United Kingdom — Data Subject Rights

The United Kingdom retained the core data subject rights regime from the EU General Data Protection Regulation (GDPR) when it exited the European Union. Following the UK's departure, the UK Government transposed Regulation (EU) 2016/679 into UK national law, creating the UK GDPR, through the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. The UK GDPR works alongside the Data Protection Act 2018 (DPA 2018), which supplements the regime with permitted derogations, exemptions for special-category processing under substantial-public-interest conditions, and context-specific restrictions on data subject rights set out in Schedule 2 of the DPA 2018.

The transposition made technical changes to account for the UK's status as a single jurisdiction — changing references to "Member State" to "the United Kingdom" and removing the cross-border cooperation and consistency mechanism (Articles 60–76 GDPR) — but preserved the substantive text of Chapter III (Articles 12–22), which creates individual rights. As of May 2026, UK courts and the Information Commissioner's Office (ICO) are not bound by post-Brexit Court of Justice of the European Union (CJEU) rulings, though they retain persuasive value and the ICO continues to reference European Data Protection Board (EDPB) guidelines as helpful interpretive aids.

The eight individual rights under UK GDPR

UK GDPR Chapter III establishes eight distinct rights for data subjects (the individuals to whom personal data relates):

1. Right to be informed (Articles 13–14) — Controllers must provide transparency information (privacy notices) at the time personal data is collected (Article 13) or, if obtained from a third party, within one month of obtaining the data (Article 14). This information includes processing purposes, lawful basis, retention periods, recipients, and the existence of automated decision-making.

1. Right of access (Article 15) — Also called a subject access request (SAR), this entitles individuals to obtain a copy of their personal data and supplementary information (processing purposes, categories of data, recipients, retention periods, source if not obtained directly, and meaningful information about the logic involved in automated decision-making under Article 22). Requests may be made verbally or in writing; controllers have one month to respond, extendable by two further months if complex.

1. Right to rectification (Article 16) — Individuals may require controllers to correct inaccurate personal data or complete incomplete data without undue delay.

1. Right to erasure (Article 17) — Often termed the "right to be forgotten," this allows data subjects to demand deletion when personal data is no longer necessary for the original purpose, consent is withdrawn, the individual objects under Article 21 and no overriding legitimate grounds exist, the data was processed unlawfully, or erasure is required by law. Recital 65 notes particular relevance for children who consented to online services without fully understanding the risks.

1. Right to restriction of processing (Article 18) — Where accuracy is contested, processing is unlawful (but the individual does not want erasure), the controller no longer needs the data but the individual requires it for a legal claim, or an objection under Article 21 is pending verification, the individual can require the controller to store the data but cease further use.

1. Right to data portability (Article 20) — Where processing is based on consent or contract and carried out by automated means, individuals can receive their personal data in a structured, commonly used, machine-readable format and have it transmitted directly to another controller where technically feasible.

1. Right to object (Article 21) — Individuals have an absolute right to object to direct-marketing processing (including profiling for that purpose). For processing under Article 6(1)(e) (public task) or (f) (legitimate interests), the individual may object on grounds relating to their particular situation; the controller must then cease processing unless it demonstrates compelling legitimate grounds that override the individual's interests.

1. Rights related to automated decision-making and profiling (Article 22) — Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, unless the decision is necessary for a contract, authorized by UK law, or based on explicit consent. Where Article 22 applies, the controller must implement suitable measures to safeguard rights (at minimum, the right to obtain human intervention, express a point of view, and contest the decision).

Recent amendments under the Data (Use and Access) Act 2025

The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025 and began phased implementation in early 2026, introduced notable changes to the Article 22 automated-decision-making regime. New Article 22C permits significant automated decisions (excluding those processing special-category data, which remain under the narrow Article 22 permissions) provided safeguards involving clear notice, rights to contest, make representations, and seek human intervention are in place. The DUAA also introduced Article 12A, which clarifies that identity verification (when genuinely needed) pauses the response clock on any data subject rights request, and that controllers may pause the clock to seek clarification when a request cannot be properly understood.

Exemptions and restrictions

Schedule 2 of the DPA 2018 lists exemptions that may restrict or adapt the listed UK GDPR provisions (the rights and corresponding transparency obligations in Articles 12–22). These include exemptions for crime prevention and detection, immigration control, legal professional privilege, and scientific or historical research purposes. Exemptions are not blanket; they apply only to the extent that compliance with the right would be likely to prejudice the specified purpose. For example, the crime and taxation exemption (Schedule 2 Part 1) permits withholding subject access information if disclosure would prejudice the prevention or detection of crime or the assessment or collection of tax. The ICO emphasizes that controllers must apply exemptions on a case-by-case basis and demonstrate a causal link between the right and the identified prejudicial effect.

Response timelines

Article 12(3) UK GDPR requires controllers to respond to requests under Articles 15–22 without undue delay and in any event within one month of receipt. The period may be extended by a further two months where necessary, taking into account the complexity and number of requests. Controllers must inform the data subject of any extension within one month of the original request, together with the reasons for the delay.

Source: Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419) Source: Data Protection Act 2018 Source: ICO: A guide to individual rights

The general rule: SARs are free of charge

Article 12(5) of the UK GDPR establishes that information provided under Articles 13 and 14 (transparency obligations) and any actions taken under Articles 15–22 and 34 (data subject rights and breach notification) must be provided free of charge. This means that controllers ordinarily cannot charge a fee to comply with a subject access request (SAR) made under Article 15, nor may they charge for providing supplementary information such as the processing purposes, categories of data, recipients, retention periods, or the source of data not obtained directly from the individual.

The abolition of routine SAR fees represents a significant shift from the Data Protection Act 1998 regime, which permitted a standard £10 fee (£2 for credit reference agency requests). The UK GDPR removed this permission, reflecting the policy that access to one's own personal data is a fundamental right that should not be subject to financial gatekeeping. Section 12 of the Data Protection Act 2018 confirms this position and empowers the Secretary of State to specify fee limits by regulation, though no such limits have been enacted as of May 2026.

Exceptions: when controllers may charge a reasonable fee

Article 12(5) UK GDPR creates two narrow circumstances in which a controller may charge a reasonable fee:

1. Manifestly unfounded or excessive requests — Where a request is manifestly unfounded or excessive, in particular because of its repetitive character, the controller may either:

• charge a reasonable fee taking into account the administrative costs of providing the information or taking the action requested; or
• refuse to act on the request.

1. Further copies — Under Article 15(3) UK GDPR, where a data subject requests further copies of personal data following an initial request, the controller may charge a reasonable fee based on administrative costs.

The burden of demonstrating that a request is manifestly unfounded or excessive rests with the controller (Article 12(5), second sentence). Controllers must be able to explain their reasoning clearly to both the data subject and the Information Commissioner's Office (ICO) if challenged. The ICO emphasizes that controllers must have "strong justifications" and assess each request on a case-by-case basis — blanket policies deeming all requests from a particular individual or source excessive are not permitted.

What constitutes "manifestly unfounded"?

The ICO guidance interprets "manifestly unfounded" to mean that the request is obviously without merit or purpose. The inclusion of "manifestly" signals that the unfounded character must be clear and evident. A request may be manifestly unfounded if:

• The individual clearly has no genuine intention to exercise their right of access (for example, offering to withdraw the request in return for some benefit from the organization);
• The request is malicious in intent or made with the purpose of harassing the organization, with no real purpose other than to cause disruption;
• The request forms part of a broader pattern of vexatious or abusive conduct.

The test is not whether the request is inconvenient or time-consuming for the controller. If the individual has a legitimate interest in obtaining their data — even if their ultimate purpose is to use that data in litigation or to scrutinize the controller's compliance — the request is not manifestly unfounded. Pre-litigation "fishing" requests that seek personal data the individual is entitled to receive remain valid SARs, though controllers may apply relevant exemptions (such as legal professional privilege under Schedule 2, Part 2, paragraph 19 of the DPA 2018) to specific categories of information where the conditions are met.

What constitutes "manifestly excessive"?

The ICO guidance, updated in October 2020 and refined following the Data (Use and Access) Act 2025, explains that a request is "manifestly excessive" if it is clearly or obviously unreasonable. Controllers should assess whether the request is proportionate when balanced against the burden or costs involved in complying.

Factors controllers should consider include:

• Whether the request largely repeats previous requests and a reasonable interval has not elapsed since the last request. Repeated requests for the same information within a short period (for example, weekly or monthly SARs covering the same dataset when nothing material has changed) are more likely to be excessive. The ICO has noted that monthly requests may be excessive if the data has not changed and the individual has already received a complete response.

• The nature and context of the request. A single request covering a large volume of data is not automatically excessive simply because of its scope. If the controller processes substantial amounts of personal data about the individual (for example, years of employment records, extensive transaction histories, or comprehensive health data), the individual is entitled to request all of it, and the controller's obligation to maintain retrievable records supports this.

