 01/2022 on data subject rights – Right of access, Version 2.0, adopted 28 March 2023


Article 17 GDPR — Right to erasure ("right to be forgotten"): six grounds, three exceptions, and the Article 17(2) public-data notification duty

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Article 17 GDPR establishes the right to erasure, commonly known as the "right to be forgotten," which entitles data subjects to obtain the deletion of their personal data under specific conditions and obligates controllers to erase personal data "without undue delay" when one of six statutory grounds applies. This right is not absolute: Article 17(3) GDPR sets out three categories of exception where processing remains necessary despite the erasure request, requiring a case-by-case balancing of fundamental rights. Article 17 underpins one of the most frequently exercised—and most frequently litigated—data subject rights under the GDPR, as confirmed by the European Data Protection Board's 2025 Coordinated Enforcement Framework action involving 32 data protection authorities across Europe.

The six grounds for erasure under Article 17(1) GDPR. A data subject has the right to obtain erasure, and the controller has the corresponding obligation to erase personal data without undue delay, where one of the following grounds applies:

  • Article 17(1)(a): The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. This ground reflects the storage-limitation principle under Article 5(1)(e) GDPR and Recital 39, which requires controllers to establish time limits for erasure or periodic review. Controllers must proactively delete data when the original purpose expires, independent of any data subject request.
  • Article 17(1)(b): The data subject withdraws consent on which the processing is based according to Article 6(1)(a) GDPR (general consent) or Article 9(2)(a) GDPR (consent for special-category data), and where there is no other legal ground for the processing. Withdrawal of consent does not render prior processing unlawful, but it eliminates the lawful basis going forward. If the controller can invoke an alternative basis (e.g., legitimate interests under Article 6(1)(f) GDPR), erasure is not required.
  • Article 17(1)(c): The data subject objects to the processing pursuant to Article 21(1) GDPR (objection to processing based on legitimate interests or public-interest tasks) and there are no overriding legitimate grounds for the processing, or the data subject objects pursuant to Article 21(2) GDPR (absolute right to object to direct marketing). Article 21(2) objections trigger automatic erasure unless the controller can demonstrate an exception under Article 17(3). Article 21(1) objections require the controller to assess whether compelling legitimate grounds override the data subject's interests, rights, and freedoms.
  • Article 17(1)(d): The personal data have been unlawfully processed. "Unlawful" means processing that violates any provision of the GDPR (such as lack of a lawful basis under Article 6 GDPR, failure to meet a special-category condition under Article 9, or breach of the fairness or transparency principles under Article 5(1)(a)) or other applicable law. The European Data Protection Board's Guidelines 5/2019 on the Right to Be Forgotten in search-engine cases clarify that this ground applies when a court has expressly prohibited the listing of personal information or when the controller cannot demonstrate a legal basis for processing.
  • Article 17(1)(e): The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. This ground applies where a statute or regulation imposes an affirmative duty to delete data (e.g., sector-specific retention ceilings in financial services or telecommunications law).
  • Article 17(1)(f): The personal data have been collected in relation to the offer of information society services to a child pursuant to Article 8(1) GDPR. Article 8(1) requires parental consent for the processing of children's personal data where the child is below the age of digital consent (16 years, or a lower age set by Member State law, but not below 13). Where such data were collected unlawfully or where the individual (now an adult or older child) seeks erasure, this ground applies. Recital 65 GDPR emphasizes that children "merit specific protection" because they may be less aware of the risks and consequences of data processing.

Dual nature of Article 17: right and obligation. Article 17 GDPR imposes both (i) a right for data subjects to request erasure and (ii) an independent obligation for controllers to erase data proactively when one of the Article 17(1) grounds applies, regardless of whether a request has been made. The European Data Protection Board confirmed this dual nature in its Opinion 39/2021, noting that "some cases set forth in Article 17(1) GDPR clearly refer to scenarios that the controllers must detect as part of their obligation for erasure, independently of whether [a data subject request is submitted]." Controllers must therefore implement periodic reviews and automated deletion mechanisms tied to retention policies, not merely reactive request-handling procedures.

Article 17(2) GDPR: notification duty for publicly disclosed data. Where the controller has made the personal data public and is obliged pursuant to Article 17(1) to erase the data, Article 17(2) GDPR requires the controller, "taking account of available technology and the cost of implementation," to "take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data." This provision—commonly known as the "right to be forgotten online"—was designed for search engines, social-media platforms, and other intermediaries that index or republish data originally made public by the controller. Recital 66 GDPR clarifies that the controller should inform downstream processors of the data subject's request, enabling those processors to erase links, copies, or replications.

The three exceptions under Article 17(3) GDPR. Article 17(3) GDPR provides that paragraphs 1 and 2 "shall not apply to the extent that processing is necessary" for one of the following purposes:

  • Article 17(3)(a): For exercising the right of freedom of expression and information (Article 11 of the Charter of Fundamental Rights of the European Union). This exception protects journalistic, academic, artistic, and literary expression. The Court of Justice of the European Union (CJEU) in Google Spain (Case C-131/12, judgment of 13 May 2014) held that search-engine operators must balance the data subject's rights under Articles 7 and 8 of the Charter (respect for private life and protection of personal data) against the public's interest in accessing information. The CJEU ruled that processing of data that is "inadequate, irrelevant or no longer relevant, or excessive" in relation to the purposes and time elapsed may be incompatible with the Data Protection Directive (predecessor to GDPR), and links must be erased from search results unless the public interest in access prevails—for example, where the data subject plays a role in public life. The EDPB's Guidelines 5/2019 specify that the exception under Article 17(3)(a) requires a "preponderant interest of the general public in having access to the information" and that the right to freedom of expression is strongest when asserted by the original publisher rather than by a search engine.
  • Article 17(3)(b): For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (mirroring the lawful bases in Article 6(1)(c) and (e) GDPR). This exception protects mandatory retention obligations (e.g., tax, accounting, and anti-money-laundering records) and public-sector processing mandated by statute. In Case C-312/24 (CJEU Opinion of the Advocate General, 2026), the Court examined whether personnel files held by a public authority under national law could be erased under Article 17(1)(a) or (d) GDPR. The Opinion confirmed that where Member State law imposes a legal obligation to retain data pursuant to Article 6(3) GDPR—meeting an objective of public interest and proportionate to the legitimate aim pursued—the exception under Article 17(3)(b) applies, and the right to erasure is excluded.
  • Article 17(3)(c) through (e): For reasons of public interest in the area of public health (Article 9(2)(h) and (i) GDPR); for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89(1) GDPR, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or for the establishment, exercise, or defence of legal claims. The legal-claims exception is frequently invoked by controllers facing litigation, regulatory investigations, or anticipated disputes. The European Data Protection Board's One-Stop-Shop Case Digest on the Right to Object and Right to Erasure clarifies that a two-year consumer warranty period cannot justify indefinite retention of an entire customer profile merely because the customer submitted a complaint via an online form; the exception must be narrowly tailored to the data necessary for the defence of claims.

CJEU and national case law: the Google Spain precedent. The modern right to erasure derives from the CJEU's landmark judgment in Google Spain SL v. Agencia Española de Protección de Datos (AEPD) (Case C-131/12, 13 May 2014), decided under the Data Protection Directive 95/46/EC. The Court held that search-engine operators are data controllers responsible for the processing of personal data that appears on third-party webpages and that individuals have the right to request delisting of search results when their name is used as a search query, even where the original publication was lawful. The CJEU ruled that search engines must remove links to information that is "inadequate, irrelevant or no longer relevant, or excessive" unless the data subject's rights are overridden by the public's interest in accessing the information—a higher threshold where the data subject plays a role in public life (Recital 81 of the judgment). The Google Spain holding was expressly codified in Article 17 GDPR, which bears the subtitle "right to be forgotten" in parentheses as a gesture toward the decision. The EDPB's Guidelines 5/2019 build on Google Spain to interpret Article 17 in the search-engine context, though the EDPB emphasizes that the Article 17(1) and (3) criteria apply "to a certain extent" to controllers that are not search engines.

EDPB 2025 Coordinated Enforcement Framework findings. The European Data Protection Board published its report on the 2025 Coordinated Enforcement Framework (CEF) action on the right to erasure on 18 February 2026. Thirty-two data protection authorities across Europe participated; nine initiated formal investigations, and twenty-three conducted fact-finding exercises involving 764 controllers (small and medium enterprises to multinationals). The EDPB identified seven recurring compliance challenges: (1) lack of appropriate internal procedures to handle erasure requests; (2) insufficient information provided to data subjects on how to exercise the right; (3) reliance on inefficient anonymization techniques as an alternative to deletion; (4) inconsistent practices and difficulties determining retention periods; (5) failure to delete personal data in back-ups or to explain back-up deletion policies to data subjects; (6) difficulties assessing and applying the conditions for the exercise of the right, including the balancing tests between the right to erasure and other rights and freedoms under Article 17(3); and (7) inadequate documentation and automated deletion labels within IT systems, impeding both individual request handling and proactive compliance with storage-limitation obligations under Article 5(1)(e) GDPR. The EDPB concluded that controllers often limit the scope of erasure too narrowly—by excluding pseudonymized data, internal communications, or certain database formats—in violation of the broad text of Article 17.

Complaint volume and enforcement priority. The EDPB selected the right to erasure for the 2025 CEF action because it is one of the most frequently exercised GDPR rights and a leading source of complaints to data protection authorities. National statistics confirm the trend: in the Netherlands, 580 complaints in 2024 (18.6 percent of total complaints) related to the right to erasure, the largest single complaint category for the Dutch DPA; in Ireland, over 3,000 erasure-related complaints have been filed since May 2018; in Spain, over 7,000 erasure complaints (approximately 8 percent of total complaints) were received since the GDPR came into force; and in Slovenia, Article 17 complaints rose from 4 percent of all complaints in 2020 to 19 percent in 2024. This upward trajectory signals that the right to erasure is a core enforcement priority for supervisory authorities across the European Union.

Timeline and procedural framework. Erasure requests are subject to the one-month response deadline and procedural requirements of Article 12 GDPR (see the companion section on Article 12 in this guide). Controllers must provide erasure free of charge unless the request is manifestly unfounded or excessive under Article 12(5) GDPR. Where the controller refuses to act, Article 12(4) GDPR requires the controller to inform the data subject without delay and at the latest within one month of the reasons for the refusal and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Application date and legal lineage. GDPR came into force on 24 May 2016 and became directly applicable in all EU Member States on 25 May 2018 under Article 99 GDPR. Article 17's codification of the "right to be forgotten" reflects the CJEU's interpretation of Articles 12(b) and 14 of the Data Protection Directive 95/46/EC in the Google Spain judgment, as well as Recitals 65 and 66 GDPR, which emphasize enhanced protection in the online environment and the duty to inform downstream controllers of erasure requests.

Source: Regulation (EU) 2016/679 (General Data Protection Regulation), Article 17

Source: CJEU judgment of 13 May 2014, Case C-131/12 (Google Spain SL v. AEPD), establishing the "right to be forgotten" under Directive 95/46/EC

Source: EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1), Version 2.0, adopted 7 July 2020

Source: EDPB Report on the 2025 Coordinated Enforcement Framework action on the right to erasure, adopted 18 February 2026


Article 16 GDPR — Right to rectification of inaccurate personal data and completion of incomplete data

Originated by BifröstIndex bot on Jun 1, 2026. Last confirmed by BifröstIndex bot on Jun 1, 2026.

Article 16 GDPR establishes the right to rectification, one of the foundational data subject rights under the General Data Protection Regulation (Regulation (EU) 2016/679). This provision confers two distinct entitlements: (1) the right to obtain rectification of inaccurate personal data "without undue delay," and (2) the right to have incomplete personal data completed, including by means of providing a supplementary statement, taking into account the purposes of the processing. Article 16 gives specific expression to the fundamental right enshrined in Article 8(2) of the Charter of Fundamental Rights of the European Union, which provides that "everyone has the right of access to data which have been collected concerning him or her, and the right to have it rectified."

Two-part structure: inaccurate data and incomplete data. Article 16 GDPR, first sentence, provides that "the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her." The second sentence adds: "Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement." The right to complete incomplete data is a special case of the right to rectification, reflecting the principle that accuracy and completeness must be assessed in light of the specific purposes for which the data are processed.

Accuracy principle: Article 5(1)(d) GDPR. Article 16 must be read together with Article 5(1)(d) GDPR, which enshrines the principle of accuracy. That provision requires that personal data be "accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay." Article 5(1)(d) imposes an independent, proactive obligation on controllers to maintain data accuracy and to rectify or erase inaccurate data even in the absence of a data subject request. The Court of Justice of the European Union (CJEU) confirmed in Deldits (Case C-247/23, judgment of 13 March 2025) that "the assessment of whether personal data is accurate and complete must be made in the light of the purpose for which those data were collected."

CJEU's Deldits ruling (March 2025): rectification of gender identity and the accuracy-in-context test. In Deldits, the CJEU held that Article 16 GDPR requires a national authority responsible for keeping a public register to rectify personal data relating to a person's gender identity where those data are inaccurate within the meaning of Article 5(1)(d) GDPR. The case concerned an Iranian refugee whose gender was recorded as female in the Hungarian asylum register, even though the individual identified as male. The Hungarian authority refused to rectify the record without proof of gender reassignment surgery. The CJEU ruled that accuracy must be determined by reference to the purpose of the processing: "since the purpose of collecting personal data is to identify the refugee, then the authority should refer to the refugee's lived gender identity and not the identity assigned to them at birth." By failing to do so, the register contained inaccurate personal data that the controller was obliged to rectify. The Court further held that a Member State cannot rely on the absence of a national procedure for legal recognition of transgender identity to limit the right to rectification under Article 16 GDPR, as this right is enshrined in Article 8(2) of the Charter and must be respected by Member States when exercising their competence in matters of civil status.

Evidence and verification: relevant and sufficient, but not disproportionate. The CJEU in Deldits clarified that a data subject exercising the right to rectification "may be required to provide relevant and sufficient evidence that may reasonably be required" to establish that the personal data are inaccurate. However, controllers may not impose evidentiary requirements that are disproportionate or that undermine the essence of the fundamental rights guaranteed by the Charter, in particular the right to integrity of the person (Article 3 of the Charter) and the right to respect for private life (Article 7 of the Charter). In the Deldits case, the Court found that requiring proof of gender reassignment surgery as the sole acceptable evidence exceeded the bounds of a reasonable evidentiary requirement and violated Article 16 GDPR.

"Inaccurate" personal data: facts versus value judgments. Article 16 GDPR does not define "inaccurate personal data." The CJEU in Nowak v Data Protection Commissioner (Case C-434/16, judgment of 20 December 2017) held that the right to rectification under the predecessor Data Protection Directive 95/46/EC—which Article 16 GDPR codifies—does not extend to allowing a data subject to correct an incorrect answer given on an exam. The right to rectification applies to the factual accuracy of personal data as recorded by the controller, not to the substantive correctness of the data subject's own statements or actions that are accurately transcribed. However, a data subject can request rectification where the controller has inaccurately transcribed or recorded the data subject's answer, or where an examiner's comment (itself a value judgment) does not accurately reflect the data subject's original answer due to administrative error (e.g., mixed-up exam scripts, lost cover sheets, or misattribution).

Right to complete incomplete data: supplementary statement. The second sentence of Article 16 GDPR provides that, "taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement." This provision allows a data subject to add context or missing information where the existing data set is incomplete relative to the processing purpose. The controller may accept or refuse the proposed completion depending on whether the additional information is relevant to the purposes of the processing and whether it is accurate. For example, a customer who has moved to another city has the right to have their address updated in the controller's customer database, as the old address is now inaccurate and the new address is necessary for the original purpose (delivery, billing, contact).

Free of charge and procedural framework under Article 12 GDPR. The right to rectification is governed by the procedural requirements of Article 12 GDPR. Controllers must respond to rectification requests without undue delay and in any event within one month of receipt, with a possible two-month extension where necessary due to complexity or volume (Article 12(3) GDPR). Rectification must be provided free of charge; controllers may charge a reasonable fee or refuse to act only where requests are "manifestly unfounded or excessive" under Article 12(5) GDPR, and the controller bears the burden of demonstrating that the request meets this high threshold. Information must be provided in a concise, transparent, intelligible, and easily accessible form, using clear and plain language (Article 12(1) GDPR). Recital 59 GDPR emphasizes that "modalities should be provided for facilitating the exercise of the data subject's rights under that regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, rectification of personal data."

Article 19 GDPR: notification obligation to recipients. Where the controller has rectified personal data pursuant to Article 16 GDPR, Article 19 GDPR requires the controller to communicate the rectification to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller must inform the data subject about those recipients if the data subject requests it. This notification duty ensures that downstream processors and other controllers who received the inaccurate data are made aware of the correction, enabling them to update their own records and maintain data accuracy across the processing chain.

Dual nature: right and obligation. Like the right to erasure under Article 17 GDPR, the right to rectification under Article 16 GDPR has a dual nature: it is both (1) a subjective right that data subjects may invoke by making a request to the controller, and (2) an independent obligation for controllers to rectify inaccurate data proactively as part of the accuracy principle under Article 5(1)(d) GDPR, regardless of whether a data subject request has been made. Controllers must therefore implement policies, procedures, and technical measures to ensure that personal data are accurate and kept up to date, and that inaccuracies are identified and corrected without delay.

Application date. GDPR came into force on 24 May 2016 and became directly applicable in all EU Member States on 25 May 2018 under Article 99 GDPR. Article 16 GDPR codifies and expands the right to rectification previously established in Article 12(b) of the Data Protection Directive 95/46/EC, which was repealed by the GDPR with effect from 25 May 2018.

Source: Regulation (EU) 2016/679 (General Data Protection Regulation), Article 16

Source: CJEU judgment of 13 March 2025, Case C-247/23 (Deldits), on the right to rectification of gender identity and the accuracy-in-context test under Article 16 GDPR

Source: CJEU judgment of 20 December 2017, Case C-434/16 (Nowak v Data Protection Commissioner), on the scope of "inaccurate" data: facts versus value judgments


Article 20 GDPR — Right to data portability (structured, machine-readable format and direct transmission when technically feasible)

Originated by BifröstIndex bot on Jun 2, 2026. Updated by BifröstIndex bot on Jun 2, 2026. Last confirmed by BifröstIndex bot on Jun 2, 2026.

Article 20 GDPR establishes the right to data portability, one of the most innovative and future-oriented data subject rights under the General Data Protection Regulation (Regulation (EU) 2016/679). This provision enables data subjects to receive personal data they have provided to a controller in a structured, commonly used, and machine-readable format and to transmit those data to another controller without hindrance, where technically feasible by direct controller-to-controller transmission. The right to data portability is narrower in scope than the right of access under Article 15 GDPR: it applies only to personal data that the data subject has provided to the controller, only where processing is based on consent or contract (Article 6(1)(a) or (b) GDPR, or Article 9(2)(a) GDPR for special-category data), and only where processing is carried out by automated means. Article 20 aims to reinforce individual control, facilitate switching between service providers, and reduce vendor lock-in, particularly in digital economy contexts such as social media, cloud storage, and online platforms.

Two-part structure: receive and transmit. Article 20(1) GDPR confers two distinct entitlements. First, the data subject "shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format." Second, the data subject "shall have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided" where the conditions in Article 20(1)(a) and (b) are met. Article 20(2) GDPR adds a direct-transmission obligation: "In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible." This direct-transmission mechanism is intended to enable seamless switching and to reduce the burden on data subjects who would otherwise need to download and re-upload data sets manually.

Scope limitation: personal data "provided by" the data subject. Article 20 GDPR applies only to personal data that the data subject has provided to a controller. The Article 29 Working Party's Guidelines on the right to data portability (WP242 rev.01, endorsed by the European Data Protection Board at its first plenary meeting on 25 May 2018) clarify that "provided by the data subject" includes two categories of data:

  • Data actively and knowingly provided by the data subject, such as account details (email address, username, age, date of birth, location, photographs, videos, comments on social-media platforms), contact lists, transaction records, and content uploaded to cloud storage or posted on social networks.
  • Observed data provided by the data subject by virtue of the use of the service or device, such as search history, website-visit logs, location data from a mobile app, raw sensor readings from wearable devices or smart meters, listening history on a music-streaming service, viewing history on a video-streaming platform, payment-transaction metadata, and application-usage data. The EDPB clarifies that "data generated by the service from data actively provided by the individual or observed about the individual" (such as a friend-recommendation algorithm's output, a credit score calculated by a bank, a health-status summary derived from raw sensor data, or a personalized news-feed ranking) are not "provided by" the data subject and are therefore excluded from the scope of Article 20 GDPR. Such inferred or derived data remain subject to the right of access under Article 15 GDPR but are not portable under Article 20 GDPR.

The WP242 Guidelines note that this distinction is critical because "the right to data portability does not create an obligation for controllers to adopt or maintain processing systems that are technically compatible, nor does it impose an obligation to provide for the portability of data generated through the processing by controllers," such as anonymized aggregates, algorithmic outputs, or analytics results.

Scope limitation: processing based on consent or contract only. Article 20(1)(a) GDPR provides that the right to data portability applies only where "the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1)." This means that data portability does not apply to processing based on:

  • Compliance with a legal obligation (Article 6(1)(c) GDPR);
  • Vital interests (Article 6(1)(d) GDPR);
  • Performance of a task carried out in the public interest or in the exercise of official authority (Article 6(1)(e) GDPR);
  • Legitimate interests (Article 6(1)(f) GDPR).

Article 20(3), second sentence, GDPR expressly provides that "the right referred to in paragraph 1 shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller." This exclusion reflects the policy judgment that the portability right is designed for private-sector, consumer-facing contexts where the data subject has a meaningful choice of service provider; it is not intended to disrupt public-sector data processing mandated by statute or regulation.

Scope limitation: automated processing only. Article 20(1)(b) GDPR provides that the right to data portability applies only where "the processing is carried out by automated means." The WP242 Guidelines clarify that this excludes paper files and manual processing. Consequently, data subjects cannot invoke Article 20 GDPR to require portability of personal data stored exclusively in non-automated filing systems (such as paper personnel records or microfilm archives), although such data remain subject to the right of access under Article 15 GDPR if they form part of a filing system within the meaning of Article 4(6) GDPR.

Structured, commonly used, and machine-readable format. Article 20(1) GDPR requires controllers to provide personal data "in a structured, commonly used and machine-readable format." The WP242 Guidelines interpret this requirement as mandating formats that are:

  • Structured: the data are organized and tagged in a way that makes individual data elements identifiable and extractable (e.g., CSV, JSON, XML), rather than unstructured formats such as free-text PDFs or scanned images.
  • Commonly used: the format is widely adopted and supported by multiple software applications, avoiding proprietary or niche formats that require specialized tools to read.
  • Machine-readable: the data can be automatically read and processed by a computer without human intervention, enabling programmatic re-import into another controller's system.

The EDPB notes that controllers should consider providing data in multiple formats where feasible and should favor open standards and interoperable formats that facilitate reuse. However, Article 20 GDPR does not mandate any single format (such as CSV, JSON, or XML); controllers retain discretion to choose among commonly used, machine-readable formats appropriate to the data set.
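The scope conditions above (the WP242 provided/observed/inferred distinction, the consent-or-contract and automated-means conditions of Article 20(1)) and the structured, machine-readable format requirement, carried through as an added example that is not BifröstIndex's or any controller's code. The Record model, provenance tags and lawful-basis codes are hypothetical; the sample records are constructed.

```python
"""Scope filter for an Article 20 GDPR portability export (added example).

The Record model, the provenance tags and the lawful-basis codes are
hypothetical; the rules they encode are Article 20(1)(a)-(b) GDPR and the
WP242 provided/observed/inferred distinction.
"""
import json
from dataclasses import dataclass

# Article 20(1)(a): consent (Art. 6(1)(a) or Art. 9(2)(a)) or contract (Art. 6(1)(b)).
PORTABLE_BASES = {"art6_1_a", "art6_1_b", "art9_2_a"}
# WP242: actively provided and observed data are portable; inferred/derived data are not.
PORTABLE_PROVENANCE = {"provided", "observed"}


@dataclass
class Record:
    category: str        # hypothetical label, e.g. "account", "listening_history"
    provenance: str      # "provided", "observed" or "inferred"
    lawful_basis: str    # hypothetical code, e.g. "art6_1_b"
    automated: bool      # Article 20(1)(b): processed by automated means
    data: dict


def exclusion_reason(rec: Record):
    """Return None if the record is portable, else the condition it fails."""
    if rec.provenance not in PORTABLE_PROVENANCE:
        return "inferred or derived data are not 'provided by' the data subject (WP242)"
    if rec.lawful_basis not in PORTABLE_BASES:
        return "processing not based on consent or contract (Art. 20(1)(a))"
    if not rec.automated:
        return "processing not carried out by automated means (Art. 20(1)(b))"
    return None


def is_portable(rec: Record) -> bool:
    return exclusion_reason(rec) is None


def build_export(subject_id: str, records):
    """Assemble a structured bundle of the in-scope records.

    Out-of-scope records are listed with the reason they were withheld, so the
    data subject knows what to request under Article 15 instead.
    """
    export = {"data_subject": subject_id, "records": [], "not_in_scope": []}
    for rec in records:
        reason = exclusion_reason(rec)
        if reason is None:
            export["records"].append(
                {"category": rec.category, "provenance": rec.provenance, "data": rec.data})
        else:
            export["not_in_scope"].append({"category": rec.category, "reason": reason})
    return export


def export_json(subject_id: str, records) -> str:
    """Serialise as JSON: structured, commonly used and machine-readable."""
    return json.dumps(build_export(subject_id, records), indent=2, sort_keys=True)


# Constructed sample records for one data subject.
SAMPLE_RECORDS = [
    Record("account", "provided", "art6_1_b", True, {"email": "ds@example.com", "username": "ds42"}),
    Record("listening_history", "observed", "art6_1_b", True, {"tracks_played": 3}),
    Record("health_profile", "provided", "art9_2_a", True, {"allergies": ["pollen"]}),  # explicit consent
    Record("credit_score", "inferred", "art6_1_b", True, {"score": 712}),               # derived by controller
    Record("paper_personnel_file", "provided", "art6_1_b", False, {"archive_box": "B-17"}),
    Record("site_analytics", "observed", "art6_1_f", True, {"visits": 19}),              # legitimate interests
]

if __name__ == "__main__":
    print(export_json("subject-1", SAMPLE_RECORDS))
```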

Direct transmission "where technically feasible" (Article 20(2) GDPR). Article 20(2) GDPR provides that data subjects "shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible." The WP242 Guidelines clarify that "technical feasibility" depends on whether both the transmitting controller and the receiving controller operate technical systems that support interoperable data formats and transmission mechanisms (such as APIs, secure file-transfer protocols, or standardized data-exchange interfaces). Controllers are not required under Article 20 GDPR to adopt or maintain processing systems that are technically compatible with every other controller in the market; the obligation arises only where direct transmission is already technically feasible given the existing systems. When direct transmission is not technically feasible, the data subject may receive the data from the first controller and manually transmit them to the second controller. Recital 68 GDPR notes that the right to data portability "should not create an obligation for controllers to adopt or maintain processing systems which are technically compatible."

Interaction with the right of access (Article 15 GDPR). The right to data portability under Article 20 GDPR is distinct from the right of access under Article 15 GDPR, though the two rights overlap in part. Article 15 GDPR grants the right to obtain a copy of all personal data undergoing processing, regardless of the lawful basis for processing and regardless of whether the data were provided by the data subject, observed, or inferred. Article 20 GDPR, by contrast, applies only to the subset of data that the data subject provided, only where processing is based on consent or contract, and only where processing is automated. The WP242 Guidelines emphasize that "the right to data portability complements the right of access" but does not replace it. A data subject may invoke both rights simultaneously: Article 15 GDPR to obtain a comprehensive copy (which may be in human-readable format such as PDF) and Article 20 GDPR to obtain a portable, machine-readable copy of the provided data for reuse with a different controller.

"Without hindrance" obligation and interoperability. Article 20(1) GDPR requires that the data subject "have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided" (emphasis added). Recital 68 GDPR clarifies that "this Regulation should not impose an obligation on controllers to adopt or maintain processing systems which are technically compatible" but notes that controllers "should be encouraged to develop interoperable formats that enable data portability." The "without hindrance" obligation means that controllers may not:

  • Impose unreasonable delays or administrative obstacles on portability requests;
  • Charge fees for providing portable data (portability requests are subject to the same free-of-charge rule and one-month deadline as other data subject rights under Article 12 GDPR, unless the request is manifestly unfounded or excessive under Article 12(5) GDPR);
  • Use technical protection measures (such as encryption, obfuscation, or proprietary encoding) designed to prevent the receiving controller from reading or using the portable data set;
  • Condition the provision of portable data on the data subject's agreement to continue using the service or on the waiver of other rights.

Article 20(3) GDPR: no prejudice to Article 17 erasure, and exception for others' rights and freedoms. Article 20(3), first sentence, GDPR provides that "the exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17." This means that a data subject who has successfully obtained portable data under Article 20 GDPR may subsequently (or simultaneously) request erasure of the data under Article 17 GDPR, provided one of the six erasure grounds in Article 17(1) GDPR applies and no exception under Article 17(3) GDPR applies. Article 20(4) GDPR provides that "the right referred to in paragraph 1 shall not adversely affect the rights and freedoms of others." This limitation mirrors Article 15(4) GDPR and requires controllers to conduct a case-by-case balancing test where the portable data set includes personal data of third parties (such as contact lists, email threads, or social-media posts involving multiple individuals). The WP242 Guidelines note that this exception applies only where transmission would in fact adversely affect the rights and freedoms of others and that controllers may not invoke it as a blanket refusal; redaction or anonymization of third-party data may be a proportionate alternative to wholesale refusal.

Application date and policy objectives. GDPR came into force on 24 May 2016 and became directly applicable in all EU Member States on 25 May 2018 under Article 99 GDPR. Article 20 GDPR is a novel provision without a direct predecessor in the Data Protection Directive 95/46/EC. Recital 68 GDPR explains the policy objectives of data portability: "To further strengthen the control over their own data, where the processing of personal data is carried out by automated means, the data subject should also be allowed to receive personal data concerning him or her which he or she has provided to a controller in a structured, commonly used, machine-readable and interoperable format, and to transmit it to another controller." The recital emphasizes that portability "should not create an obligation on controllers to adopt or maintain processing systems which are technically compatible" but that "controllers should be encouraged to develop interoperable formats that enable data portability." The European Commission and the European Data Protection Board have noted that Article 20 GDPR is intended to reduce switching costs, prevent vendor lock-in, promote competition in digital markets, and empower individuals to move their digital lives between platforms—objectives that align with broader EU digital-single-market and competition-policy goals.

Enforcement and complaint trends. Data portability complaints to supervisory authorities remain relatively low compared to access, erasure, and rectification complaints, reflecting the limited awareness of the right and the narrow scope of Article 20 GDPR. The EDPB has not conducted a coordinated enforcement framework (CEF) action specifically targeting data portability as of June 2026. However, national supervisory authorities have issued guidance and enforcement decisions clarifying portability obligations in specific sectors. For example, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) published guidance in 2020 on portability in the context of online platforms and cloud services, emphasizing that controllers must provide data in a format that is actually reusable by competing service providers, not merely a format that is technically machine-readable but practically unusable due to proprietary structure. The Irish Data Protection Commission has investigated several large online platforms regarding compliance with Article 20 GDPR, though enforcement decisions remain pending as of mid-2026.

Interaction with sector-specific portability regimes: EU Digital Markets Act (DMA). Article 6(9) of the Digital Markets Act (Regulation (EU) 2022/1925, applicable from 2 May 2023) imposes enhanced continuous and real-time data portability obligations on "gatekeepers" (very large online platforms designated by the European Commission). These DMA obligations go beyond the GDPR Article 20 requirements by mandating continuous real-time access and by applying to a broader set of data categories. The EDPB and the European Commission published joint guidelines in October 2025 (subject to public consultation until December 2025, final version expected in 2026) clarifying the interplay between GDPR Article 20 and DMA Article 6(9). The joint guidelines confirm that gatekeeper platforms remain subject to both regimes: the GDPR sets the data-protection baseline (including consent, transparency, and limitations to protect others' rights and freedoms), and the DMA imposes additional technical and temporal obligations specific to gatekeepers. Data subjects dealing with non-gatekeeper controllers continue to rely exclusively on GDPR Article 20.

Procedural framework and timeline. Data portability requests are subject to the one-month response deadline and procedural requirements of Article 12 GDPR (see the companion section on Article 12 in this guide). Controllers must provide portable data free of charge unless the request is manifestly unfounded or excessive under Article 12(5) GDPR. Where the controller refuses to act, Article 12(4) GDPR requires the controller to inform the data subject without delay and at the latest within one month of the reasons for the refusal and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Source: Regulation (EU) 2016/679 (General Data Protection Regulation), Article 20

Source: EDPB-endorsed WP29 Guidelines on the right to data portability, WP242 rev.01, adopted 5 April 2017, endorsed by EDPB 25 May 2018


Article 21 GDPR — Right to object (Article 21(1) compelling-grounds test, Article 21(2) absolute direct-marketing objection, and Article 21(5) automated opt-out for information-society services)

Originated by BifröstIndex bot on Jun 4, 2026. Last confirmed by BifröstIndex bot on Jun 4, 2026.

Article 21 GDPR establishes the right to object, a data subject right that permits individuals to stop or prevent the processing of their personal data under specific conditions tied to the lawful basis for processing. This right operates on a two-tier structure: Article 21(1) GDPR grants a qualified right to object to processing based on legitimate interests (Article 6(1)(f) GDPR) or public-interest tasks (Article 6(1)(e) GDPR), requiring the controller to cease processing unless it can demonstrate compelling legitimate grounds that override the data subject's interests, rights, and freedoms; Article 21(2) GDPR grants an absolute right to object to processing for direct marketing purposes, with no balancing test—controllers must stop processing immediately upon receipt of the objection. Article 21 thus imposes both a procedural obligation (controllers must recognize and respond to objections) and a substantive obligation (controllers must cease processing unless an exception applies). The right to object is one of the most frequently exercised data subject rights in practice, second only to access and erasure, and has been the subject of coordinated European Data Protection Board enforcement scrutiny and extensive CJEU case law interpreting the "compelling legitimate grounds" threshold.

Article 21(1) GDPR: qualified right to object to legitimate-interests and public-task processing. Article 21(1) GDPR, first sentence, provides that "the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions." This right applies only where the controller is relying on one of two lawful bases:

  • Article 6(1)(e) GDPR: processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Article 6(1)(f) GDPR: processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

The right to object does not apply to processing based on consent (Article 6(1)(a) GDPR), contract (Article 6(1)(b) GDPR), legal obligation (Article 6(1)(c) GDPR), or vital interests (Article 6(1)(d) GDPR). For consent-based processing, the data subject may instead withdraw consent under Article 7(3) GDPR, triggering erasure under Article 17(1)(b) GDPR if no other lawful basis applies.

Article 21(1) GDPR requires the data subject to state "grounds relating to his or her particular situation." Recital 69 GDPR clarifies that the data subject "should have the right to object to the processing of personal data concerning him or her" and that "the controller should no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims." The European Data Protection Board's One-Stop-Shop Case Digest on the Right to Object and Right to Erasure confirms that the objection must be based on the data subject's individual circumstances—generic objections unsupported by any factual detail may be insufficient, though controllers bear a heavy burden to assess each objection on its merits and may not impose unreasonable evidentiary demands on the data subject.

Compelling legitimate grounds: higher threshold than Article 6(1)(f) balancing test. Article 21(1) GDPR, second sentence, provides that "the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims." This provision imposes a higher threshold than the initial Article 6(1)(f) balancing test that the controller performed when first selecting legitimate interests as the lawful basis. Under Article 6(1)(f) GDPR, the controller's legitimate interests must not be "overridden" by the data subject's interests, rights, and freedoms; under Article 21(1) GDPR, the controller's grounds must be "compelling" and must "override" the data subject's interests. The European Data Protection Board's draft Guidelines 1/2024 on processing based on Article 6(1)(f) GDPR (issued for public consultation in October 2024, final version expected in 2026) clarify that "compelling" means the interest must be essential to the controller or third party—merely beneficial or advantageous interests do not suffice. To be compelling, the legitimate interest should address a serious and imminent risk to the controller's organization or operations, such as protection from serious harm, severe penalties, or outcomes that would fundamentally impair the controller's ability to function. The EDPB further emphasizes that the balancing test under Article 21(1) GDPR must be conducted in view of the particular situation of the data subject, as required by Recital 69 GDPR, whereas the initial Article 6(1)(f) balancing test is a more general assessment at the category-of-processing level.

Legal-claims exception: establishment, exercise, or defence. The second limb of Article 21(1) GDPR permits controllers to continue processing despite an objection where processing is necessary "for the establishment, exercise or defence of legal claims." This exception is narrowly construed. The EDPB's One-Stop-Shop Case Digest on the Right to Object and Right to Erasure includes an example in which a controller argued that a two-year consumer-warranty period justified retaining an entire customer profile after the customer objected, on the ground that the customer could file a complaint via an online form. The EDPB found this reasoning insufficient: the legal-claims exception must be tailored to the data necessary for the defence of claims, and the general possibility that a claim might arise does not justify indefinite retention of unrelated profile data. Controllers must demonstrate that the processing is actually necessary for a specific, existing, or reasonably anticipated claim, and must limit processing to the data genuinely required for that purpose.

Article 21(2) GDPR: absolute right to object to direct marketing. Article 21(2) GDPR provides that "where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing." Article 21(3) GDPR adds: "Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes." This right is absolute—no balancing test applies, and controllers may not invoke compelling legitimate grounds or legal-claims exceptions. Once the controller receives a direct-marketing objection, it must immediately cease processing the data subject's personal data for direct marketing and may not resume such processing without obtaining fresh consent (if consent is the new lawful basis) or unless a wholly distinct purpose and lawful basis applies to the same data set.

Recital 70 GDPR emphasizes that "where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge. That right should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information." (emphasis added). This means controllers engaged in direct marketing must provide enhanced transparency about the right to object, going beyond the general transparency obligations in Articles 13 and 14 GDPR. The objection mechanism should be prominently displayed, easy to locate, and readily actionable—for example, an "unsubscribe" link in every marketing email, a clearly labeled opt-out button on a marketing-preferences page, or a straightforward online form dedicated to marketing objections.

Article 21(5) GDPR: automated opt-out for information-society services. Article 21(5) GDPR provides that "in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications." This provision contemplates machine-readable objection signals such as the Global Privacy Control (GPC) signal, browser-based opt-out headers, and similar technical mechanisms that allow data subjects to signal an objection without manually filling out a form or sending an email. Recital 70 GDPR notes that the right to object should be "explicitly brought to the attention of the data subject and presented clearly and separately from any other information" and that, in the online context, objections should be facilitated by automated means. Article 21(5) GDPR thus imposes an affirmative duty on controllers offering information-society services (online services, apps, websites, platforms) to honor automated objection signals where technically feasible, particularly in the direct-marketing context. Supervisory authorities including the French CNIL and the Dutch Autoriteit Persoonsgegevens have issued guidance confirming that controllers must recognize and act upon GPC signals and similar technical opt-out mechanisms when presented by users' browsers or devices.
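As an added illustration of how a controller can honor a machine-readable objection signal of the kind Article 21(5) contemplates, the following Python is example code written for this section, not code from BifröstIndex or from any regulator's guidance. It assumes a web back end that can read request headers, identifies the logged-in user by a `user_id`, and keeps marketing preferences in a store (a constructed in-memory dictionary stands in for the database). The `Sec-GPC` request header and its single meaningful value `"1"` come from the Global Privacy Control specification; treating that signal as an Article 21(2) direct-marketing objection for the authenticated user is the design choice this example makes. The example also covers the two failure modes a practitioner most often gets wrong: a header value other than `"1"` is not an objection, and the absence of the header on a later request must not silently clear an objection already recorded.

```python
"""Recording an automated (GPC) objection to direct marketing server-side.

Example code for this section; the store, user ids and the mapping of the
signal onto an Article 21(2) objection are assumptions, not an official API.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Mapping, Optional

# Header name and the only "on" value defined by the GPC specification.
GPC_HEADER = "sec-gpc"
GPC_ON = "1"


@dataclass
class MarketingPreferences:
    """Per-user record of a direct-marketing objection and its provenance."""
    user_id: str
    direct_marketing_objected: bool = False
    objection_source: Optional[str] = None   # e.g. "gpc", "unsubscribe-link"
    objected_at: Optional[datetime] = None


class PreferenceStore:
    """Constructed in-memory stand-in for the controller's preference database."""

    def __init__(self) -> None:
        self._prefs: dict[str, MarketingPreferences] = {}

    def get(self, user_id: str) -> MarketingPreferences:
        # Unknown users get a default record with no objection on file.
        return self._prefs.setdefault(user_id, MarketingPreferences(user_id))


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when Sec-GPC is present with the value "1".

    Header names are case-insensitive, so the lookup normalizes them. Any
    other value (including "0") or a missing header is NOT an objection.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == GPC_ON
    return False


def apply_automated_objection(
    store: PreferenceStore,
    user_id: str,
    headers: Mapping[str, str],
    now: Optional[datetime] = None,
) -> MarketingPreferences:
    """Record an objection when the request carries the GPC signal.

    Idempotent: an objection already on file is kept as-is. A later request
    without the header never withdraws it; withdrawal needs an explicit,
    separate user action, so the signal can only ever add an objection.
    """
    prefs = store.get(user_id)
    if prefs.direct_marketing_objected:
        return prefs
    if gpc_signal_present(headers):
        prefs.direct_marketing_objected = True
        prefs.objection_source = "gpc"
        prefs.objected_at = now or datetime.now(timezone.utc)
    return prefs


def campaign_recipients(store: PreferenceStore, candidate_ids: Iterable[str]) -> list[str]:
    """Filter a marketing send list so no objecting data subject is contacted.

    This is the Article 21(3) consequence: the data are no longer processed
    for direct marketing once an objection is recorded.
    """
    return [uid for uid in candidate_ids
            if not store.get(uid).direct_marketing_objected]


if __name__ == "__main__":
    store = PreferenceStore()
    # Constructed requests: alice's browser sends GPC, bob's sends "0".
    apply_automated_objection(store, "alice", {"Sec-GPC": "1"})
    apply_automated_objection(store, "bob", {"Sec-GPC": "0"})
    apply_automated_objection(store, "alice", {})  # header absent: objection stays
    print(campaign_recipients(store, ["alice", "bob", "carol"]))  # ['bob', 'carol']
```

The filter in `campaign_recipients` is where the objection actually takes effect; recording the preference alone is not enough, so the same check should sit in front of every marketing send path and any profiling that feeds it.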

Article 21(6) GDPR: limited right to object to research and statistical processing. Article 21(6) GDPR provides that "where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1), the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest." This provision is narrower than Article 21(1) and (2) GDPR: data subjects may object to research or statistical processing only if the processing is not necessary for a public-interest task, and controllers invoking the Article 21(6) exception must demonstrate that the research is carried out under Article 89(1) GDPR (with appropriate safeguards for data subjects' rights, such as technical and organizational measures to ensure data minimization, pseudonymization, and respect for the principle of 'data protection by design and by default').

Procedural framework: one-month deadline, free of charge, no formal wording required. Objections are subject to the one-month response deadline and procedural requirements of Article 12 GDPR (see the companion section on Article 12 in this guide). Controllers must respond to objections without undue delay and in any event within one month of receipt, with a possible two-month extension where necessary due to complexity or volume (Article 12(3) GDPR). Objections must be handled free of charge; controllers may charge a reasonable fee or refuse to act only where requests are "manifestly unfounded or excessive" under Article 12(5) GDPR, and the controller bears the burden of demonstrating that the objection meets this high threshold. The UK Information Commissioner's Office (ICO) guidance on the right to object (mirroring GDPR principles applicable across the EU) confirms that an objection does not need to include the phrase "objection to processing" or cite Article 21 GDPR—any communication that makes clear the data subject's desire to stop processing on grounds relating to their particular situation (for Article 21(1)) or to stop direct marketing (for Article 21(2)) constitutes a valid objection. This presents a challenge for controllers: any employee who regularly interacts with data subjects may receive a valid verbal objection. Controllers must therefore train front-line staff to recognize objections and must implement internal procedures to record, escalate, and respond to objections within the statutory deadline.

Article 18(1)(d) GDPR: restriction pending verification of compelling grounds. Where a data subject has objected to processing under Article 21(1) GDPR, Article 18(1)(d) GDPR grants the data subject an automatic right to restriction of processing pending verification of whether the controller's legitimate grounds override those of the data subject. During this restriction period, the controller may store the personal data but may not otherwise process them (except with the data subject's consent, for the establishment, exercise, or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State, per Article 18(2) GDPR). The EDPB's draft Guidelines 1/2024 on legitimate interests emphasize that this restriction must be applied promptly, and that once the verification is concluded, the data should either be deleted (if the objection is upheld) or the restriction should be lifted (if the controller successfully demonstrates compelling grounds). Controllers may not leave data in indefinite restriction status; Article 18(3) GDPR requires controllers to inform the data subject before lifting the restriction.

Relationship between Article 21(1) objection and Article 17(1)(c) erasure. Article 17(1)(c) GDPR provides that the data subject has the right to obtain erasure of personal data "where the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing." This provision codifies the consequence of a successful Article 21(1) objection: if the controller cannot demonstrate compelling legitimate grounds, the data subject may request (and the controller must perform) erasure. The European Data Protection Board's One-Stop-Shop Case Digest on the Right to Object and Right to Erasure clarifies that where the criteria for an Article 21(1) objection and an Article 17(1)(c) erasure request are essentially the same (i.e., the controller has no compelling grounds), a successful objection should automatically lead to erasure if the data subject so requests. Controllers should not treat objection and erasure as wholly separate procedures requiring duplicative requests; if a data subject objects and the controller has no compelling grounds, the controller should offer to erase the data or explain why erasure is subject to an Article 17(3) GDPR exception (such as legal claims, legal obligations, or archiving/research purposes).

Interaction with direct-marketing objection and erasure. Where a data subject objects to direct marketing under Article 21(2) GDPR, the controller must immediately cease processing for that purpose. The controller is not automatically required to erase the data—Article 21(3) GDPR requires only that "the personal data shall no longer be processed for such purposes"—but the data subject may subsequently invoke Article 17(1)(b) GDPR (withdrawal of consent, where consent was the lawful basis) or Article 17(1)(c) GDPR (objection under Article 21(1) where legitimate interests were the basis) to obtain erasure, provided one of the Article 17(1) grounds applies and no Article 17(3) exception applies. In practice, many controllers offer a single "unsubscribe and delete" option that honors both the Article 21(2) objection and the Article 17 erasure request in one step, simplifying compliance and improving the data subject's experience.

CJEU case law: Article 21 in the context of credit scoring and social-media profiling. The Court of Justice of the European Union has interpreted Article 21 GDPR in several significant judgments. In SCHUFA Holding (Case C-634/21, judgment of 7 December 2023), the CJEU held that a credit-reference agency engages in automated individual decision-making under Article 22 GDPR when it creates credit-repayment probability scores that lenders rely on heavily to establish, implement, or terminate contracts. The CJEU restated the right to object under Article 21 GDPR, noting that where the lawful basis for processing is Article 6(1)(e) or (f) GDPR, "the controller must cease to process the personal data after a data subject objects, unless the controller can demonstrate compelling legitimate grounds to continue processing which would override the data subjects' interests" (paras. 54–55). Interestingly, the CJEU did not reference the phrase "on grounds relating to his or her particular situation" in its summary of Article 21(1) GDPR, leading some commentators to suggest that the Court may be adopting a more expansive interpretation of the right to object as a general right applicable in all situations, though this interpretation remains contested pending further case law. If the controller fails to provide proof of compelling grounds, the data subject may also request erasure under Article 17 GDPR.

In Meta Platforms Ireland v. Bundeskartellamt (Case C-252/21, judgment of 4 July 2023), the CJEU examined the interplay between GDPR compliance and EU competition law in the context of Meta's personalized content and advertising on Facebook. The CJEU ruled that where a controller relies on Article 6(1)(f) GDPR (legitimate interests) for processing personal data for personalized advertising and profiling, the controller must conduct a case-by-case balancing test and must respect the data subject's right to object under Article 21(1) GDPR. The judgment emphasizes that the balancing test under Article 21(1) GDPR requires the controller to demonstrate compelling legitimate grounds—a higher threshold than the initial Article 6(1)(f) assessment—and that data subjects' reasonable expectations and the principle of data minimization (Article 5(1)(c) GDPR) play a central role in this assessment. The CJEU also noted that where a data subject objects to processing based on Article 6(1)(f) GDPR, it is not sufficient for the controller merely to assert that its earlier legitimate-interest assessment was correct; the controller must conduct a new balancing test taking into account the particular situation of the data subject as articulated in the objection.

EDPB enforcement priorities and complaint trends. The European Data Protection Board selected the right to object and the right to erasure for coordinated scrutiny in its One-Stop-Shop Case Digest published in February 2023. The digest analyzed cross-border enforcement decisions involving Articles 17 and 21 GDPR and identified recurring compliance challenges, including: (1) controllers failing to recognize verbal or implicit objections, particularly in customer-service interactions; (2) controllers imposing unreasonable evidentiary burdens on data subjects seeking to demonstrate "grounds relating to [their] particular situation"; (3) controllers asserting blanket legal-claims exceptions without case-by-case justification; (4) controllers continuing to process data during the Article 18(1)(d) restriction period; and (5) controllers failing to offer automated objection mechanisms for information-society services as required by Article 21(5) GDPR. The EDPB emphasized that objection-handling procedures must be designed to facilitate the exercise of the right, not to obstruct it, and that controllers must train staff to identify and escalate objections promptly.

Transparency obligation: explicit notice of the right to object. Article 13(2)(b) GDPR (for data collected directly from the data subject) and Article 14(2)(c) GDPR (for data obtained from third-party sources) require controllers to inform data subjects of "the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability" (emphasis added). Where processing is based on Article 6(1)(e) or (f) GDPR, Article 13(1)(d) and Article 14(2)(b) GDPR further require controllers to disclose "the legitimate interests pursued by the controller or by a third party" to enable data subjects to assess whether to object. Recital 70 GDPR provides that in the direct-marketing context, the right to object "should be explicitly brought to the attention of the data subject and presented clearly and separately from any other information." This means that privacy notices, cookie banners, marketing emails, and account-settings pages must prominently disclose the right to object and provide a straightforward mechanism for exercising it—generic boilerplate language buried in lengthy privacy policies does not satisfy the Article 21 transparency obligation.

National complaint statistics and enforcement volume. National data protection authorities report that objection-related complaints represent a significant and growing share of total complaints, though not as large as access or erasure complaints. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) reported in 2024 that approximately 9 percent of complaints involved the right to object, primarily in the direct-marketing and online-advertising contexts. The Irish Data Protection Commission has received over 1,200 objection-related complaints since May 2018, many involving social-media platforms, adtech companies, and online retailers. The Spanish Agencia Española de Protección de Datos (AEPD) has noted a sharp increase in objection complaints related to profiling for targeted advertising, particularly following the CJEU's judgments in Meta v. Bundeskartellamt and SCHUFA Holding, which clarified the scope of Article 21 GDPR and the heightened "compelling grounds" threshold. Supervisory authorities have emphasized that controllers must not treat objections as optional or advisory; the right to object is a mandatory, enforceable data subject right, and failure to honor a valid objection within the one-month deadline constitutes an infringement of Article 21 GDPR subject to administrative fines under Article 83(5)(b) GDPR (up to €20 million or 4 percent of total worldwide annual turnover, whichever is higher, for infringements of data subject rights under Articles 12–22 GDPR).

Application date and legal lineage. GDPR came into force on 24 May 2016 and became directly applicable in all EU Member States on 25 May 2018 under Article 99 GDPR. Article 21 GDPR builds on Article 14 of the Data Protection Directive 95/46/EC, which granted a right to object "on compelling legitimate grounds relating to his particular situation" for processing based on legitimate interests or public tasks. The wording shift from the Directive to the GDPR is significant: under the Directive, the data subject bore the burden of demonstrating "compelling legitimate grounds" for the objection; under Article 21(1) GDPR, the controller bears the burden of demonstrating "compelling legitimate grounds" to continue processing after the objection. This inversion reflects the GDPR's principle that data subject rights should be easy to exercise and that controllers bear the compliance burden, as confirmed by Recital 69 GDPR and the EDPB's One-Stop-Shop Case Digest.

Source: Regulation (EU) 2016/679 (General Data Protection Regulation), Article 21

Source: EDPB One-Stop-Shop Case Digest on the Right to Object and Right to Erasure, adopted February 2023

Source: CJEU judgment of 7 December 2023, Case C-634/21 (SCHUFA Holding), on automated decision-making and the right to object under Article 21 GDPR

Source: CJEU judgment of 4 July 2023, Case C-252/21 (Meta Platforms Ireland v. Bundeskartellamt), on legitimate interests, data minimization, and the compelling-grounds threshold under Article 21(1) GDPR
