Category: Compliance & AML · Reviewed by Matt Bartlett, Director · Founder · Last reviewed June 2026
The eight individual rights conferred by UK GDPR Chapter III — the right to be informed and the rights of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making and profiling — that controllers must be able to honour on request, within prescribed deadlines.
Data subject rights are the rights that individuals have in respect of their personal data. They are set out in Chapter III of the UK GDPR (Articles 12–22) and supplemented by the Data Protection Act 2018. The rights are not absolute — many are qualified by exemptions and balanced against the interests of others.
UK GDPR, Articles 12 (transparent communication), 13–14 (right to be informed), 15 (right of access — DSAR), 16 (right to rectification), 17 (right to erasure / right to be forgotten), 18 (right to restrict processing), 19 (notification obligation), 20 (right to data portability), 21 (right to object), 22 (rights in relation to automated individual decision-making). Data Protection Act 2018, Schedule 2 (exemptions).
A right is exercised by a request to the controller. The controller must respond within one month (extendable by two further months for complex requests). The response must be free of charge unless the request is manifestly unfounded or excessive. The right of access (DSAR) is the most common — it gives the individual a copy of their personal data and supplementary information about the processing. The right to erasure applies in specific situations including where the data is no longer necessary or processing was unlawful. The right to object applies to direct marketing as an absolute right and to other legitimate-interests processing as a balancing exercise.
Many DPA 2018 Schedule 2 exemptions apply — including for crime prevention, regulatory compliance (FCA, AML, sanctions), legal professional privilege, and certain insurance fraud prevention work. The Article 22 automated decision-making restriction has exemptions for explicit consent and contract performance with appropriate safeguards.
A former customer requests a copy of their personal data held by Apex (Article 15 DSAR). Apex confirms identity, identifies all systems holding the data, redacts third-party personal data where relevant, applies any Schedule 2 exemptions (e.g. for ongoing complaint investigation), and provides the response within one month. The DSAR log records the request, the responsive data, the exemptions applied and the date of response.
UK GDPR, Articles 12–22. Data Protection Act 2018, Schedule 2. ICO guidance on Individual rights.
By Matt Bartlett, Director, on 2026-06-11.
This entry is part of the Apex Insurance Wiki. Last reviewed by Matt Bartlett on 2026-06-11. Apex Insurance Brokers Limited, FCA FRN 724952, Companies House 07014570. Not regulated advice — consult your broker on your specific position.
Apex Insurance Brokers serves UK professional services firms and commercial businesses. Call 0117 325 0027, email hello@apexinsurancebrokers.co.uk, or request a quotation.