• The purpose and proportionality. If the volume of information requested is proportionate to the individual's legitimate interest in accessing it (for instance, preparing for litigation or verifying compliance), the request is less likely to be excessive.

• Repeated requests in different formats. Updated ICO guidance acknowledges that if an individual repeatedly requests further copies in different formats after already downloading data from a portal (and has not objected to using the portal), those subsequent requests may be treated as manifestly unfounded or excessive, allowing the controller to charge a fee or refuse.

Importantly, the 2025 Data (Use and Access) Act amendments to Article 12 introduced a "stop the clock" mechanism (new Article 12A) that allows controllers to pause the one-month response deadline when clarification is reasonably required. This reduces the need to rely on the "manifestly excessive" ground where the real issue is that the request is unclear or overly broad and the controller needs the data subject's help to narrow it. Controllers should first ask for clarification rather than immediately characterizing a broad request as excessive.

What is a "reasonable fee"?

Neither the UK GDPR nor the DPA 2018 defines "reasonable fee." Section 12(1) of the DPA 2018 empowers the Secretary of State to specify fee limits by regulation, but no regulations have been made. In practice, the ICO guidance states that a reasonable fee should:

• Be based on the administrative costs actually incurred in responding to the request (staff time at an appropriate hourly rate, costs of retrieval, redaction, and copying);
• Not be punitive or designed to deter the exercise of data subject rights;
• Reflect the actual burden of the specific request, not a blanket charge.

Controllers must notify the data subject of the fee before complying with the request. Under Article 12(5), the controller is not required to act on the request until the fee is paid. The one-month response deadline under Article 12(3) (as amended by the DUAA 2025 to refer to "the applicable time period" defined in new Article 12A) runs from the date the fee is received, not the date the request was made.

Third-party data and the protection-of-rights exemption

A related but distinct issue arises when personal data requested in a SAR contains information that would disclose another identifiable individual. Paragraph 16 of Schedule 2, Part 3 of the DPA 2018 provides that Article 15(1)–(3) UK GDPR does not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information, unless:

• The other individual has consented to the disclosure; or
• It is reasonable to disclose the information without the other individual's consent.

In determining reasonableness, controllers must consider all relevant circumstances, including any duty of confidentiality owed to the other individual, any steps taken to seek that individual's consent, whether the other individual is capable of giving consent, and any express refusal of consent. This is not a fee-related provision but an exemption that permits redaction or withholding of third-party personal data in appropriate cases. Controllers should apply this exemption carefully and on a case-by-case basis, redacting only the minimum necessary to protect the third party's rights.

ICO enforcement and the importance of documentation

Controllers who charge a fee or refuse a SAR on the grounds that it is manifestly unfounded or excessive must document their reasoning comprehensively. The ICO has enforcement powers under Part 6 of the DPA 2018, including the power to issue information notices, assessment notices, and enforcement notices, and may impose administrative fines under Article 83 UK GDPR for failure to comply with Chapter III rights. A data subject who is refused access or charged a fee may complain to the ICO or apply to the court for an order requiring compliance or for compensation (Article 79 and Article 82 UK GDPR).

The ICO's published case decisions show that assertions of "excessive" requests are scrutinized closely, particularly in employment or litigation contexts where the individual has a legitimate interest in the data. Controllers should not conflate "inconvenient" or "large in scope" with "excessive" — the test is whether the request is manifestly (obviously, clearly) excessive when balanced against the fundamental right of access.

Source: Article 12, UK GDPR (Regulation (EU) 2016/679 as retained in UK law) Source: Data Protection Act 2018, section 12 (fees) Source: Data Protection Act 2018, Schedule 2, Part 3, paragraph 16 (protection of rights of others) Source: ICO: A guide to subject access Source: Data (Use and Access) Act 2025, sections 75–78 (amendments to Article 12 and new Article 12A)

Article 17 of the UK GDPR establishes the right to erasure, also known as the right to be forgotten. This right entitles data subjects to obtain from the controller the erasure of personal data concerning them without undue delay, and imposes a corresponding obligation on controllers to erase personal data without undue delay where one of six statutory grounds applies. The right is not absolute — Article 17(3) lists five categories of exception where processing is necessary for a legitimate purpose that overrides the individual's interest in erasure, and Schedule 2 of the Data Protection Act 2018 provides additional UK-specific exemptions that may restrict or disapply the right on a case-by-case basis.

The six grounds for erasure (Article 17(1) UK GDPR)

A data subject may invoke the right to erasure where one of the following grounds applies:

1. No longer necessary (Article 17(1)(a)) — The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. This ground reflects the storage-limitation principle (Article 5(1)(e)) and requires controllers to assess on an ongoing basis whether retention remains necessary for the original purpose. Once that purpose is fulfilled or the data subject's relationship with the controller has ended, continued retention may trigger a right to erasure unless another lawful basis or exception applies.

1. Withdrawal of consent (Article 17(1)(b)) — The data subject withdraws the consent on which processing is based (Article 6(1)(a) for ordinary personal data, or Article 9(2)(a) for special-category data), and there is no other legal ground for the processing. Consent must be the sole lawful basis; if the controller can rely on an alternative basis such as contract, legal obligation, or legitimate interests, the withdrawal does not trigger erasure. Controllers should assess whether another lawful basis is available before acting on an erasure request grounded in consent withdrawal.

1. Successful objection (Article 17(1)(c)) — The data subject objects to processing under Article 21(1) (objection to legitimate-interests or public-task processing) and there are no overriding legitimate grounds for the processing, or the data subject objects under Article 21(2) (absolute right to object to direct-marketing processing, including profiling for that purpose). When an individual objects on Article 21(1) grounds, the controller must cease processing unless it demonstrates compelling legitimate grounds that override the interests, rights, and freedoms of the data subject, or the processing is for the establishment, exercise, or defence of legal claims. Direct-marketing objections under Article 21(2) are absolute and require immediate cessation and erasure (subject to any Article 17(3) exception).

1. Unlawful processing (Article 17(1)(d)) — The personal data have been processed unlawfully. Unlawful processing includes processing without a lawful basis, processing in breach of the fairness or transparency principles, or processing that violates any other UK GDPR obligation. If processing is unlawful, the individual is entitled to erasure to remedy the breach, though controllers may still rely on an Article 17(3) exception (for example, if the data must be retained for legal-claims purposes notwithstanding the initial unlawfulness).

1. Legal obligation to erase (Article 17(1)(e)) — The personal data have to be erased for compliance with a legal obligation in UK law to which the controller is subject. This ground captures situations where a statute, regulation, or court order mandates deletion. It is rare but may arise where sector-specific legislation (financial services, health records, or judicial orders) requires erasure by a specified date or upon the occurrence of a specified event.

1. Children's information-society services (Article 17(1)(f)) — The personal data have been collected in relation to the offer of information society services referred to in Article 8(1) UK GDPR. Article 8 permits controllers to rely on a child's consent only where the child is aged 13 or over (in the UK; the age may be lower in other jurisdictions). Article 17(1)(f) gives children (and adults who were children when the data was collected) a specific right to demand erasure of data collected through online services, reflecting Recital 65's emphasis on the heightened risks children face online and their potential lack of full awareness of those risks at the time of consent. This ground is particularly significant for social networks, online games, apps, and other digital services aimed at or used by children.

Enhanced protection for children's data

Recital 65 UK GDPR and ICO guidance emphasize that controllers processing children's data should give particular weight to erasure requests when the data was collected based on a child's consent, especially for internet-based processing. This remains the case even when the data subject is no longer a child, because "a child may not have been fully aware of the risks involved by the processing at the time of consent." The ICO guidance states that if an individual wants a controller to erase personal data they provided when they were a child, the controller should comply with their wishes whenever possible, especially if it appears likely the child gave their data without fully understanding the implications. Controllers offering online services to children must ensure that processes for exercising the right to erasure are as easy to access and understand as the original process for providing the data (a practical application of Article 7(3)'s principle that withdrawal of consent must be as easy as giving it).

The five exceptions to erasure (Article 17(3) UK GDPR)

Article 17(3) provides that paragraphs (1) and (2) do not apply to the extent that processing is necessary for one of the following purposes:

1. Freedom of expression and information (Article 17(3)(a)) — Exercising the right of freedom of expression and information. This exception protects journalistic, academic, artistic, and literary purposes when processing serves the public interest. It is interpreted narrowly and requires a case-by-case balancing of the individual's erasure rights against freedom-of-expression interests. Article 85 UK GDPR and section 123 of the Data Protection Act 2018 set out the framework for the freedom-of-expression derogation.

1. Legal obligation or public-interest task (Article 17(3)(b)) — Compliance with a legal obligation which requires processing under UK law, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This exception captures statutory retention obligations (tax records under HMRC rules, employment records under PAYE and national-minimum-wage legislation, anti-money-laundering transaction records under the Money Laundering Regulations) and public-sector tasks. Controllers must be able to point to a specific legal obligation or statutory function; a general "good practice" retention policy is insufficient.

