The rights of individuals, set out in Articles 15 - 22 of the Applied GDPR, are:

These rights can only be exercised against controllers who must respond in a timely and appropriate manner.

Regulation 140 of the Implementing Regulations makes it clear that the exercise of rights, or the associated obligations of controllers, cannot be removed or restricted by any enactment or rule of law which otherwise prohibits or restricts the disclosure of the personal data or authorises the withholding of such personal data.

Individuals can take remedial actions against controllers or processors if they consider that their rights have been breached or there is non-compliance with the requirements of the law. 

Article 12 of the Applied GDPR sets out general rules in respect of duties and procedural aspects of the rights, together with exceptions to those general rules.

General rules applying to the rights 

Exceptions to the general rules

Compliance period *

The compliance period is "without undue delay" and in any event within one month of receipt. (See Calculating "one month") Compliance with a request to exercise a right can be delayed by a maximum of TWO months, if necessary, where the requests are particularly complex or due to the volume of requests received. 

If there is a delay, the reason for the delay must be explained to the individual within ONE month of receipt of the request.

Fees **

If a request to exercise a right is manifestly unfounded or excessive, particularly due to repetition of the same request, the controller may charge a reasonable fee (based on administrative costs), or refuse to act.  Controllers must be able to demonstrate why it believed the request to be manifestly unfounded or excessive.