Real-world examples of practical examples of data subject rights

Concrete examples of practical examples of data subject rights in daily business

When privacy laws get translated into real life, they look less like legal theory and more like customer service, HR operations, and IT workflows. The best examples show how an ordinary person interacts with a company and what the company actually does next.

Below are real-world style scenarios that illustrate examples of practical examples of data subject rights across multiple jurisdictions (GDPR in the EU/UK, CCPA/CPRA in California, LGPD in Brazil, POPIA in South Africa, and others). Treat these as patterns you can adapt into your own internal playbooks.

Access rights: examples of how individuals get a copy of their data

One of the clearest examples of data subject rights is the right of access (GDPR Article 15, CCPA/CPRA right to know). In practice, this is what it looks like:

Example of a customer requesting their data from a SaaS platform

A small business owner in Texas uses a European SaaS invoicing platform. They email support and say:

“Under GDPR, I’d like a copy of all personal data you hold about me and my business account.”

Behind the scenes, the company should:

• Verify the identity of the requester (for example, by confirming login to the account or using 2FA).
• Pull data from multiple systems: CRM, billing, product logs, marketing tools.
• Exclude data that would reveal trade secrets or other users’ personal data.
• Provide a structured report (often as a PDF plus CSV/JSON exports) within the legal deadline (typically 30 days under GDPR, 45 days under CCPA/CPRA, with limited extensions).

The response usually includes categories of data, specific data fields, and information about sources, recipients, and retention periods. The examples of practical examples of data subject rights here show that this is not just a legal checkbox; it’s a data-mapping and operations exercise.

Real examples from employment contexts

Employees increasingly use access rights to understand what their employer stores about them. Think:

• A former employee in the UK requests a copy of all performance reviews, disciplinary notes, and HR email records that mention them.
• An EU-based contractor asks for logs of access to their personnel file to confirm only HR has viewed it.

These real examples push companies to clean up HR record-keeping and email practices, because anything that counts as personal data may be disclosed. The UK Information Commissioner’s Office (ICO) provides detailed guidance on subject access requests that many companies now follow as a practical standard: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/

Deletion and right to be forgotten: best examples from consumer apps

The right to deletion (GDPR Article 17, CCPA/CPRA deletion right) is one of the best examples of privacy rights that users actually recognize.

Example of a user deleting their social media profile

A user in California decides to permanently leave a global social media platform and submits an in-app request to delete their account. In a well-designed workflow, the platform should:

• Immediately deactivate public visibility of the profile.
• Start a deletion process for personal data in primary databases.
• Flag backups and archives for eventual overwriting according to retention policies.
• Retain limited data if legally required (for example, fraud prevention logs or financial transaction records).

The company’s privacy policy should give clear examples of practical examples of data subject rights like this, explaining what “delete” really means in terms of backups, legal holds, and anonymized analytics.

Example of deleting data from a health and wellness app

Consider a mental health tracking app used by patients in the US and EU. A user requests deletion of all mood logs and journal entries. Because this data is sensitive, the app must:

• Confirm identity with strong authentication.
• Explain that some de-identified data might be retained for research or statistical purposes, in line with guidance from organizations like the U.S. National Institutes of Health (NIH): https://www.nih.gov/
• Provide a confirmation once deletion is complete, including a brief explanation of any data that cannot legally be erased.

This is one of the best examples of how privacy rights intersect with ethics: deleting sensitive data reduces risk, but research and safety obligations may justify limited retention in anonymized form.

Correction and rectification: real examples from finance and healthcare

The right to rectification (GDPR Article 16 and similar rights in many laws) is straightforward but operationally messy.

Example of correcting financial data

A banking customer in Germany sees an incorrect address and outdated employer information on their online profile. They submit a request to correct it. The bank must:

• Update the core customer record.
• Propagate changes to downstream systems: credit risk models, anti-money laundering tools, and marketing databases.
• Notify certain third parties (for example, credit bureaus) if inaccurate data was shared.

This example of a data subject right forces institutions to maintain accurate, synchronized data flows. It highlights why data governance is not only about analytics but also about legal compliance.

Example of correcting medical records

In the healthcare context, a patient in the US disputes a diagnosis code in their electronic health record. Under HIPAA, they can request an amendment. The provider may:

• Accept the correction and amend the record.
• Or, if medically justified, refuse to change the underlying diagnosis but add the patient’s statement of disagreement.

The U.S. Department of Health & Human Services explains how this works for HIPAA-covered entities: https://www.hhs.gov/hipaa/for-individuals/medical-records/index.html

For international companies, privacy policies should include examples of practical examples of data subject rights like these so patients and customers understand that “correction” doesn’t always mean rewriting history; sometimes it means adding context.

Data portability: examples include subscription and gig platforms

Data portability (GDPR Article 20 and similar concepts in other laws) is still maturing, but there are strong, real examples emerging.

Example of a music streaming subscriber switching services

A user in France wants to move from Streaming Service A to Streaming Service B. They exercise their portability right by requesting:

• A machine-readable export (for example, JSON or CSV) of playlists, liked songs, and listening history.
• Direct transmission to the new provider, where technically feasible.

Service A responds with an export file and, in some markets, supports API-based transfers. This is one of the best examples of data subject rights being used to reduce switching costs and promote competition, not just privacy.