1. Public health (Article 17(3)(c)) — Reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) (processing for health or social care, public-health monitoring, protection against serious cross-border health threats, or ensuring high standards of healthcare) as well as Article 9(3) (processing by health professionals under an obligation of professional secrecy). This exception is narrow and applies primarily to NHS bodies, public-health authorities, and healthcare providers when processing is necessary for statutory public-health purposes and subject to professional confidentiality.

1. Archiving, research, or statistics (Article 17(3)(d)) — Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 84B UK GDPR, insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing. Article 84B (inserted by the Data (Use and Access) Act 2025, replacing the former Article 89(1) reference) sets out safeguards for research and archiving. Paragraph 27 of Schedule 2, Part 6 of the DPA 2018 provides an exemption from the right to erasure if processing is for scientific or historical research or statistical purposes, appropriate safeguards are in place, and erasure would prevent or seriously impair achievement of the research objectives. The ICO guidance illustrates this with the example of a clinical-trial participant who withdraws from further tests but requests erasure of all their health data already collected: if complying would undermine the integrity of the dataset and skew the study results, the research exception applies and the controller may refuse erasure.

1. Establishment, exercise, or defence of legal claims (Article 17(3)(e)) — The establishment, exercise, or defence of legal claims. This is the most commonly invoked exception in practice. Controllers may retain personal data if they reasonably need it to pursue or defend potential legal proceedings, even if no claim has yet been filed or threatened, provided the applicable limitation period has not expired. The test is whether retention is necessary for the legal-claim purpose, applying a proportionality assessment. Controllers relying on this exception should document the nature of the potential claim, the limitation period, and the necessity of retaining the specific data in question. The exception is particularly significant in employment contexts (unfair-dismissal and discrimination claims), contract disputes, and regulatory investigations.

UK-specific exemptions and restrictions in Schedule 2 of the DPA 2018

Schedule 2 of the Data Protection Act 2018 lists exemptions that may restrict or disapply the listed UK GDPR provisions, including Article 17(1) and (2). Part 1 of Schedule 2 (adaptations and restrictions under Articles 6(3) and 23(1)) includes exemptions for:

• Crime prevention and detection, and tax assessment and collection (paragraph 2) — Article 17 does not apply to the extent that compliance would be likely to prejudice the prevention or detection of crime, or the assessment or collection of a tax or duty. This exemption is applied on a case-by-case basis and requires a causal link between the disclosure (or erasure) and the identified prejudice.

• Immigration control (paragraph 4, as amended by the Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 (S.I. 2024/342), which came into force on 8 March 2024) — The immigration exemption allows the Secretary of State to restrict Article 17 where compliance would be likely to prejudice the maintenance of effective immigration control or the investigation or detection of activities that would undermine it. Following the Court of Appeal's judgment in R (3million and Open Rights Group) v Secretary of State for the Home Department [2023] EWCA Civ 1474, the 2024 Regulations inserted detailed safeguards into new paragraph 4A of Schedule 2. The Secretary of State must now make a separate decision for each relevant UK GDPR provision on each occasion, taking into account all circumstances of the case including any vulnerability of the data subject, all their rights and freedoms (including Convention rights), the UK's obligations under the Refugee Convention and Trafficking Convention, and the duty to safeguard children under section 55 of the Borders, Citizenship and Immigration Act 2009. The decision must demonstrate that restricting the right would give rise to a substantial risk of prejudice, that risk outweighs the risk to the data subject's interests, and the restriction is necessary and proportionate.

• Legal professional privilege (paragraph 19, Part 2) — Article 17 does not apply to personal data consisting of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings. This protects confidential lawyer-client communications and litigation work-product from compelled disclosure or erasure.

• Protection of rights of others (paragraph 16, Part 3) — Article 15(1)–(3) UK GDPR does not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another identifiable individual, unless the other individual has consented or it is reasonable to disclose without consent. This exemption is more commonly invoked in subject-access-request contexts than erasure requests, but may be relevant when an erasure request encompasses third-party data (for example, email threads involving multiple individuals). Controllers should redact or withhold only the minimum necessary to protect the third party, and must balance all relevant circumstances including any duty of confidentiality, the capability of the third party to consent, and any express refusal of consent.

Exemptions are not blanket; they apply only to the extent that compliance with the right would be likely to prejudice the specified purpose. Controllers bear the burden of demonstrating the applicability of an exemption and must document their reasoning comprehensively. The ICO emphasizes that controllers should not conflate "inconvenient" or "large in scope" with grounds for refusal — the test is whether one of the Article 17(3) exceptions or a Schedule 2 exemption genuinely applies.

Procedural obligations when granting erasure

When a controller is obliged to erase personal data that has been disclosed to others (recipients as defined in Article 4(9) UK GDPR, including other controllers and processors), Article 19 UK GDPR requires the controller to communicate the erasure to each recipient, unless this proves impossible or involves disproportionate effort. If asked, the controller must also inform the data subject about those recipients. Where the controller has made the personal data public (for example, on social networks, forums, websites, or publicly accessible databases) and is obliged to erase, Article 17(2) requires the controller, taking account of available technology and the cost of implementation, to take reasonable steps, including technical measures, to inform other controllers processing the data that the data subject has requested erasure of any links to, or copies or replications of, the data. This obligation reflects the "right to be forgotten" dimension and aims to extend erasure beyond the original controller's systems when data has been disseminated online. What constitutes "reasonable steps" is fact-specific and may include notifying search engines, social-media platforms, or data aggregators, but does not require the controller to guarantee that all copies are removed from the internet (a technical impossibility in many cases).

Response timelines, fees, and manifestly unfounded or excessive requests

Controllers must respond to erasure requests within one month of receipt (Article 12(3) UK GDPR), extendable by a further two months where necessary, taking into account the complexity and number of requests. The controller must inform the data subject of any extension within one month of the original request, together with reasons for the delay. Erasure requests are free of charge unless the request is manifestly unfounded or excessive, in particular because of its repetitive character, in which case the controller may charge a reasonable fee based on administrative costs or refuse to act (Article 12(5)). The burden of demonstrating that a request is manifestly unfounded or excessive rests with the controller, and the ICO requires strong justifications applied on a case-by-case basis. A request is not manifestly unfounded simply because the individual's ultimate purpose is to scrutinize the controller's compliance or to prepare for litigation — such requests remain valid provided the individual has a genuine intention to exercise their right.

Enforcement and remedies

Failure to comply with Article 17 may result in an administrative fine under Article 83 UK GDPR. Infringements of the Chapter III rights (Articles 12–22) fall under the upper tier of fines: up to £17.5 million or 4% of total annual worldwide turnover of the preceding financial year, whichever is higher (Article 83(5)). Data subjects who are refused erasure or believe a controller has failed to comply may lodge a complaint with the Information Commissioner's Office (Article 77) or apply to the court for an order requiring compliance or for compensation for material or non-material damage (Articles 79 and 82 UK GDPR). The ICO's enforcement powers under Part 6 of the DPA 2018 include the power to issue information notices, assessment notices, and enforcement notices compelling controllers to take remedial action. Published ICO case decisions show that assertions of exceptions are scrutinized closely, particularly in employment and litigation contexts where the individual has a legitimate interest in erasure but the controller relies on the legal-claims exception.

Source: Article 17, UK GDPR (Regulation (EU) 2016/679 as it forms part of UK law) Source: Data Protection Act 2018, Schedule 2 (exemptions from the UK GDPR) Source: ICO: Right to erasure guidance Source: Data (Use and Access) Act 2025, section 66 (research and archiving safeguards — new Article 84B)

Article 15 of the UK GDPR establishes the right of access, also known as a subject access request (SAR). This right entitles data subjects (individuals to whom personal data relates) to obtain from the controller confirmation as to whether or not personal data concerning them are being processed and, where that is the case, access to the personal data and nine categories of supplementary information about the processing. The right of access is one of the most frequently exercised data subject rights and generates the highest volume of Information Commissioner's Office (ICO) complaints and enforcement activity. Controllers must design processes to recognise, verify, search for, and disclose personal data in compliance with the Article 15 requirements, the one-month statutory deadline, and the Schedule 2 exemptions framework.

The three-part obligation under Article 15(1)–(3) UK GDPR

Article 15 imposes three distinct obligations on controllers when responding to a SAR:

1. Confirmation of processing (Article 15(1), opening words) — The controller must confirm whether or not personal data concerning the data subject are being processed. If the controller does not process any personal data about the individual, the controller must state this clearly. A "no data held" response is a valid SAR response provided the controller has conducted a reasonable and proportionate search.

