GDPR Data Subject Rights and AI: Access, Erasure, and Automated Decisions in 2026
Sonomos Research
The Sonomos research team writes about AI privacy, data protection, and how to use generative AI safely at work.
The GDPR's data subject rights framework was designed for structured databases where individual records could be identified, located, retrieved, and deleted. Generative AI complicates this picture considerably: AI systems are trained on personal data that may be inextricably woven into model weights; they process personal data in unstructured prompts and conversations; and their outputs may contain personal data about third parties. This guide explains how GDPR data subject rights apply in AI contexts, which rights are most commonly triggered, and what practical responses look like for organizations using AI tools with personal data about EU residents.
The seven data subject rights and their AI relevance
The GDPR grants EU data subjects seven enforceable rights. Each has distinct implications for AI:
Article 15 — Right of access: Data subjects can request a copy of their personal data and information about how it is being processed.
Article 16 — Right to rectification: Data subjects can request correction of inaccurate personal data.
Article 17 — Right to erasure ("right to be forgotten"): Data subjects can request deletion of their personal data in certain circumstances.
Article 18 — Right to restriction of processing: Data subjects can request that processing be paused while an accuracy dispute or other objection is resolved.
Article 20 — Right to data portability: Data subjects can request their personal data in a portable format for transfer to another controller.
Article 21 — Right to object: Data subjects can object to processing based on legitimate interests, including profiling.
Article 22 — Right not to be subject to solely automated decisions: Data subjects have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, with exceptions.
The access right and AI: the hardest question
The access right (Article 15) is the most practically challenging in AI contexts. When a data subject asks "what personal data do you hold about me?", the organization must identify and produce that data.
AI tool interaction logs. If your organization uses enterprise AI tools (ChatGPT Enterprise, Claude for Work, Microsoft 365 Copilot) and employees processed the data subject's personal data in AI prompts, the interaction logs may contain the subject's personal data. A subject access request could require you to produce those logs — including both the input (the employee's prompt containing the subject's data) and the AI's output.
Practical implications: Maintain AI interaction logs for enterprise tools. Ensure your retention policies allow you to search and retrieve logs by data subject. Establish a process for reviewing AI interaction logs as part of subject access request response.
AI model training data. If your organization has fine-tuned an AI model on data including the subject's personal data, the access right technically covers that data — but practically, it may be impossible to extract individual data subjects' training data from model weights. GDPR's recitals (particularly Recital 26) acknowledge that some data is technically impossible to attribute to individuals in anonymized or aggregated contexts; DPAs and regulators vary in how they interpret this for model weights.
Third-party AI vendors. When data subjects make access requests about AI vendors (e.g., "what does OpenAI hold about me?"), the vendor's privacy policy and data subject rights process apply. As a controller, you are responsible for your own AI-related processing; the vendor is responsible for their own. Your DPA should specify how the vendor cooperates with your access request responses.
The right to erasure and AI: what deletion means
Article 17 grants the right to erasure ("right to be forgotten") in several circumstances: consent is withdrawn, the data is no longer necessary for the original purpose, the data subject objects and there are no overriding legitimate grounds, or the data was unlawfully processed.
AI conversation history. Enterprise AI tools allow deleting conversation history. When a data subject exercises the right to erasure, delete their personal data from:
- AI interaction logs retained by your organization.
- Any AI tool conversation history that contains their data.
- Documents or outputs generated by AI that contain their personal data and are stored in organizational systems.
AI-generated outputs. If an AI tool generated a report, summary, or analysis containing the data subject's personal data, that output is itself personal data subject to erasure obligations. Inventory your AI-generated outputs and ensure they are within the scope of your erasure process.
Training data. If the data subject's personal data was used to fine-tune or train an AI model, erasure from the training data set does not automatically erase it from the model weights. This is the hardest erasure problem in AI. Options:
- Retrain or fine-tune the model without the subject's data (expensive and not always possible).
- Apply differential privacy techniques during training to reduce individual memorization (a technical control, not a guarantee).
- Accept that model weight erasure is currently infeasible, document this limitation in your DPIA, and ensure the subject is informed of the limitation as part of the erasure response.
GDPR Article 17(3) permits exceptions to erasure for legitimate interests, compliance with legal obligations, and public interest. Organizations that can demonstrate a legitimate interest in retaining model weights (e.g., a model critical to a product's function) may be able to justify not retraining. This is an area of ongoing regulatory development; monitor guidance from relevant Supervisory Authorities.
Article 22: the right against solely automated decisions
Article 22 is the GDPR's most AI-specific right. It applies when:
- A decision is based solely on automated processing (no meaningful human involvement).
- The decision produces legal or similarly significant effects on the individual.
Examples of legal or similarly significant effects: being denied a loan, job application rejection, denial of insurance coverage, reduced access to healthcare services, criminal sentencing inputs.
The "solely automated" qualifier. If a human reviews the AI's recommendation before making the final decision — and the review is meaningful, not a rubber stamp — Article 22 does not apply. The human review must be genuine: the reviewer must have the ability and authority to override the AI's recommendation.
When Article 22 applies, the data subject has the right to:
- Human review of the decision.
- Express their view on the decision.
- Contest the decision.
For organizations using AI in consequential decisions (hiring, credit, insurance, healthcare resource allocation), Article 22 compliance requires:
- An identified human reviewer with authority to override.
- A documented process for data subjects to request human review.
- A mechanism for data subjects to express their view and contest the outcome.
- A documented response to contestations.
National derogations. Member States can permit solely automated decisions with appropriate safeguards (including the right to human review, right to express views, and right to contest). EU AI Act Article 26 also requires human oversight for high-risk AI systems — see the EU AI Act glossary entry for the interaction between these frameworks.
Responding to data subject rights requests involving AI: a practical guide
Step 1: Identify where the subject's data lives in AI systems
When a request comes in, search:
- AI interaction logs (enterprise tool admin dashboards).
- AI-generated documents, reports, or outputs stored in organizational systems (SharePoint, Google Drive, document management systems).
- AI training data sets (if the organization has fine-tuned models on personal data).
- AI tool accounts where the subject's data may have been processed.
Step 2: Assess applicable rights
Determine which rights apply based on the lawful basis for processing:
- Consent: subject can withdraw (right to erasure applies).
- Legitimate interests: subject can object (Article 21 applies); erasure may apply if no overriding grounds.
- Contractual necessity: erasure applies when contract ends and retention period expires.
- Legal obligation: erasure may be restricted during the legal obligation period.
Step 3: Produce the response
For access requests: Compile AI interaction logs, AI-generated outputs, and other AI-processed personal data relevant to the subject. Provide within one month (extendable by two months for complex requests, with notice).
For erasure requests: Delete from AI interaction logs, AI-generated outputs, and AI tool conversation history. For model weight erasure, document the technical limitation and the organization's position. Consider providing the subject with information about the limitation and the safeguards in place.
For automated decision objections (Article 22): Assign human review of the specific decision. Document the reviewer's independent assessment. Communicate the outcome and the subject's rights.
Step 4: Document the response
GDPR's accountability principle (Article 5(2)) requires that organizations be able to demonstrate compliance. Document:
- The request received (date, subject, nature of request).
- The search conducted for AI-related personal data.
- The response provided (data produced, data deleted, explanation of limitations).
- Any exceptions claimed and the legal basis.
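As an added illustration of steps 1, 3 and 4 of this procedure (example code written for this page, not code from the original guide or from Sonomos), the Python script below runs an access or erasure request against a constructed JSONL export of an enterprise AI tool's interaction log: it searches prompts and outputs for the subject's identifiers, either builds the Article 15 response or removes the matched records, and writes the Article 5(2) accountability record. The log format, field names, tool name, people and addresses are all assumptions made up for the example; real exports differ per vendor, and a name match can be a namesake, so each hit is confirmed by a human before anything is released or deleted.

```python
import hashlib
import json
import re

# Constructed sample of an enterprise AI tool's interaction log (JSONL, one prompt/response
# pair per line). Names, addresses and the tool name are made up for this example.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"id": "evt-001", "ts": "2026-01-14T09:12:00Z", "tool": "assistant-enterprise",
     "user": "hr.analyst@example.com",
     "prompt": "Summarise the performance review for Anna Keller (anna.keller@example.com).",
     "output": "Anna Keller exceeded targets in Q3 and Q4 and is ready for promotion."},
    {"id": "evt-002", "ts": "2026-01-15T11:40:00Z", "tool": "assistant-enterprise",
     "user": "sales.lead@example.com",
     "prompt": "Draft a follow-up email to the Acme procurement team.",
     "output": "Dear Acme team, thank you for your time last week."},
    {"id": "evt-003", "ts": "2026-02-02T16:05:00Z", "tool": "assistant-enterprise",
     "user": "hr.analyst@example.com",
     "prompt": "Rewrite this note: A. Keller asked about parental leave options.",
     "output": "Employee A. Keller requested information on parental leave."},
])

def parse_log(jsonl_text):
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]

def compile_identifiers(subject):
    """Case-insensitive, word-bounded patterns for each identifier named in the request."""
    terms = [subject["name"], subject["email"], *subject.get("aliases", [])]
    return {t: re.compile(r"(?<!\w)" + re.escape(t) + r"(?!\w)", re.IGNORECASE) for t in terms}

def find_subject_records(records, patterns, fields=("prompt", "output")):
    """Step 1: every record whose prompt or output mentions one of the identifiers.
    Name matches can be namesakes, so a human confirms each hit before release or erasure."""
    hits = []
    for rec in records:
        matched = {}
        for field in fields:
            found = [term for term, pat in patterns.items() if pat.search(rec.get(field, ""))]
            if found:
                matched[field] = found
        if matched:
            hits.append((rec, matched))
    return hits

def build_access_response(hits):
    """Step 3, Article 15: the subject gets the employee's prompt and the AI output for each
    confirmed record plus the processing context. The prompting employee's identity is
    third-party data and is not copied into the response."""
    return [{"record_id": rec["id"], "date": rec["ts"], "tool": rec["tool"],
             "input": rec["prompt"], "output": rec["output"], "matched_on": matched}
            for rec, matched in hits]

def erase_subject_records(records, hits):
    """Step 3, Article 17: drop the confirmed records from the retained log and return the
    ids removed so the accountability record can name them without keeping their content."""
    erase_ids = {rec["id"] for rec, _ in hits}
    return [r for r in records if r["id"] not in erase_ids], sorted(erase_ids)

def accountability_record(request_type, subject, received, search_scope, outcome, limitations):
    """Step 4, Article 5(2): what was searched, what was produced or deleted, and which
    limitations were disclosed. The outcome is kept as a hash so the audit trail does not
    re-create the personal data that an erasure request just removed."""
    return {
        "request_type": request_type,
        "subject_ref": hashlib.sha256(subject["email"].lower().encode()).hexdigest()[:16],
        "received": received,
        "search_scope": list(search_scope),
        "outcome_digest": hashlib.sha256(json.dumps(outcome, sort_keys=True).encode()).hexdigest(),
        "limitations": list(limitations),
    }

def handle_request(request_type, subject, log_text, received):
    """Run steps 1, 3 and 4 against one log source; step 2 (which rights apply) is the
    legal determination made before this is called."""
    records = parse_log(log_text)
    hits = find_subject_records(records, compile_identifiers(subject))
    scope = ["ai-interaction-logs:assistant-enterprise"]  # extend with document stores etc.
    if request_type == "access":
        outcome, remaining, limitations = build_access_response(hits), records, []
    elif request_type == "erasure":
        remaining, erased = erase_subject_records(records, hits)
        outcome = {"erased_record_ids": erased}
        # Illustrative wording; only relevant where the organisation has fine-tuned a
        # model on data that included this subject.
        limitations = ["Deletion does not reach fine-tuned model weights; limitation is "
                       "documented in the DPIA and disclosed to the subject."]
    else:
        raise ValueError(f"unsupported request type: {request_type}")
    return outcome, remaining, accountability_record(
        request_type, subject, received, scope, outcome, limitations)

if __name__ == "__main__":
    subject = {"name": "Anna Keller", "email": "anna.keller@example.com", "aliases": ["A. Keller"]}
    outcome, _, record = handle_request("access", subject, SAMPLE_LOG, "2026-03-01T08:00:00Z")
    print(json.dumps({"access_response": outcome, "accountability": record}, indent=2))
```

The same search function is reused for each source in the Step 1 list (document stores, conversation exports, training-data manifests) by extending `scope` and feeding in that source's records, so one accountability record covers the whole search rather than only the interaction log.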
GDPR data subject rights and AI: jurisdiction-specific notes
France (CNIL): The CNIL has issued guidance on automated decision-making under Article 22 and has conducted enforcement actions against AI systems that lack meaningful human review. The CNIL's AI team actively monitors AI system deployments by French organizations.
Italy (Garante): The Garante issued a temporary ban on ChatGPT in 2023 based partly on concerns about data subject rights — specifically, the inability of Italian data subjects to access or correct ChatGPT's training data. The Garante's enforcement focus on AI training data and subject rights remains active.
Germany (BfDI and state DPAs): German data protection authorities have focused on the lawful basis for AI processing and the accuracy principle — AI outputs that are inaccurate and are about identifiable individuals may violate Article 5(1)(d). Organizations with German operations should ensure AI-generated content about individuals is reviewed for accuracy before use.
UK (ICO): Post-Brexit, the UK GDPR mirrors the EU GDPR's data subject rights framework. The ICO has issued specific guidance on explaining AI decisions to individuals — relevant to Article 22 compliance.
Frequently asked questions
A data subject asked what AI tools we use to process their data. Must we disclose this?
Yes. Article 15(1)(h) requires disclosure of "the existence of automated decision-making, including profiling" and "meaningful information about the logic involved." Even where Article 22 does not apply (because a human is involved), if AI tools are used to process the subject's data in ways that affect them, the privacy notice should describe this, and the subject can request information about it. Your AI governance documentation supports this disclosure.
Can we charge a fee for subject access requests related to AI interaction logs?
The GDPR allows a reasonable fee for manifestly unfounded or excessive requests. For a routine access request that requires searching AI interaction logs, a fee is generally not appropriate. If the request is exceptionally voluminous or burdensome, consider asking for clarification to narrow scope before deciding on a fee.
Our AI model was trained on historical employee data. Do former employees have erasure rights?
Potentially. If former employees are EU residents and the training data includes their personal data, they may exercise the right to erasure if the processing no longer has a valid lawful basis. The lawful basis for training data processing is often legitimate interests — analyze whether that interest persists after employment termination. If it does not, consider whether model retraining is required or whether documented technical limitations apply. This is an area where legal counsel should be involved.
We use ChatGPT Enterprise for employee communications. Do employees have access rights to their AI conversations?
Yes, if those conversations are about them and constitute personal data. Employees as data subjects have Article 15 access rights. Enterprise AI tools typically allow admins to search and export conversation data. Include AI interaction logs in your employee data access request process.
How does the right to explanation under Article 22 work in practice?
When an automated decision is subject to Article 22, the organization must provide "meaningful information about the logic involved." This does not require a full technical explanation of model architecture — regulators and courts have interpreted this as requiring a plain-language explanation of the factors considered, the data used, and how the output influenced the decision. Document this explanation in your Article 22 response process before deploying high-risk AI systems.
The bottom line
GDPR data subject rights apply to AI processing just as they apply to any other personal data processing — but AI introduces technical complications that existing data governance processes were not designed to handle. The organizations that manage this well in 2026 have mapped where personal data exists in AI systems (interaction logs, outputs, training data), built AI-aware subject access request processes, and established Article 22 human review procedures for consequential AI decisions. Those that have not will face difficult situations when the first subject access request or erasure request involves AI-processed personal data they cannot locate or delete.
For the broader GDPR picture for AI tools, see GDPR and AI: A 2026 Compliance Guide and Is ChatGPT GDPR Compliant?.