The EU-wide General Data Protection Regulation (GDPR) came into effect on 25 May 2018. Ever since then it has presented companies with enormous challenges. Especially in the area of what are known as the rights of the data subject, many things have changed compared to the previous legal situation. Data subjects have been given a variety of tools to help them monitor and manage how their personal data is handled. Since the GDPR came into effect, the supervisory authorities in Germany and other EU countries have already imposed a large number of administrative fines, many of them for non-compliance with the rights of data subjects. The list ranges from not granting access, to missed deadlines and failing to delete data despite the right to erasure. The right to data portability under Art. 20 GDPR also poses a major challenge for companies.
What are “rights of the data subject”?
Rights of the data subject means the rights of any individual affected by data processing pursuant to Art. 12 et seq. GDPR. They protect the right to “informational self-determination” (Art. 2(1) in conjunction with Art. 1(1) of the German constitution) and serve to provide information and transparency.
Art. 12(3) GDPR stipulates that data subject requests must receive a response “at the latest” within one month. An extension by a further two months is possible in exceptional cases. However, this extension cannot be justified by arguing, for example, that the company is generally too busy to respond sooner; whether it is warranted must be assessed on a case-by-case basis.
What rights of the data subject does the GDPR define?
1. The controller’s duty to inform (Art. 13, 14 GDPR)
Art. 13 and Art. 14 GDPR together form a single complex. Together with Art. 15 GDPR, the provisions constitute an essential component (“Magna Carta”) of the rights of the data subject. It is only through the information obtained with the help of Art. 13 GDPR that the data subject can properly assess a data processing operation and properly exercise their rights as a data subject. Art. 13 GDPR is therefore of fundamental importance.
The EU legislator has fleshed out the principles of fair and transparent processing by specifying certain information which the controller is obliged to provide. In this sense, Art. 13(1) GDPR stipulates that the data subject must be informed above all of the contact details of the controller, the purpose (for each individual data processing operation separately) and the duration of the data processing, as well as information about the recipients of the personal data, the legal basis of the data processing, and a comprehensible explanation of how the interests of the data subject were weighed against those of the controller.
According to Art. 13(1) and (2) GDPR, the data subject must also be informed of all rights of the data subject, i.e. that they have a right of access, a right to rectification, to erasure, to restriction of processing, a right to object, and a right to data portability. What’s more, the data subject must be informed about the extent to which decision-making is based exclusively on automatic data processing (especially profiling). It is important to note here that the data subject must be provided with all this information at the point where the data is collected, e.g. when subscribing to a newsletter or concluding a purchase contract online, but possibly even before concluding a purchase contract, e.g. when registering for a user account. Art. 12(1) GDPR requires that the information to be provided to the data subject is presented in a “transparent, intelligible and easily accessible form, using clear and plain language”. This means that the respective addressees must be able to understand the information – so privacy notices, for example, should avoid ambiguous wording, foreign words and complicated syntax and instead use more everyday language. Under the GDPR, the information can be provided orally, in writing or electronically. Particularly with regard to children, attention must be paid not only to the aforementioned obligation to use simple language, but also to the fact that the language must be appropriate for the age group. According to Art. 13(4) GDPR, the obligation to provide information does not apply only where the data subject already has the necessary information when their data is processed. If there is any doubt, it is up to companies to prove this.
Art. 14 GDPR also regulates corresponding information obligations in the event that the data was not collected by the controller itself, but by third parties (e.g. information about creditworthiness obtained from credit agencies). Where data was collected from third parties, the company’s information obligations are basically comparable to those under Art. 13 GDPR. In addition, the company has a duty to disclose the source of the information. Unlike under Art. 13 GDPR, the information does not have to be provided immediately in all cases, but at the latest within a maximum period of one month after obtaining the data. If, however, the personal data is to be used to communicate with the data subject, the notification has to be given no later than when the first contact is made.
2. The controller’s active duty to inform corresponds to the data subject’s extensive right of access (Art. 15 GDPR)
Art. 15 GDPR grants a right to comprehensive information regarding the personal data processed as well as specific circumstances of the data processing. This right of access is limited by conflicting rights of third parties. This has the particular consequence that access does not have to be given to information pertaining to trade secrets. Art. 15 GDPR is highly relevant in practice and is likely to become even more so in the future.