1. Access to the personal data (Article 15(1), "access to the personal data") — Where personal data are being processed, the controller must provide access to that data. Article 15(3) clarifies that the controller must provide a copy of the personal data undergoing processing. The ICO guidance, updated in May 2025 following the Data (Use and Access) Act 2025, emphasises that "access" means providing the data itself in an intelligible form, not merely describing the categories or confirming existence. The data subject is entitled to receive the actual content of emails, notes, transaction records, and other records that constitute their personal data.

1. Nine categories of supplementary information (Article 15(1)(a)–(h) and Article 15(2)) — In addition to the copy of the data, the controller must provide the following information:

(a) The purposes of the processing — The controller must explain why it processes the personal data (for example, to perform a contract, comply with a legal obligation, or pursue legitimate interests). This should align with the lawful basis disclosed in the privacy notice under Article 13 or 14.

(b) The categories of personal data concerned — The controller must identify the types of data being processed (for example, contact details, financial information, health data, employment records). This helps the data subject understand the scope of processing.

(c) Recipients or categories of recipient — The controller must disclose to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations. The ICO's May 2025 guidance update, reflecting recent case law including Harrison v Cameron and ACL, clarifies that controllers must disclose specific recipients (the actual names of organisations or entities) to whom personal data have been or will be disclosed. Providing only "categories of recipients" (such as "IT service providers" or "marketing agencies") is permitted only where naming specific recipients would be impossible or the request is manifestly unfounded or excessive. Controllers should map and record their actual data disclosures to comply with this requirement; vague categorical descriptions are no longer sufficient unless genuinely impossible to specify.

(d) Retention period or criteria — Where possible, the controller must state the envisaged period for which the personal data will be stored. If it is not possible to specify a retention period (for example, because retention depends on future events such as the conclusion of litigation), the controller must explain the criteria used to determine the retention period (for example, "retained for six years following contract termination in accordance with limitation periods for contract claims").

(e) Rights to request rectification, erasure, restriction, or object — The controller must inform the data subject of their right to request rectification or erasure of personal data, restriction of processing, or to object to processing under Articles 16, 17, 18, and 21.

(f) Right to lodge a complaint with the Information Commissioner — The controller must inform the data subject of their right to lodge a complaint with the Information Commissioner's Office (ICO). Article 15(1)(f) UK GDPR refers to "the Commissioner" rather than "a supervisory authority" reflecting the UK's single-regulator model.

(g) Source of the data if not collected directly — Where the personal data were not collected from the data subject, the controller must provide any available information as to the source. If the data came from a publicly accessible source (such as Companies House, the electoral register, or a professional directory), the controller should say so. If the source is a third party (such as a credit reference agency, a previous employer, or a data broker), the controller should name that third party unless an exemption applies (for example, paragraph 16 of Schedule 2, Part 3 of the DPA 2018, which protects the rights of other individuals in certain circumstances).

(h) Existence of automated decision-making, including profiling — The controller must disclose the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) UK GDPR, and, at least in those cases, provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. This requirement applies primarily to decisions based solely on automated processing that produce legal or similarly significant effects (Article 22 decisions). When Article 22 applies, the controller must explain the algorithm's logic in terms a layperson can understand, the factors considered, and the potential impact on the individual (for example, "automated credit scoring based on transaction history and credit bureau data; a score below 600 results in loan application refusal").

(Article 15(2): Cross-border transfer safeguards) — Where personal data are transferred to a third country (a country outside the UK) or to an international organisation, the data subject has the right to be informed of the appropriate safeguards pursuant to Article 46 UK GDPR relating to the transfer. Controllers must specify the transfer mechanism (for example, "transfers to our US-based cloud provider under the UK Extension to the EU Standard Contractual Clauses approved by the ICO on [date]" or "transfers to Singapore under the adequacy regulations designating Singapore as having an adequate level of protection"). Vague statements such as "appropriate safeguards are in place" do not satisfy Article 15(2); the data subject is entitled to know the specific mechanism.

Article 15(3): the right to a copy and the format of provision

Article 15(3) UK GDPR provides that the controller must provide a copy of the personal data undergoing processing. This is the core of the access right — the data subject is entitled to receive the actual data, not merely a summary or description. Article 15(3) further provides:

• Further copies may be subject to a reasonable fee. For any further copies requested by the data subject (beyond the first copy), the controller may charge a reasonable fee based on administrative costs. This provision mirrors Article 12(5) and is discussed in detail in the existing "SAR fees — manifestly unfounded or excessive" section of this guide.

• Electronic format by default. Where the data subject makes the request by electronic means (email, online form, social media message), and unless otherwise requested by the data subject, the information must be provided in a commonly used electronic form. The ICO guidance states that PDF is generally acceptable, though machine-readable structured formats (CSV, JSON, XML) may be more appropriate for large datasets or when the data subject requests portability under Article 20. Controllers should not routinely provide only hard-copy responses to electronic requests unless the data subject has specifically asked for paper.

Article 15(4): the protection-of-rights limitation

Article 15(4) UK GDPR provides that the right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others. This is a built-in limitation, not a full exemption. When a SAR response would disclose information that identifies another individual (third-party personal data), the controller must assess whether disclosure would adversely affect that other person's rights and freedoms. Paragraph 16 of Schedule 2, Part 3 of the Data Protection Act 2018 operationalises this principle: Article 15(1)–(3) UK GDPR does not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information, unless:

• The other individual has consented to the disclosure; or
• It is reasonable to disclose the information without the other individual's consent.

In determining reasonableness, controllers must consider all relevant circumstances, including any duty of confidentiality owed to the other individual, any steps taken to seek that individual's consent, whether the other individual is capable of giving consent, and any express refusal of consent. The ICO guidance emphasises that controllers should apply this exemption on a case-by-case basis and redact only the minimum necessary to protect the third party's rights. It is often possible to redact the third party's name and identifying details while still disclosing the substance of the communication or record that relates to the data subject. A blanket policy of withholding all multi-party emails or records is not compliant; controllers must assess each document individually.

Article 15(1A) and (1B): the Data (Use and Access) Act 2025 amendments — reasonable and proportionate search

The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025, inserted new Article 15(1A) and (1B) into the UK GDPR. These amendments came into force on [date to be confirmed by commencement regulations, expected May 2026]. Article 15(1A) provides:

> "Under paragraph 1, the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that paragraph."

This amendment codifies the ICO's long-standing guidance that controllers are required to conduct a reasonable and proportionate search for responsive personal data but are not required to conduct exhaustive, disproportionate searches. Article 15(1B) sets out factors controllers must consider when determining whether a search is reasonable and proportionate:

• (a) The cost of providing the information, having particular regard to the administrative costs of providing the information;
• (b) The time it would take to provide the information;
• (c) The volume of information that may need to be searched to provide the information;
• (d) The ease or difficulty of retrieving the information; and
• (e) Any other relevant factors.

The ICO's updated guidance (May 2025) explains that controllers may now consider volume as a relevant factor when assessing whether searches would be unreasonable or disproportionate, even if the request is not manifestly excessive under Article 12(5). This is a shift from the previous position, which treated volume primarily as a factor in assessing whether a request was manifestly excessive. Controllers must document their reasoning comprehensively when limiting a search on reasonableness-and-proportionality grounds, balancing the factors in Article 15(1B) against the fundamental importance of the right of access. The ICO will scrutinise assertions that a search is disproportionate, particularly in employment or litigation contexts where the individual has a clear interest in the data.

How to recognise a SAR — no formal wording required

The ICO guidance emphasises that a SAR can be made verbally or in writing, including by social media, email, letter, or in person. The request does not have to include the phrases "subject access request," "right of access," or "Article 15 of the UK GDPR." It just needs to be clear that the individual is asking for their own personal information. Controllers must train staff across all customer-facing functions (not only data protection or legal teams) to recognise and escalate SARs. Individuals can make requests to any part of the organisation, and controllers must have internal processes to route SARs to a central point for action and tracking.

A third party may make a SAR on behalf of another person (for example, a solicitor acting for a client, a relative acting for an elderly or incapacitated individual, or a parent making a request for a child's data). The ICO guidance states that it is essential that controllers are satisfied that the third party is entitled to act on the person's behalf. The third party is responsible for providing evidence of this authority — for example, a written authority signed by the data subject, a power of attorney, or parental responsibility documentation. Controllers may refuse to comply until satisfied that the third party has proper authority, but must not impose unnecessary barriers or demand disproportionate evidence. The one-month response clock runs from the date the controller is satisfied of the third party's authority, not the date of the initial request.