Example of a gig worker exporting their ratings and history

A ride-share driver in Brazil requests an export of their trip history and ratings from the app to use as evidence of work experience. Under GDPR-like frameworks and Brazil’s LGPD, the platform should:

• Provide structured data on trips, earnings, and rider feedback.
• Exclude other riders’ personal data or pseudonymize it.
• Explain any algorithmic profiling that affects driver ratings.

Privacy policies that include examples of practical examples of data subject rights like this help workers understand they can reuse their own data to negotiate better terms or prove professional history.

Objection and opt-out: real examples under GDPR and CCPA/CPRA

The right to object (GDPR Article 21) and the CCPA/CPRA rights to opt out of “sale” or “sharing” of personal information show up in marketing and ad-tech.

Example of opting out of targeted advertising

A visitor in California lands on a retail website and clicks “Do Not Sell or Share My Personal Information.” In practice, the company should:

• Stop sharing personal identifiers with third-party ad networks for cross-context behavioral advertising.
• Honor Global Privacy Control (GPC) signals sent by the user’s browser.
• Update internal preference databases and sync with marketing tools.

The California Attorney General’s site provides practical guidance and enforcement examples: https://oag.ca.gov/privacy/ccpa

This is one of the clearest examples of practical examples of data subject rights where UI design, cookie banners, and backend systems all have to line up.

Example of objecting to direct marketing in the EU

An EU-based user receives email marketing from a retailer they bought from once, years ago. They click “unsubscribe” and also send an email invoking their right to object to direct marketing.

The retailer must:

• Immediately stop sending marketing emails to that address.
• Maintain a suppression list to ensure the user is not re-added by mistake.
• Not require the user to create an account just to unsubscribe.

This example of a data subject right shows that consent and legitimate interest must be balanced with a simple, respected opt-out.

Restriction, complaints, and human review: more advanced examples

Some rights are less visible but increasingly important as AI and automated decision-making expand.

Example of restricting processing during a dispute

A customer in the Netherlands disputes a large, potentially fraudulent charge on their account. They ask the bank to restrict processing of their personal data while the dispute is investigated.

The bank can:

• Flag the account so that data is not used for marketing or new analytics.
• Continue limited processing needed to handle the dispute and comply with law.

This kind of example of a data subject right is often missing from policies, but in 2024–2025 regulators are paying more attention to proper implementation of restriction.

Example of challenging automated decisions

A job applicant in the EU is rejected after an automated screening system scores their resume below a threshold. They request:

• An explanation of the key factors in the automated decision.
• Human review of their application.

Under GDPR, if the decision has legal or similarly significant effects, the company must provide meaningful information about the logic involved and offer a way for humans to reconsider. With the rise of AI hiring tools, this is one of the most important examples of practical examples of data subject rights to build into HR and recruiting processes.

How to use these examples in your international privacy policy

If you’re drafting or updating international privacy policy templates, don’t stop at abstract statements like “You have certain rights regarding your personal data.” That language is too vague for 2025 users and regulators.

Instead, weave in short, concrete examples of practical examples of data subject rights, tailored to your services. For instance:

• Under your “Access” section, describe how a customer can request a copy of their account history and how you will respond.
• Under “Deletion,” explain what happens when someone closes their account, with a plain-language note about backups and legal retention.
• Under “Portability,” give an example of exporting data to another service.
• Under “Objection/Opt-Out,” show how users can stop marketing emails or targeted ads.

These examples include the kinds of scenarios regulators cite in guidance and enforcement, which helps demonstrate that you understand the real-world impact of privacy laws. They also make your policy genuinely useful to users, not just a legal shield.

From a search and documentation perspective, including examples of practical examples of data subject rights in your privacy policy templates also makes the document more discoverable and more actionable for legal, IT, and product teams who need to operationalize rights requests.

FAQ: examples of practical examples of data subject rights

Q1: What are some concrete examples of data subject rights in practice?
Common examples include a customer requesting a copy of all data a retailer holds about them, a user deleting their social media account and associated posts, an employee correcting an incorrect performance record, a patient asking to amend part of their medical file, or a California resident opting out of the sale or sharing of their personal information for targeted advertising.

Q2: Can you give an example of a data portability request?
One clear example of portability is a user asking a music streaming service for an export of all their playlists and listening history so they can import it into another platform. Another is a ride-share driver requesting a machine-readable file of their trip history and ratings to prove work experience to another platform or lender.

Q3: Are companies required to honor all deletion requests?
No. Most privacy laws allow companies to refuse deletion where data is needed to comply with legal obligations, defend legal claims, or prevent fraud. A good example is a financial institution that must retain transaction records for a minimum number of years under anti-money laundering rules, even if a customer asks for deletion. In those cases, the company should explain what can and cannot be deleted.

Q4: What is an example of restricting processing instead of deleting data?
If a customer disputes the accuracy of their data, they might ask the company to stop using it for marketing or profiling while the dispute is investigated. The data stays in the system, but its use is limited. This is a practical example of the right to restriction, often used when deletion would be premature or harmful.

Q5: How should international privacy policies present these rights?
Policies should describe each right in plain language and then add short, realistic examples. For instance, under “Right to Object,” you might say: “If you no longer want to receive promotional emails, you can click ‘unsubscribe’ in any message or contact us. We will stop sending marketing communications and will keep your email address only on a suppression list.” These kinds of examples of practical examples of data subject rights make the policy understandable to non-lawyers and easier to implement internally.