GDPR Articles Reference
This guide provides quick reference to the GDPR articles most relevant to handling data subject requests.
Data Subject Rights (Chapter III)
Article 12 - Transparent Communication
Key Points:
- Respond within one month of receipt
- May extend by two months for complex requests
- Must inform subject of extension within one month
- Response must be free of charge (first copy)
- Can charge reasonable fee for additional copies
In SAR Portal:
- Automatic 30-day deadline tracking
- Extension feature with subject notification
- Timeline tracking for compliance
Article 13 & 14 - Information to be Provided
Key Points:
- Must inform subjects about data processing
- At collection (Art. 13) or within one month (Art. 14)
- Includes purposes, recipients, retention, rights
In SAR Portal:
- Public portal includes required disclosures
- Privacy notice link configurable
Article 15 - Right of Access
Key Points:
- Confirm whether personal data is processed
- Provide copy of personal data
- Provide information about processing
- First copy free, may charge for additional
In SAR Portal:
- “Access Request” case type
- Document upload for data provision
- AI redaction to remove third-party data
Article 16 - Right to Rectification
Key Points:
- Right to correct inaccurate data
- Right to have incomplete data completed
In SAR Portal:
- “Rectification” case type
- Track corrections made
Article 17 - Right to Erasure
Key Points:
- Right to have personal data erased
- Applies when: no longer necessary, consent withdrawn, unlawful processing
- Exemptions: legal obligations, legal claims, public interest
In SAR Portal:
- “Erasure Request” case type
- Document deletion tracking
- Exemption documentation
Article 18 - Right to Restriction
Key Points:
- Right to restrict processing in certain cases
- Data can be stored but not processed
- Must notify subject before lifting restriction
In SAR Portal:
- “Restriction” case type
- Status tracking for restricted data
Article 20 - Right to Data Portability
Key Points:
- Receive data in structured, machine-readable format
- Applies to data provided by subject
- Based on consent or contract
- Right to transmit to another controller
In SAR Portal:
- “Portability” case type
- Support for data export formats
Article 21 - Right to Object
Key Points:
- Object to processing based on legitimate interests
- Must stop unless compelling legitimate grounds
- Direct marketing: must stop on request
In SAR Portal:
- “Objection” case type
- Track objection and response
Article 22 - Automated Decision-Making
Key Points:
- Right not to be subject to solely automated decisions
- With legal or significant effects
- Exceptions: contract, authorized by law, explicit consent
In SAR Portal:
- “Automated Decision” case type
- Document the basis for automated decisions
Controller Obligations
Article 24 - Responsibility of Controller
Key Points:
- Implement appropriate measures
- Demonstrate compliance
- Consider nature, scope, purposes of processing
In SAR Portal:
- Audit trails demonstrate compliance
- Documented processes
- Evidence of proper handling
Article 30 - Records of Processing
Key Points:
- Maintain records of processing activities
- Include purposes, categories, recipients, transfers, retention
In SAR Portal:
- Case records serve as processing records
- Audit logs provide activity records
Article 32 - Security of Processing
Key Points:
- Appropriate technical and organizational measures
- Encryption, confidentiality, availability
- Regular testing and evaluation
In SAR Portal:
- AES-256 encryption at rest
- TLS encryption in transit
- Role-based access control
- Regular security reviews
Article 33 - Breach Notification
Key Points:
- Notify supervisory authority within 72 hours
- Unless unlikely to result in risk
- Document all breaches
Relevant to SAR Portal:
- Secure handling reduces breach risk
- Audit logs support investigation
Processor Obligations
Article 28 - Processor
Key Points:
- Only use processors with sufficient guarantees
- Binding contract required
- Process only on documented instructions
SAR Portal as Processor:
- Acts as data processor
- DPA available for customers
- Processing only as instructed
Response Timeline Summary
| Situation | Deadline |
|---|---|
| Standard request | 30 days |
| Complex/numerous requests | 30 + 60 days (subject must be notified of the extension within the first 30 days) |
| Manifestly unfounded/excessive | May refuse or charge fee |
| Identity verification needed | Clock pauses until verified |
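The deadline rules in the table above (a 30-day clock that pauses until identity is verified, a 60-day extension that only counts if the subject was told about it within the first 30 days, and the 72-hour breach notification window from Article 33) are easy to get wrong when implemented ad hoc. The following is an added example of a small deadline calculator, not code from the SAR Portal itself; it assumes calendar days, that the clock starts on the later of receipt and identity verification, and that an extension notified late falls back to the standard deadline. Names and sample dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional, Tuple

# Figures taken from the timeline table and Article 33 above.
STANDARD_DAYS = 30        # standard request deadline
EXTENSION_DAYS = 60       # additional days for complex/numerous requests
BREACH_NOTIFY_HOURS = 72  # Article 33 supervisory-authority notification


@dataclass
class RequestTimeline:
    """Dates relevant to one data subject request (hypothetical record shape)."""
    received: date
    identity_verified: Optional[date] = None   # None = clock still paused
    extended: bool = False                     # controller invoked the extension
    extension_notified: Optional[date] = None  # date the subject was told


def clock_start(t: RequestTimeline) -> Optional[date]:
    """The clock runs from receipt, but not before identity is verified."""
    if t.identity_verified is None:
        return None
    return max(t.received, t.identity_verified)


def extension_notice_due(t: RequestTimeline) -> Optional[date]:
    """Last day on which the subject may be told about an extension."""
    start = clock_start(t)
    return None if start is None else start + timedelta(days=STANDARD_DAYS)


def extension_is_valid(t: RequestTimeline) -> bool:
    """An extension only counts if the subject was notified within 30 days."""
    if not t.extended:
        return False
    notice_due = extension_notice_due(t)
    if notice_due is None or t.extension_notified is None:
        return False
    return t.extension_notified <= notice_due


def effective_due(t: RequestTimeline) -> Optional[date]:
    """Response deadline: 30 days, or 90 days when a valid extension applies."""
    start = clock_start(t)
    if start is None:
        return None  # paused: no deadline until identity is verified
    days = STANDARD_DAYS + (EXTENSION_DAYS if extension_is_valid(t) else 0)
    return start + timedelta(days=days)


def deadline_status(t: RequestTimeline, today: date) -> Tuple[str, Optional[date]]:
    """Return ('paused' | 'open' | 'overdue', due_date) for dashboard display."""
    due = effective_due(t)
    if due is None:
        return ("paused", None)
    return ("overdue" if today > due else "open", due)


def breach_notification_due(aware_at: datetime) -> datetime:
    """Article 33: notify the supervisory authority within 72 hours of awareness."""
    return aware_at + timedelta(hours=BREACH_NOTIFY_HOURS)


if __name__ == "__main__":
    # Constructed sample: received and verified on the same day, extension
    # notified in time, so the response is due 90 days after receipt.
    req = RequestTimeline(
        received=date(2024, 3, 1),
        identity_verified=date(2024, 3, 1),
        extended=True,
        extension_notified=date(2024, 3, 20),
    )
    print(deadline_status(req, date(2024, 4, 15)))
```

The important design point is that the extension is a derived property, not a flag the case handler can simply set: `effective_due` recomputes it from the notification date, so a late notice silently falls back to the 30-day deadline instead of granting time the Article 12 rules do not allow.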
Lawful Bases for Refusing
You may refuse a request if:
Article 12(5)
- Request is manifestly unfounded
- Request is excessive (especially repetitive)
- Must demonstrate why it qualifies
Article 15(4)
- Would adversely affect rights of others
- Redact third-party data instead
Article 17(3)
- Freedom of expression
- Legal obligation
- Public health
- Archiving in public interest
- Legal claims
Penalties (Article 83)
For violations of data subject rights:
- Up to €20 million, or
- 4% of annual global turnover
- Whichever is higher
This underscores the importance of proper DSAR handling.
Further Reading
- Official EU GDPR Text
- EDPB Guidelines
- Your local Data Protection Authority guidance