Public authorities and the interplay with Freedom of Information (FOI) law

If the controller is a public authority for the purposes of the Freedom of Information Act 2000 (FOIA), the Environmental Information Regulations 2004 (EIR), or equivalent Scottish or Welsh legislation, and the requester mentions FOI law or uses FOI request wording, the controller must determine whether the request relates solely to the requester's own personal information or also to other information. If the request relates only to the requester's own personal information, the controller must deal with it as a SAR under the UK GDPR (the one-month deadline applies), and the personal information is exempt from disclosure under FOIA. The ICO guidance states that public authorities should clarify within 20 working days that they are treating the request as a SAR and that the one-month UK GDPR timeline applies. If the request relates to both the requester's personal information and to other information, the controller must treat it as two requests: one SAR under the UK GDPR for the personal data, and one FOI request under FOIA for the remaining information. The two regimes have different timelines (one month for SARs, 20 working days for FOIA) and different disclosure tests, so controllers must apply the correct framework to each category of information.

Identity verification and the Article 12A "stop the clock" mechanism

Controllers are entitled to request reasonable information to confirm the identity of the data subject making the request, particularly when the request relates to sensitive data or is received by a channel that does not inherently verify identity (such as an anonymous email address or social media message). Article 12(6) UK GDPR permits controllers to request additional information to confirm identity if they have reasonable doubts. However, controllers must not use identity verification as a mechanism to delay or obstruct SARs. The ICO guidance states that controllers should apply a proportionate approach: asking for a copy of photo ID and proof of address may be appropriate for a request concerning financial or health records, but would be excessive for a request concerning a newsletter subscription.

The Data (Use and Access) Act 2025 inserted new Article 12A into the UK GDPR, which allows controllers to pause the one-month response deadline when clarification is reasonably required to provide an effective response. This "stop the clock" mechanism applies in two scenarios:

1. Identity verification (Article 12A(1)(a)) — When the controller reasonably requires confirmation of the identity of the data subject or of a person making a request on behalf of the data subject.

1. Clarification of the request (Article 12A(1)(b)) — When the controller reasonably requires clarification to locate the personal data or to understand what the data subject wants, and it is not reasonable to expect the controller to comply with the request without that clarification.

Crucially, the DUAA removed the previous condition that the controller must process a "large amount of information" about the requester before pausing the clock. The ICO's May 2025 guidance confirms that controllers may now pause the deadline when clarification is genuinely needed to respond effectively, regardless of the volume of data held. The controller must notify the data subject promptly of the need for clarification, and the clock resumes when the clarification is received. Controllers should not abuse this mechanism by asking unnecessary or repetitive clarificatory questions; the ICO will scrutinise whether clarification was reasonably required or whether the controller was simply seeking to delay the response.

Response timeline, fees, and manifestly unfounded or excessive requests

Article 12(3) UK GDPR requires controllers to respond to SARs without undue delay and in any event within one month of receipt. The period may be extended by a further two months where necessary, taking into account the complexity and number of requests, provided the controller informs the data subject of the extension within one month of the original request, together with reasons for the delay. The existing "SAR fees" section of this guide discusses the Article 12(5) rule that SARs are free of charge unless the request is manifestly unfounded or excessive, in which case the controller may charge a reasonable fee or refuse to act. The burden of demonstrating that a request is manifestly unfounded or excessive rests with the controller and requires comprehensive documentation and case-by-case justification.

Source: Article 15, UK GDPR (Regulation (EU) 2016/679 as it forms part of UK law) Source: Data Protection Act 2018, Schedule 2, Part 3, paragraph 16 (protection of rights of others) Source: ICO: Right of access guidance Source: ICO: A guide to subject access Source: Data (Use and Access) Act 2025, Schedule 10, paragraphs 5 and 6 (amendments to Article 15 and new Article 12A)

Article 21 of the UK GDPR establishes the right to object, which entitles data subjects to require controllers to stop processing their personal data in specified circumstances. The right operates on three distinct levels, each with different procedural requirements and controller obligations. The right to object to direct marketing (including profiling for direct marketing) is absolute — controllers must cease processing immediately and have no grounds to refuse. The right to object to processing based on legitimate interests (Article 6(1)(f)) or public task (Article 6(1)(e)) is not absolute — controllers may continue processing if they demonstrate compelling legitimate grounds that override the data subject's interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. The right to object to processing for scientific or historical research purposes or statistical purposes is limited to cases where the processing is not necessary for the performance of a task carried out for reasons of public interest. Article 21 is one of the most frequently invoked data subject rights in practice, and the Information Commissioner's Office (ICO) emphasizes that controllers must train staff across all customer-facing functions to recognize and escalate objections, particularly given that objections may be made verbally, in writing, or to any part of the organization.

The three-tier structure of Article 21 UK GDPR

Article 21 creates three distinct objection rights, each tied to a specific lawful basis or processing purpose and each with a different controller obligation:

1. Right to object to legitimate-interests or public-task processing (Article 21(1) and (3))

Article 21(1) UK GDPR provides that the data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) (public task or legitimate interests), including profiling based on those provisions. The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025, amended Article 21(1) by inserting the word "clearly" before "on grounds relating to his or her particular situation" with effect from 5 February 2026. This amendment requires that the grounds relating to the data subject's particular situation must be clearly stated, reinforcing the obligation on data subjects to provide specific reasons for their objection rather than blanket or unsubstantiated demands.

Article 21(3) UK GDPR imposes a corresponding obligation on controllers: where a data subject objects under Article 21(1), the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. This is a balancing test. The burden of proof shifts to the controller once the objection is received — the controller must affirmatively demonstrate that its grounds are compelling and that they override the individual's interests. The ICO guidance states that "compelling" sets a high bar; controllers must show that their interests are sufficiently important and that continued processing is necessary and proportionate to achieve those interests. Vague assertions of business need or general efficiency are insufficient. Controllers must document their reasoning comprehensively, weighing the nature and sensitivity of the data, the impact on the individual, the controller's purpose, and any less intrusive alternatives.

The legal-claims exception within Article 21(3) permits continued processing when necessary for the establishment, exercise, or defence of legal claims, even when the controller cannot demonstrate compelling legitimate grounds unrelated to the claim. This exception is interpreted broadly and includes potential claims (not yet filed or threatened) provided the applicable limitation period has not expired and retention is necessary and proportionate. The ICO guidance notes that this exception is commonly invoked in employment contexts (unfair dismissal, discrimination claims) and contract disputes, where controllers routinely retain personal data for the duration of the limitation period (typically six years for contract claims, three years for personal injury or discrimination claims from the date of knowledge).

2. Right to object to direct marketing (Article 21(2) and (3))

Article 21(2) UK GDPR provides that where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Article 21(3) provides that where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes. This is an absolute right — there are no exemptions or grounds for refusal (Article 21(2) and ICO guidance). Controllers must stop processing immediately upon receiving an objection, regardless of the lawful basis originally relied upon (consent, legitimate interests, or any other basis). The ICO guidance states: "If someone objects, you must stop using their personal information for direct marketing. There are no reasons that you can use to refuse their objection."

What constitutes "direct marketing"?

The UK GDPR does not define "direct marketing," but Recital 47 (which remains part of UK law following the transposition of the EU GDPR) states that processing for direct marketing purposes "may be regarded as carried out for a legitimate interest." The ICO's Direct Marketing Guidance (updated periodically, most recently in 2024) defines direct marketing as the communication (by whatever means) of advertising or marketing material which is directed to particular individuals. This includes:

• Selling or promoting products or services (commercial marketing);
• Promoting aims or ideals (charities, political parties, advocacy organizations);
• Profiling to select individuals for the above purposes, including the building and refinement of marketing profiles.

The ICO has clarified that online targeted advertising (behavioral advertising, programmatic ad targeting on social media and websites) constitutes direct marketing for the purposes of Article 21(2). In its submissions to the court in O'Carroll v Meta (2024, settled before trial), the ICO stated that "online targeted advertising should be considered as direct marketing" because the UK GDPR "applies in a technologically neutral manner, including to online activity." The ICO's position is that targeted advertising directed at groups of people (based on their profiles, browsing behavior, or demographic characteristics) falls within the scope of direct marketing, and individuals therefore have an absolute right to object to the collection and processing of their data for such purposes. This position has significant implications for social media platforms, ad-tech providers, and any controller that builds user profiles for advertising purposes.

3. Right to object to research or statistical processing (Article 21(6))

Article 21(6) UK GDPR (as amended by section 70(5) of the Data (Use and Access) Act 2025) provides that where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to his or her particular situation, shall have the right to object to processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest. This is a limited right — if the controller can demonstrate that the research or statistical processing is necessary for a public-interest task (for example, government statistical surveys, public-health monitoring, or archival preservation mandated by law), the objection can be refused. The ICO guidance (updated May 2025 following the DUAA amendments) advises that controllers relying on the public-task basis for research should differentiate between research carried out solely as a task in the public interest and research carried out in the exercise of official authority. Article 21(6) creates an exception only for the former; the ICO recommends that controllers consider each objection on its merits and go through the Article 21(1)/(3) balancing exercise rather than refusing the objection outright unless the public-interest necessity is clear.

