What rights do individuals have under GDPR (e.g., access, deletion)?

GDPR establishes eight core individual rights. Right of Access: individuals can request confirmation of whether you process their data and receive a copy. Right to Rectification: they can request correction of inaccurate data. Right to Erasure ("right to be forgotten"): they can request deletion of their data under certain circumstances. Right to Restriction: they can request limited processing while disputes are resolved.

Right to Data Portability: individuals can receive their data in a structured, machine-readable format and transfer it to another service. Right to Object: they can object to processing based on legitimate interests, including direct marketing, and for marketing, this is absolute. Rights related to automated decision-making: they can request human intervention in automated decisions that significantly affect them.

For email marketers, the most commonly exercised rights are erasure and objection. When someone unsubscribes, that's exercising their right to object to direct marketing. Deletion requests require removing them from all systems, not just suppression lists. You must respond to rights requests within one month, though complex requests may extend to three. Individual rights aren't optional features-they're legally mandated capabilities your systems must support.