A law firm which offers more

Call us: 0113 246 0622

Subject Access, Rectification & Portability


Welcome to the fifth instalment in our mini-series of blog posts on the General Data Protection Regulation ("GDPR").

GDPR provides individuals with greater rights over their personal information. This post highlights three principal rights of which data controllers should be aware.

1. Subject Access

Under GDPR, individuals are entitled to request the following information from a data controller:

Free of Charge

Under the Data Protection Act 1998, data controllers are entitled to charge a fee of £10 to respond to subject access requests. The right to charge a fee is removed under GDPR – the data controller must provide the requested information free of charge.

If a subject access request is unfounded, excessive, repeated or vexatious organisations may be entitled to charge a reasonable fee or refuse to respond. What is considered “reasonable” will depend on the administrative cost of providing the information. The ability to request payment or refuse to respond is likely to be relatively limited in practice.


Data controllers must respond to an access request within 1 month of receipt. Extension of the response time is permitted for up to two additional months where requests are numerous or complex, but data controllers must inform the data subject within 1 month if an extension is required along with an explanation for the delay.

If a data controller decides that, due to the nature of the request, it is not required to respond to the request, it must inform the data subject without delay and no later than 1 month after receiving the request, setting out the reasons why it has chosen not to respond in full.

2. Rectification

Data controllers must ensure that personal data they process is accurate, kept up to date and deleted or corrected without delay if it is inaccurate. GDPR gives data subjects the right to request correction of any inaccurate or incomplete personal data held by the data controller. Data controllers must comply with the request without undue delay.

3. Portability

Under GDPR, data subjects are entitled to:

Responding to a data portability request does not require the data to be deleted from the data controller’s systems nor does it affect the original retention period.


Any failure by a data controller in respect of a data subject’s rights as set out above could incur administrative fines up to €20,000,000 or 4% of group worldwide turnover, whichever is higher.

Next Steps

Organisations should consider:

To find out more about how we can help you to prepare for the GDPR please visit our GDPR section or contact Matthew Hattersley or Florence Maxwell.

Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.