How to recognize an objection — no formal wording required

The ICO guidance emphasizes that an objection to processing can be made verbally or in writing (including by email, social media, telephone, or in person) and can be made to any part of the organization. A request does not have to include the phrases "objection to processing," "right to object," or "Article 21 of the UK GDPR" — as long as it is clear that the individual is asking the controller to stop processing their personal data for a specified purpose, it is a valid objection. This presents a practical challenge: any employee who regularly interacts with individuals (customer service, sales, account management, HR) may receive a valid verbal objection. Controllers must implement internal processes to identify and escalate objections to a central point for action and tracking. The ICO recommends maintaining a policy for recording details of objections received verbally, particularly those made by telephone or in person, to ensure the controller can demonstrate compliance and avoid processing data the individual has objected to.

A third party may make an objection on behalf of another person (for example, a solicitor, a relative, or a litigation representative), provided the third party can demonstrate authority to act on the data subject's behalf. Controllers may request evidence of this authority (a written authority signed by the data subject, a power of attorney, or parental responsibility documentation) before acting on the objection, but must not impose unnecessary barriers or demand disproportionate evidence. The one-month response clock runs from the date the controller is satisfied of the third party's authority, not the date of the initial objection.

Controller obligations when an objection is received

When a controller receives an objection under Article 21(1) (legitimate interests or public task), the controller must:

• Stop processing immediately (or within the one-month response deadline under Article 12(3), extendable by two months if complex) unless the controller can demonstrate compelling legitimate grounds that override the individual's interests or the processing is necessary for legal claims. Controllers should implement a temporary suspension of processing (akin to restriction under Article 18) while the compelling-grounds assessment is undertaken, particularly when the data subject has articulated specific harm or impact.

• Conduct and document a balancing assessment if the controller intends to continue processing. This assessment must weigh the controller's grounds (articulated with specificity — not merely "business efficiency" or "we have always done it this way") against the individual's particular situation, the nature and sensitivity of the data, the impact on the individual, and any less intrusive alternatives. The assessment must demonstrate that the controller's grounds are compelling (sufficiently important and pressing) and that they override (are weightier than) the individual's interests, rights, and freedoms. The ICO will scrutinize these assessments closely, particularly in employment, litigation, and profiling contexts where the individual has articulated specific harm (distress, reputational damage, or discriminatory impact).

• Notify the data subject of the outcome within one month (extendable by two months), explaining either that processing has ceased or, if the controller is refusing the objection, the compelling legitimate grounds relied upon, the individual's right to lodge a complaint with the ICO, and the individual's right to an effective judicial remedy (Articles 77, 78, 79 UK GDPR).

When a controller receives an objection under Article 21(2) (direct marketing), the controller must:

• Stop processing the data for direct marketing purposes immediately. This is non-negotiable; there is no balancing test or exception. Processing must cease upon receipt of the objection, and the controller must ensure that the individual's details are not processed for direct marketing in the future.

• Suppress the individual's details rather than erasing them entirely. The ICO guidance clarifies that objecting to direct marketing does not automatically mean the controller must erase the individual's personal data. In most cases it will be preferable to suppress their details — retaining just enough information (name, email address, postal address, or unique identifier) to ensure that their preference not to receive direct marketing is respected in future. Suppression involves placing the individual's details on a suppression list (also called a "do not contact" list) and clearly marking those records so that they are not used for direct marketing purposes. This ensures that if the controller subsequently acquires new direct marketing lists (from third parties or data brokers), it can screen those lists against the suppression list to avoid re-contacting individuals who have objected. The ICO states that because a suppression list is not used for direct marketing purposes (it is used to prevent direct marketing), there is no automatic right for individuals to have their information on such a list deleted. Controllers may rely on the legal-obligation or legitimate-interests lawful basis to maintain suppression lists.

• If the individual also requests erasure in addition to objecting to direct marketing, the controller must assess whether one of the Article 17(1) grounds for erasure applies (for example, the data are no longer necessary, consent is withdrawn and there is no other lawful basis, or the individual objects and there are no overriding legitimate grounds). If an erasure ground applies and no Article 17(3) exception applies, the controller must erase the data except for the minimal information necessary to maintain on a suppression list (name and contact details) to prevent future direct marketing.

Transparency obligation — Article 21(4) and Recital 70

Article 21(4) UK GDPR provides that at the latest at the time of the first communication with the data subject (when the controller first contacts the individual, whether for direct marketing or any other purpose), the right to object under Article 21(1) and (2) shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information. Recital 70 emphasizes that this information should be presented in a clear and plain manner, enabling the individual to easily exercise the right. For direct marketing, this typically means including a prominent opt-out mechanism (an unsubscribe link in emails, a "STOP" keyword for SMS, a tick-box or preference-center link) in every direct marketing communication, and ensuring that the right to object is highlighted in the privacy notice in a way that is visually distinct from other rights. The ICO guidance states that controllers must avoid burying the right to object in dense legal jargon or long privacy notices; transparency builds trust and reduces complaints.

Automated means of objecting — Article 21(5)

Article 21(5) UK GDPR provides that in the context of the use of information society services (online services, apps, websites, social media platforms), the data subject may exercise his or her right to object by automated means using technical specifications. This provision permits the use of technical opt-out signals such as browser settings, preference signals (for example, the Global Privacy Control (GPC) signal, which is a standardized HTTP header and JavaScript API that enables users to signal their objection to the sale or sharing of their personal data), or "Do Not Track" mechanisms. The ICO has indicated that controllers offering online services should honor such automated signals where they are clear, user-initiated, and technically feasible, though the legal force of any particular signal depends on its standardization and adoption. The GPC signal has been recognized by the California Attorney General as a valid opt-out mechanism under the CCPA, and the ICO's guidance suggests that controllers should consider honoring it for UK GDPR objection purposes as well, particularly in the context of direct marketing and profiling. Article 21(5) was amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 to refer to "domestic law made before IP completion day implementing Directive 2002/58/EC" (the ePrivacy Directive), reflecting the UK's post-Brexit status.

Response timelines, fees, and manifestly unfounded or excessive objections

Controllers must respond to objections under Article 21 within one month of receipt (Article 12(3) UK GDPR), extendable by a further two months where necessary, taking into account the complexity and number of requests. The controller must inform the data subject of any extension within one month of the original objection, together with reasons for the delay. Objections are free of charge unless the objection is manifestly unfounded or excessive, in particular because of its repetitive character, in which case the controller may charge a reasonable fee based on administrative costs or refuse to act (Article 12(5)). The burden of demonstrating that an objection is manifestly unfounded or excessive rests with the controller, and the ICO requires strong justifications applied on a case-by-case basis. An objection is not manifestly unfounded simply because the individual's ultimate purpose is to scrutinize the controller's compliance or to prepare for litigation — such objections remain valid provided the individual has a genuine intention to exercise their right.

The Data (Use and Access) Act 2025 inserted new Article 12A into the UK GDPR, which allows controllers to pause the one-month response deadline when identity verification is reasonably required or when clarification is reasonably required to locate the personal data or understand what the data subject wants (and it is not reasonable to expect the controller to comply without that clarification). Controllers must notify the data subject promptly of the need for clarification, and the clock resumes when the clarification is received. Controllers should not abuse this mechanism by asking unnecessary or repetitive clarificatory questions; the ICO will scrutinize whether clarification was reasonably required or whether the controller was simply seeking to delay the response.

Exemptions and restrictions — Schedule 2 of the Data Protection Act 2018

Schedule 2 of the Data Protection Act 2018 lists exemptions that may restrict or disapply the listed UK GDPR provisions, including Article 21. The exemptions most relevant to the right to object are:

• Crime prevention and detection, and tax assessment and collection (paragraph 2, Part 1 of Schedule 2) — Article 21 does not apply to the extent that compliance would be likely to prejudice the prevention or detection of crime, or the assessment or collection of a tax or duty. This exemption is applied on a case-by-case basis and requires a causal link between ceasing processing (in response to the objection) and the identified prejudice. Controllers relying on this exemption must document the specific prejudice and demonstrate that it is likely to arise if processing ceases.

• Legal professional privilege (paragraph 19, Part 2 of Schedule 2) — Article 21 does not apply to personal data consisting of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings. This protects confidential lawyer-client communications and litigation work-product from compelled cessation of processing in response to an objection.

• Research exemption (paragraph 27, Part 6 of Schedule 2) — Article 21(1) and (2) do not apply if processing is for scientific or historical research purposes or statistical purposes, the controller has implemented appropriate safeguards for the rights and freedoms of the data subject in accordance with Article 84B UK GDPR (as amended by the DUAA 2025, replacing the former Article 89(1) reference), and compliance with the right to object would prevent or seriously impair the achievement of the research objectives. This exemption is narrow and fact-specific. Controllers must demonstrate that ceasing processing would not merely inconvenience the research but would seriously impair or render impossible the achievement of the research objectives (for example, by skewing a longitudinal study, undermining the integrity of a clinical trial dataset, or preventing archival preservation mandated by law). The exemption does not apply to data collected directly from the data subject for the research.

