Data Protection Academy » Data Protection Wiki » Data subjects' rights in the General Data Protection Regulation

A judge's gavel is on the block. Data subject rights in the GDPR

Data subjects' rights in the General Data Protection Regulation

The processing of personal data. can affect people in many ways. Their rights, the "data subjects' rights", are a core component of the General Data Protection Regulation (GDPR). It devotes an entire chapter to them. In order to be able to exercise these rights, one needs to know what data are stored and processed about one's person and by whom. Therefore, the articles 13 and the 14 GDPR lays down extensive transparency obligations for data processing bodies. This information must provide an overview of data processing in an understandable form. In most cases they are included in the data protection declaration. In addition Article 15 GDPR a right of access, according to which each body must provide information on request on what data relating to a person are being processed.

Data subjects can contact companies, public authorities and other data processing bodies directly. Should problems arise, they have the opportunity to supervisory authority to switch on. In particular, the following rights of data subjects are at stake.

Overview of statutory data subject rights in the GDPR

Right to withdraw consent (Article 7 GDPR)

Data subjects have the right to withdraw their consent to the processing of their data. They must be informed before giving their consent. Revocation must be as simple as giving consent. If the data are collected from the data subject, after Article 13 II c GDPR at the time of data collection, the data controller must inform the data subject, in addition to many other information obligations, about the right to withdraw consent.

Right of rectification (Article 16 GDPR)

If incorrect data relating to a person are processed, their correction may be requested. Incomplete data must be completed taking into account the purpose of the processing.

Right of cancellation (Article 17 GDPR)

If there are certain reasons for deletion, the data subject has the right to have the personal data deleted. This is particularly the case if they are no longer necessary for the purpose for which they were originally collected or processed. If they have been made public, the data subject has a "right to be forgotten". This explicit right is new.

Right to restrict processing (Article 18 GDPR)

The right to limit processing may, under certain conditions, enable data subjects to obtain the blocking of their personal data from the controller. The controller must notify data subjects of the rectification, erasure and restriction of processing.

Right to data transferability (Article 20 GDPR)

Data subjects have the right to transfer their own data from one responsible person to another responsible person (e.g. from one social network to another). For this purpose, the operator of the e.g. network must provide the user with a copy of the personal data concerned in a common and machine-readable file format. Compared to the old legal situation under the Federal Data Protection Act, this requirement represents an innovation.

Right of objection (Article 21 GDPR)

Data subjects also have the right to object to legitimate data processing operations carried out in the public interest, in the exercise of official authority or on the basis of the legitimate interest of a body. Data subjects may object to direct marketing and related profiling at any time. This leads to an immediate stop of processing. The data subject must be informed of this right in an understandable form at the latest at the time of the first communication.

Automated decision in individual cases including profiling (Article 22 GDPR)

Data subjects may not be subject to a purely automated decision - including profiling - if it is legally relevant or significantly prejudicial. Data subjects must have the possibility to challenge the decision, to present their point of view and to obtain the intervention of a person.

External Data Protection Officer

You are welcome to contact us as external data protection officer (DPO) order. We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.

General provisions on data subject rights in the GDPR

Right of appeal

The GDPR strengthens the position of the person concerned by extending their rights of appeal and making it easier to exercise them vis-à-vis foreign authorities. The State Data Protection Officers are no longer restricted to monitoring public and non-public bodies in their own federal states. In accordance with the marketplace principle, citizens can also complain to them about the data processing activities of foreign companies within and outside the EU.

Data subject rights in the GDPR in the event of unlawful processing of personal data

While the data subject rights listed so far in the General Data Protection Regulation apply regardless of whether the processing is lawful or unlawful, there are additional rights in the event of unlawful processing, which are set out in the Articles 77 et seq. GDPR are regulated. These include, inter alia, effective judicial remedies, liability and damages and fines.

Requests from interested parties

Since the entry into force of the GDPR, the number of enquiries from affected persons has been increasing. Dealing with these inquiries represents a considerable challenge for many companies. The threat to contact the data protection authority if the response is not made in time or is not satisfactory quickly becomes a real danger, as high fines are threatened in the event of violations. The supervisory authority must take action if a data subject contacts it.

Since many inquiries are received by the customer service, the latter should be appropriately sensitized to handling incoming inquiries and trained in data protection. The data protection officer should first check the inquiries. Once the justification of the right asserted has been clarified, companies must ensure a prompt and legally sound response to the enquiry. This often requires the involvement of several company departments.

Information must be provided to the data subject in a secure and verifiable manner. It is important that requests from affected persons are dealt with quickly and correctly, as the person responsible must answer them immediately in accordance with the GDPR. Failure to comply with data protection deadlines can have serious consequences for companies. Violations can result in claims for damages and can be punished with heavy fines.

Companies must process requests from affected parties quickly and in a legally correct manner. This often requires the cooperation of several company divisions. Employees must be made aware of this. Violations of the regulations can result in heavy fines.

Ulrich Hottelet

This might interest you too:

Erasure concept according to the GDPR

Samples, templates and examples for your GDPR erasure concept according to DIN 66398. Automatically create the erasure concept.

Record of processing activities

List of processing activities according to Art. 30 GDPR. Explained step by step with extensive information. Data protection made easy.

Technical organisational measures (TOMs)

All information on the technical organisational measures according to the GDPR. What do responsible parties have to observe during implementation and documentation?