
1. GDPR individual rights at the heart of compliance

Since the General Data Protection Regulation (GDPR) came into force in 2018, individual rights have become an essential pillar of personal data protection. This European regulation aims to give individuals back real control over the use of their data, in a context where it is collected and processed on a large scale by companies, government agencies, and online services.

Every data subject whose data is collected has rights guaranteed by law, which organizations must respect: access, rectification, erasure of data, data portability, restriction of processing, and objection. These rights exist to protect privacy, prevent abuse, and ensure complete transparency regarding how data is used.

In this article, we review these fundamental rights (the GDPR individual rights), their purpose, and how to implement them under the GDPR in specific situations.


2. What are the rights of individuals under the GDPR

The GDPR recognizes eight fundamental rights for individuals to enable them to maintain control over their personal data. Every organization that processes this data must not only respect these rights, but also facilitate their exercise in a simple and transparent manner.

Here are the main rights provided for in the regulation:

  • Right of access: anyone may request to know whether data concerning them is being processed, obtain a copy of the data, and verify the rules applied: purposes, data retention period, third-party recipients, or origin.

  • Right to rectification: the individual may have any inaccurate or incomplete information corrected. This right is essential, particularly when the processing has an impact on their personal or professional situation.

  • Right to erasure (or "right to be forgotten"): in the event of withdrawal of consent, or if the data is no longer necessary, the individual may request the erasure of their data, even if it has been shared with a third party or used for another purpose.

  • Right to restriction of processing: this allows the use of data to be temporarily suspended pending further verification or consultation.

  • Right to data portability: this right gives individuals the possibility to receive their data in a structured format, in order to transfer it to another controller.

  • Right to object: an individual may refuse the use of their data under certain conditions, in particular for automated decision-making or marketing.

  • Right not to be subject to automated decision-making: particularly when profiling produces significant or legal effects.

  • Right to withdraw consent: at any time, a person may withdraw their consent without justification, and this withdrawal must not result in any negative consequences in terms of access to data or to a service.

These individual rights must be accessible, understandable, and easy to exercise.

3. How can you exercise your rights in practice?

In accordance with the GDPR, any data subject must be able to exercise their rights easily, free of charge, and without hindrance. It is not enough to simply state these rights in a privacy policy: their practical implementation is a legal obligation for the controller.

3.1 Terms and conditions of exercise

Requests may be submitted:

  • Via an online form, if the organization provides one,
  • By email, via a dedicated address such as dpo@dipeeo.com,
  • Or by post, particularly if the person prefers a paper copy.

Regardless of the channel, the organization must verify the identity of the applicant, while ensuring that it does not collect more information than necessary.

3.2 Response time

The response time is a maximum of one month from receipt of the request. In the case of complex requests, this period may be extended by two additional months, but the data subject must be informed of this within the first month, with clear justifications provided in understandable language.

3.3 Refusal to process a request

The organization may refuse to comply with a request only if it is manifestly excessive, unfounded, or repetitive. Such a refusal must be justified, and the data subject must be informed of the possibility of lodging a complaint with the CNIL (National Commission for Information Technology and Civil Liberties) or another competent data protection authority.

GDPR procedure for managing individuals' rights

At Dipeeo, we support our clients in the practical implementation of GDPR individual rights management procedures. Here are the essential best practices that every company should adopt:

4. The Dipeeo method for processing requests

4.1 Centralize GDPR data subject requests

Via a GDPR email address or a clear form on the website. This allows:

  • To avoid lost or misdirected requests,
  • To facilitate the monitoring of deadlines,
  • To reassure those concerned.

4.2 Acknowledge receipt of requests

Always send a confirmation to ensure transparency and track receipt.

4.3 Establish a clear process

The GDPR imposes a deadline of one month. You must:

  • Never leave a request unanswered,
  • Anticipate sensitive periods,
  • Establish structured monitoring.

4.4 Explain the rights on a dedicated page accessible from the website's home page, including:

  • A summary of individual rights,
  • The terms and conditions of exercise,
  • A link to the privacy policy.

4.5 Train all relevant teams

Customer service, sales, marketing... All these teams must:

  • Recognize a GDPR request,
  • Know how to redirect it to the right contact person,
  • Master the right compliance reflexes.

4.6 Manage cookies transparently

Implement a cookie manager that allows everyone to adjust their preferences when visiting the site, in line with consent and data portability.

One of the most common mistakes is to systematically request proof of identity for every GDPR request. This practice is contrary to the spirit of the regulation.

What the GDPR says

Identity checks should only be carried out in cases of reasonable doubt regarding the applicant's identity (Article 12.6 of GDPR). Making them a default requirement violates the principle of data minimization (Article 5.1.c).

It is therefore essential to limit this verification to cases where it is truly justified.


5. How can you prove that personal data rights are being managed properly?

The GDPR requires organizations not only to respect individuals' rights, but also to be able to demonstrate that they have done so. This is known as the principle of accountability, set out in Article 5.2 of the regulation.

In practical terms, this means that each company must be able to justify how it handles requests: that a request has been received, analyzed, processed within the deadline, and that a response has been provided.

5.1 Maintain a record of requests

At Dipeeo, we always recommend keeping an internal record of rights requests, including at least:

  • The date of receipt of the request,
  • The type of right exercised (access, rectification, deletion, etc.),
  • The date and nature of the response provided,
  • The status (in progress, processed, denied with justification, etc.),
  • And, when necessary, the identity of the data subject.

This register allows you to:

  • Follow the deadlines imposed by the GDPR (1 month maximum),
  • Prove the proper handling of each request in the event of an audit by the CNIL (National Commission for Information Technology and Civil Liberties),
  • Centralize history to avoid duplicates or internal errors.

A frequently asked question: why keep names after a deletion request?

This is a question our clients ask very often:

“If a person exercises their right to erasure, can we still keep their name in a register?”

The answer is yes, but with conditions.

It is perfectly legitimate to keep minimal records (e.g., name, email address, and date of request) for evidentiary purposes, in order to demonstrate that the request was properly processed. This data retention is justified by the documentation purpose tied to accountability.

On the other hand:

  • This data must be strictly limited to what is necessary,
  • It must no longer be used for other purposes (neither commercial nor statistical),
  • And it must be stored separately from operational databases (e.g., in a GDPR register or a dedicated secure space).

In summary, the right to erasure does not mean erasing all traces of the exercise of this right. A fair balance must be struck between operational deletion and the retention of evidence, within a secure and proportionate framework.
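To make the register described in section 5.1 and the erasure trade-off above concrete, here is an added example (written for this article, not Dipeeo's own tooling) of a minimal data subject request register. The class and field names (`Register`, `RightsRequest`, `Right`, `Status`) and the sample customer database are constructed assumptions; the deadline logic implements the article's rule of one month from receipt, extended to three months in total when an extension is notified within the first month. A processed erasure removes the profile from the operational store while the register keeps only the minimal evidentiary record (name, email, dates, status), held separately from that store.

```python
"""Hypothetical data subject request register (constructed example)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional


class Right(Enum):
    ACCESS = "access"
    RECTIFICATION = "rectification"
    ERASURE = "erasure"
    RESTRICTION = "restriction"
    PORTABILITY = "portability"
    OBJECTION = "objection"


class Status(Enum):
    RECEIVED = "received"
    IN_PROGRESS = "in progress"
    PROCESSED = "processed"
    DENIED = "denied"


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class RightsRequest:
    request_id: str
    right: Right
    received_on: date
    subject_name: str
    subject_email: str
    status: Status = Status.RECEIVED
    extended_on: Optional[date] = None
    extension_reason: str = ""
    responded_on: Optional[date] = None
    justification: str = ""

    def deadline(self) -> date:
        # One month by default; three months in total once an extension is granted.
        return add_months(self.received_on, 3 if self.extended_on else 1)

    def extend(self, today: date, reason: str) -> None:
        """Extend by two months; allowed once, notified within the first month, with a reason."""
        if self.extended_on is not None:
            raise ValueError("a request may only be extended once")
        if today > add_months(self.received_on, 1):
            raise ValueError("extension must be notified within the first month")
        if not reason.strip():
            raise ValueError("an extension needs a justification for the data subject")
        self.extended_on = today
        self.extension_reason = reason

    def is_overdue(self, today: date) -> bool:
        return self.responded_on is None and today > self.deadline()


class Register:
    """Holds request records separately from the operational customer database."""

    def __init__(self, operational_db: dict) -> None:
        self.operational_db = operational_db  # email -> profile, the "live" data
        self.entries: dict = {}

    def receive(self, req: RightsRequest) -> str:
        if req.request_id in self.entries:
            raise ValueError("duplicate request id")
        self.entries[req.request_id] = req
        # Acknowledgement text sent back to the data subject (section 4.2).
        return f"Request {req.request_id} received on {req.received_on.isoformat()}"

    def close(self, request_id: str, today: date, status: Status,
              justification: str = "") -> RightsRequest:
        req = self.entries[request_id]
        if status is Status.DENIED and not justification.strip():
            raise ValueError("a refusal must be justified")
        if status is Status.PROCESSED and req.right is Right.ERASURE:
            # Operational deletion: the profile leaves the live database...
            self.operational_db.pop(req.subject_email, None)
        req.status = status
        req.responded_on = today
        req.justification = justification
        return req

    def evidence(self, request_id: str) -> dict:
        # ...while the register keeps only the minimal evidentiary record.
        req = self.entries[request_id]
        return {
            "name": req.subject_name,
            "email": req.subject_email,
            "right": req.right.value,
            "received_on": req.received_on.isoformat(),
            "responded_on": req.responded_on.isoformat() if req.responded_on else None,
            "status": req.status.value,
        }

    def overdue(self, today: date) -> list:
        """Request ids past their deadline with no response, for deadline monitoring."""
        return [rid for rid, r in self.entries.items() if r.is_overdue(today)]
```

Month arithmetic is done on calendar months rather than fixed 30-day periods, so a request received on 31 January falls due on the last day of February; whether that is the right reading for your jurisdiction is a question for your DPO, and the `deadline` method is the single place to adjust it.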

6. What are the penalties for non-compliance?

The GDPR is not limited to theoretical principles: it is accompanied by concrete powers of control and sanction, entrusted to data protection authorities such as the CNIL (National Commission for Information Technology and Civil Liberties) in France. When an organization fails to respect individuals' rights or hinders their exercise, it exposes itself to consequences that can sometimes be severe.

6.1 Fines of up to €20 million

Failure to comply with GDPR rights is one of the most seriously penalized violations under the GDPR.
Administrative fines can reach:

  • Up to €20 million, or
  • 4% of the company's global annual revenue (whichever is higher).

The criteria taken into account by the CNIL (National Commission for Information Technology and Civil Liberties) when determining a penalty include:

  • The severity and duration of the violation,
  • The number of people affected,
  • Whether intentional or not,
  • And the company's cooperation during the inspection.

6.2 Specific examples of sanctions

Several organizations have been penalized for:

  • Failing to respond to a request for deletion or access within the specified time frame,
  • Refusing the exercise of a right without valid justification,
  • Or deliberately making the process complex, discouraging people from asserting their rights.

6.3 Anticipating means avoiding risks

Respecting people's GDPR rights is not just about avoiding fines: it is about protecting your reputation, building trust, and ensuring the GDPR compliance of your business.

Conclusion: Put GDPR individual rights at the heart of your compliance efforts

Individual rights under the GDPR are not just an administrative formality: they are the backbone of the law. Through the rights of access, rectification, and erasure of data, data portability, restriction of processing, and objection, every individual must be able to exercise effective control over the use of their personal data.

For companies, this involves much more than a declaration of intent. It is a matter of implementing:

  • clear rules,
  • a documented organization,
  • language that is understandable to all audiences,
  • and practical tools such as an online form, a dedicated email address, and a powerful cookie manager.

At Dipeeo, we support our clients in transforming these obligations into levers for transparency, trust, and sustainable compliance. Respecting GDPR rights also means anticipating complaints, avoiding penalties, and building a responsible relationship with clients and partners.

For more information, see our GDPR privacy policy template: clear, comprehensive, and compliant. It contains everything you need to inform your users and enable them to exercise their rights easily.

Samia Rahammia

IT and Data Lawyer and Marketing Project Manager