Exemptions are not blanket; they apply only to the extent that compliance with the right would be likely to prejudice the specified purpose. Controllers bear the burden of demonstrating the applicability of an exemption and must document their reasoning comprehensively.

Enforcement and remedies

Failure to comply with Article 21 may result in an administrative fine under Article 83 UK GDPR. Infringements of the Chapter III rights (Articles 12–22) fall under the upper tier of fines: up to £17.5 million or 4% of total annual worldwide turnover of the preceding financial year, whichever is higher (Article 83(5)). Data subjects who are refused or believe a controller has failed to comply may lodge a complaint with the Information Commissioner's Office (Article 77) or apply to the court for an order requiring compliance or for compensation for material or non-material damage (Articles 79 and 82 UK GDPR). The ICO's enforcement powers under Part 6 of the DPA 2018 include the power to issue information notices, assessment notices, and enforcement notices compelling controllers to take remedial action. Published ICO case decisions show that assertions of compelling legitimate grounds are scrutinized closely, particularly in employment, litigation, and profiling contexts where the individual has articulated specific harm.

Source: Article 21, UK GDPR (Regulation (EU) 2016/679 as it forms part of UK law) Source: Data Protection Act 2018, Schedule 2 (exemptions from the UK GDPR) Source: ICO: Right to object guidance Source: ICO: Direct marketing guidance Source: Data (Use and Access) Act 2025, section 70 (amendment to Article 21)

Article 16 of the UK GDPR establishes the right to rectification, which entitles data subjects to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. This right has two components: the right to have inaccurate personal data corrected, and the right to have incomplete personal data completed, including by means of providing a supplementary statement. Article 16 is closely linked to the accuracy principle in Article 5(1)(d) UK GDPR, which requires that personal data be "accurate and, where necessary, kept up to date" and that "every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay." The right to rectification imposes a specific obligation on controllers to reconsider the accuracy of data upon request, even when the controller took reasonable steps to ensure accuracy at the time of collection.

The two-limb right: inaccurate data and incomplete data

Article 16 UK GDPR provides that:

> "The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement."

The first limb addresses inaccurate personal data. The UK GDPR does not define "inaccurate," but the Information Commissioner's Office (ICO) guidance and case law interpret this to mean that the facts contained within the personal data do not conform to reality. Common examples include misspelled names, incorrect addresses, erroneous employment history, or inaccurate credit reference information. Inaccuracy is assessed objectively: if the data does not reflect the true factual position, it is inaccurate. However, the concept of accuracy can be complex when applied to opinions or historical records. The ICO guidance states that opinions are, by their very nature, subjective, and it can be difficult to conclude that the record of an opinion is inaccurate. As long as the record shows clearly that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be rectified. Controllers should distinguish between challenging the accuracy of a fact (which may be objectively wrong) and challenging the validity or fairness of an opinion (which is inherently subjective).

The second limb addresses incomplete personal data. The ICO guidance clarifies that data may be deemed "complete" for one purpose but "incomplete" for another, so controllers are only obliged to rectify data sets that are incomplete having regard to the purposes of the processing. The ICO provides the example of creditworthiness information: if a credit file records a refusal to pay but omits the fact that the reason was an incorrect delivery of goods, the record is incomplete because it gives a misleading impression for the purpose of assessing credit risk. The data subject may require the controller to complete the record by adding a supplementary statement explaining the context.

How to recognize a rectification request — no formal wording required

The UK GDPR does not specify how to make a valid rectification request. The ICO guidance emphasizes that an individual can make a request for rectification verbally or in writing (including by email, letter, social media message, telephone, or in person), and the request can be made to any part of the organization, not only to a specific person or contact point. A request to rectify personal data does not need to mention the phrase "request for rectification," "Article 16," or "UK GDPR" to be valid. As long as the individual has challenged the accuracy of their data and has asked the controller to correct it, or has asked the controller to complete incomplete data, this will be a valid request under Article 16. This presents an operational challenge: any employee who regularly interacts with individuals (customer service, sales, account management, HR) may receive a valid verbal rectification request. Controllers must implement internal processes to identify and escalate rectification requests to a central point for action and tracking. The ICO recommends maintaining a policy for recording details of requests received verbally, particularly those made by telephone or in person, to ensure the controller can demonstrate compliance.

A third party may make a rectification request on behalf of another person (for example, a solicitor acting for a client, a relative acting for an elderly or incapacitated individual, or a parent making a request for a child's data). The ICO guidance states that controllers are entitled to request evidence that the third party is entitled to act on the person's behalf — for example, a written authority signed by the data subject, a power of attorney, or parental responsibility documentation. Controllers may refuse to comply until satisfied that the third party has proper authority, but must not impose unnecessary barriers or demand disproportionate evidence.

The controller's assessment obligation — reasonable steps to verify accuracy

When a controller receives a rectification request, Article 16 imposes an affirmative obligation on the controller to take reasonable steps to satisfy itself that the data is accurate and to rectify the data if necessary. The controller must take into account the arguments and evidence provided by the data subject. What steps are "reasonable" depends, in particular, on the nature of the personal data and what it will be used for. The more important it is that the personal data is accurate, the greater the effort the controller should invest in checking its accuracy and, if necessary, taking steps to rectify it. The ICO guidance states that controllers should make a greater effort to rectify inaccurate personal data if it is used to make significant decisions that will affect an individual or others, rather than data used for trivial or low-impact purposes. For example, a controller should rigorously investigate and rectify inaccuracies in credit reference data, employment records used for background checks, or medical data used for clinical decisions, because errors in these contexts can cause substantial harm (denial of credit, loss of employment opportunities, or incorrect medical treatment).

The ICO guidance clarifies that a rectification request gives the controller an opportunity to reconsider the accuracy of data upon request, even if the controller originally took reasonable steps to ensure accuracy at the time of collection. This reflects the principle that personal data must remain accurate over time, and that data subjects are often best placed to identify errors in data about themselves. Controllers should not dismiss rectification requests simply because the data was accurate when originally collected or because the controller has relied on the data for a period of time. Changed circumstances (a name change following marriage, a change of address, updated employment status) or newly discovered evidence (proof that a debt was disputed or paid) may require rectification even when the original data was accurate at the time of recording.

Restriction of processing pending verification — Article 18 interplay

The ICO guidance, updated in 2025, emphasizes that as a matter of good practice, controllers should restrict the processing of the personal data in question while they are verifying its accuracy, whether or not the individual has formally exercised their right to restriction under Article 18 UK GDPR. Article 18(1)(a) UK GDPR provides that the data subject has the right to obtain restriction of processing where the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data. When processing is restricted, the controller is permitted to store the personal data but must cease further use of it (except with the data subject's consent, for the establishment, exercise, or defence of legal claims, for the protection of the rights of another person, or for reasons of important public interest — Article 18(2) UK GDPR). The ICO recommends that controllers implement a temporary suspension or flag on contested data to prevent it from being used for decision-making or disclosed to third parties while the accuracy assessment is ongoing. This minimizes the risk of harm to the data subject if the data is ultimately found to be inaccurate.

Response timeline, fees, and manifestly unfounded or excessive requests

Article 12(3) UK GDPR requires controllers to respond to rectification requests without undue delay and in any event within one month of receipt. The period may be extended by a further two months where necessary, taking into account the complexity and number of requests, provided the controller informs the data subject of the extension within one month of the original request, together with reasons for the delay. The ICO guidance states that the one-month period starts on the day after the request is received (it does not matter whether that day is a working day or not), and the deadline is the corresponding calendar date in the next month. If there is no corresponding date (for example, a request received on 31 January has a deadline of 28 or 29 February, depending on whether it is a leap year), the deadline is the last day of the month. If the deadline falls on a weekend or public holiday, the controller has until the end of the next working day to comply.

Rectification requests are free of charge unless the request is manifestly unfounded or excessive, in particular because of its repetitive character, in which case the controller may charge a reasonable fee based on administrative costs or refuse to act (Article 12(5) UK GDPR). The burden of demonstrating that a request is manifestly unfounded or excessive rests with the controller, and the ICO requires strong justifications applied on a case-by-case basis. The ICO guidance states that controllers must be able to demonstrate to the individual (and, if asked, to the ICO) why they consider the request manifestly unfounded or excessive. A request is not manifestly unfounded simply because the controller believes its data is accurate or because the individual's ultimate purpose is to prepare for litigation — such requests remain valid provided the individual has a genuine intention to exercise their right to rectification.

Refusing a rectification request — when controllers may (and must) say no

Controllers are not obliged to rectify data in every case. A controller may refuse a rectification request if, after taking reasonable steps to investigate, it is satisfied that the personal data is accurate and complete. The ICO guidance emphasizes that controllers should inform the data subject if they are not going to amend the data, and should explain clearly why they believe the data is accurate. The controller must also inform the data subject of their right to lodge a complaint with the ICO and their right to seek a judicial remedy (Articles 77, 78, and 79 UK GDPR). If the controller refuses to rectify the data, the ICO recommends as a matter of good practice that the controller record that the data subject has challenged the accuracy of the data and the reasons why. This ensures that if the data is subsequently disclosed (for example, in a subject access request response or to a third party), the controller can demonstrate that it considered the challenge and explain its decision.

Disputed facts and opinions — special cases

Two categories of rectification request present particular difficulty: disputed facts and opinions.

Disputed facts arise when the data subject and the controller each believe their version of the facts to be accurate, but the versions conflict. For example, an employer's disciplinary record may state that an employee was absent without authorization on a specific date, but the employee asserts they had prior approval. The ICO guidance does not prescribe a single approach, but emphasizes that controllers must conduct a reasonable investigation, weigh the evidence on both sides, and document their reasoning. If the controller cannot definitively resolve the dispute, it may be appropriate to add a supplementary statement to the record (using the "incomplete data" limb of Article 16) reflecting the data subject's contested account, rather than simply deleting or replacing the original entry. This preserves both accounts and acknowledges the dispute.

Opinions are inherently subjective. The ICO guidance states that as long as the record shows clearly that the information is an opinion and, where appropriate, whose opinion it is, it may be difficult to say that it is inaccurate and needs to be rectified. For example, a performance review that records a manager's opinion that an employee's work quality is "below expectations" is not inaccurate simply because the employee disagrees with the assessment, provided the record makes clear it is the manager's opinion and is dated and attributed. However, if the record of the opinion is factually wrong (for example, it attributes an opinion to the wrong person, or records an opinion that was never expressed), the record itself is inaccurate and must be corrected. The ICO guidance suggests that in some cases, the appropriate remedy may be to add the data subject's own statement to the record, providing their perspective on the opinion, rather than to delete or alter the original opinion.

Historical records and audit trails — the "accurate record of a mistake" issue

A related issue arises when personal data records a historical mistake that has since been corrected. For example, a bank may have initially recorded an incorrect account balance, then corrected it the following day. The historical record shows the mistake; the current record is accurate. The ICO guidance states that it "may be possible to argue" that the record of the mistake is accurate as a record of what was believed or recorded at the time, even though the underlying fact was wrong. Controllers must balance the accountability principle (Article 5(2) UK GDPR), which requires that processing be transparent and auditable, against the individual's right to rectification. In many cases, the appropriate approach is to retain the historical record with an annotation explaining that it was an error and has been corrected, rather than deleting the historical entry entirely. This preserves the audit trail (particularly important for financial services, healthcare, and public-sector controllers subject to regulatory record-keeping obligations) while ensuring that anyone reviewing the record understands the correction. The ICO emphasizes that controllers should apply this approach carefully and on a case-by-case basis; it is not a blanket justification for refusing to rectify demonstrably inaccurate data.

The Article 19 onward-notification duty — telling recipients about the rectification

When a controller rectifies personal data, Article 19 UK GDPR imposes a corresponding obligation to communicate the rectification to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. A "recipient" is defined in Article 4(9) UK GDPR as a natural or legal person, public authority, agency, or other body to which the personal data are disclosed, whether a third party or not. The definition includes controllers, processors, and persons who, under the direct authority of the controller or processor, are authorized to process personal data. The ICO guidance emphasizes that controllers must contact each recipient and inform them of the rectification (or completion) of the personal data, unless doing so is impossible (for example, the recipient no longer exists or cannot be identified) or involves disproportionate effort (for example, the data was disclosed to hundreds of recipients in bulk, and tracing and notifying each would require resources entirely out of proportion to the benefit). The ICO clarifies that "disproportionate effort" is a narrow exception and controllers must be able to justify it on a case-by-case basis.

If the data subject asks the controller to identify the recipients, the controller must inform the individual about those recipients (Article 19, second sentence). Controllers should therefore maintain records of disclosures (as part of their general Article 5(2) accountability obligation and, where applicable, their Article 30 records of processing activities) to enable them to comply with the Article 19 notification duty and to respond to requests for recipient information.

Exemptions and restrictions — Schedule 2 of the Data Protection Act 2018

Schedule 2 of the Data Protection Act 2018 lists exemptions that may restrict or disapply the listed UK GDPR provisions, including Article 16. The exemptions most relevant to the right to rectification are:

Crime prevention and tax (paragraph 2, Part 1 of Schedule 2) — Article 16 does not apply to the extent that compliance would be likely to prejudice the prevention or detection of crime, or the assessment or collection of a tax or duty. This exemption is applied on a case-by-case basis and requires a causal link between rectifying the data and the identified prejudice. For example, a law-enforcement agency may refuse to rectify data forming part of an ongoing criminal investigation if doing so would tip off the suspect or undermine evidence gathering. Controllers relying on this exemption must document the specific prejudice and demonstrate that it is likely to arise if the data is rectified.

Immigration control (paragraph 4, Part 1 of Schedule 2, as amended by S.I. 2024/342) — The immigration exemption historically permitted the Secretary of State to restrict Article 16 (along with other listed GDPR provisions) where compliance would be likely to prejudice the maintenance of effective immigration control or the investigation or detection of activities that would undermine it. Following the Court of Appeal's judgment in R (3million and Open Rights Group) v Secretary of State for the Home Department [2023] EWCA Civ 1474, the Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 (S.I. 2024/342), which came into force on 8 March 2024, inserted detailed safeguards into new paragraph 4A of Schedule 2. Notably, paragraph 4(2) of Schedule 2 expressly excludes Article 16 (right to rectification) from the immigration exemption, meaning that the right to rectification cannot be restricted on immigration-control grounds. This is a significant change and reflects the Court of Appeal's emphasis on the fundamental nature of the right to accurate data. Controllers processing personal data for immigration purposes (including the Home Office, UK Visas and Immigration, and Border Force) must comply with Article 16 rectification requests and cannot invoke the immigration exemption to refuse them.

Legal professional privilege (paragraph 19, Part 2 of Schedule 2) — Article 16 does not apply to personal data consisting of information in respect of which a claim to legal professional privilege could be maintained in legal proceedings. This protects confidential lawyer-client communications and litigation work-product from compelled rectification. The privilege applies only to legally privileged communications (advice privilege or litigation privilege); it does not extend to general legal or regulatory correspondence that is not privileged.

Research exemption (paragraph 27, Part 6 of Schedule 2) — Paragraph 27 of Schedule 2 provides an exemption from Article 16 if processing is for scientific or historical research purposes or statistical purposes, the controller has implemented appropriate safeguards for the rights and freedoms of the data subject in accordance with Article 84B UK GDPR (as amended by the Data (Use and Access) Act 2025, replacing the former Article 89(1) reference), and complying with the right to rectification would prevent or seriously impair the achievement of the research objectives. This exemption is narrow and fact-specific. The ICO guidance states that controllers must demonstrate that rectifying the data would not merely inconvenience the research but would seriously impair or render impossible the achievement of the research objectives. An example is archived records of enduring historical value, which are generally not altered after the archiving organization receives them because doing so would undermine the integrity of the historical record. The research exemption does not permit a blanket refusal of all rectification requests; controllers must assess each request on a case-by-case basis and apply the exemption only to the extent necessary to prevent the identified prejudice.

Exemptions are not blanket; they apply only to the extent that compliance with the right would be likely to prejudice the specified purpose. Controllers bear the burden of demonstrating the applicability of an exemption and must document their reasoning comprehensively.

Enforcement and remedies

Failure to comply with Article 16 may result in an administrative fine under Article 83 UK GDPR. Infringements of the Chapter III rights (Articles 12–22) fall under the upper tier of fines: up to £17.5 million or 4% of total annual worldwide turnover of the preceding financial year, whichever is higher (Article 83(5)). Data subjects who are refused rectification or believe a controller has failed to comply may lodge a complaint with the Information Commissioner's Office (Article 77) or apply to the court for an order requiring compliance or for compensation for material or non-material damage (Articles 79 and 82 UK GDPR). The ICO's enforcement powers under Part 6 of the DPA 2018 include the power to issue information notices, assessment notices, and enforcement notices compelling controllers to take remedial action. The ICO has emphasized in published guidance that the right to rectification is a fundamental safeguard for the accuracy principle and that controllers who routinely refuse rectification requests without proper investigation risk regulatory intervention.

Source: Article 16, UK GDPR (Regulation (EU) 2016/679 as it forms part of UK law) Source: Article 19, UK GDPR (notification obligation regarding rectification or erasure) Source: Data Protection Act 2018, Schedule 2 (exemptions from the UK GDPR) Source: ICO: Right to rectification guidance Source: Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 (S.I. 2024/342)