The right of access is structured in two stages. The first stage gives the data subject the right to know whether or not personal data concerning them is being processed. If this is not the case, the controller must inform the data subject accordingly. If the data subject’s data is being processed, then the second stage gives the data subject a right of access to that personal data and to certain additional information.
In order to exercise this right, the data subject may request access to information about data processing at reasonable intervals. In principle, there are no formal requirements for requesting access. In the event of a data subject access request, the controller must above all provide information about the purpose of the data processing, the categories of personal data processed and the recipients or categories of recipients to whom the data may have been disclosed.
In addition, the right of access covers further information such as
- The envisaged storage period or the criteria used to determine that period
- Information about the individual rights of the data subject (such as the right to rectification, erasure, restriction of processing, right to object, right to lodge a complaint with a supervisory authority)
- The existence of automated decision-making, including profiling, and any further consequences
- In the case of data transfers to third countries or to international organisations, information about appropriate safeguards.
In addition, pursuant to Art. 15(3) GDPR, the data subject has a right to receive a copy of the personal data undergoing processing free of charge. The controller may charge a reasonable fee for any further copies. The data subject is not considered to be requesting a “further” copy if they submit a new request for access and the data held by the controller has changed significantly since the last copy was sent. However, there is still a great deal of controversy in terms of what and how much exactly is covered by the right to a copy of the data. The information to be provided by the controller can be very extensive indeed, depending on the amount of data involved. In these cases, it is advisable to prepare the data accordingly as part of the access process – a process which should be integrated into ongoing business processes well in advance.
3. The right to rectification (Art. 16 GDPR)
If the data subject’s personal data has been processed incorrectly, the data subject has the right to rectification without undue delay. The right of the data subject to rectification is closely related to the right of access under Art. 15 GDPR. Without the right of access to the personal data concerning them, the data subject would not be able to exercise their right to rectification. The right to rectification has two components: the data subject may request both that inaccurate data be rectified and that incomplete data be completed or supplemented.
4. The right to erasure (Art. 17 GDPR)
The right to erasure (Art. 17 GDPR) is also known as the “right to be forgotten”. The data subject has the right to obtain from the controller the erasure of personal data concerning them without undue delay and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
- Storing the data is no longer necessary in relation to the purposes for which it was collected
- The data subject withdraws the consent to data processing which they gave previously
- The data subject has objected to the processing and there is no legitimate interest in the processing (in the case of Art. 21(2) GDPR, erasure must take place regardless of the controller’s interest in the processing)
- The data has been unlawfully processed
- The company is obliged to erase the data due to a legal obligation (under EU law or the national law of a Member State).
- The personal data has been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
In addition, according to Art. 17(3) GDPR, there are a number of derogations where the erasure obligation does not apply. The most important derogation is where the obligation to erase data does not apply due to a legal obligation, for example if there is a duty to retain data for a longer period under employment, tax or commercial law.
5. The right to restriction of processing
According to Art. 18 GDPR, the data subject has a right to restriction of processing. This provision is intended to strike a provisional balance between the data subject’s interests – namely in the protection of their right to “informational self-determination” – and those of the controller in processing the personal data. The data subject has the right to obtain from the controller the restriction of processing where one of the following applies:
- The data subject contests the accuracy of the data
- The processing is unlawful
- The controller no longer needs the personal data for the purposes of the processing, but the data is required for the establishment of legal claims
- The data subject has objected to processing pursuant to Art. 21(1) GDPR pending the verification of whether the legitimate grounds of the controller override those of the data subject.
According to Art. 18 GDPR, once processing has been restricted, the data may then only be processed under particularly narrow conditions and for specific purposes. The personal data does not have to be erased, but may no longer be processed in any other way. To this end, the data whose processing is to be restricted needs to be marked and treated accordingly.
6. Right to data portability (Art. 20 GDPR)
The right to data portability is a new right created by the GDPR. The provision is intended to give the data subject more efficient control over their data and to counter lock-in effects by facilitating “provider switching”. This is to promote competition. The provision gives the data subject the possibility to obtain data stored about them (for example, on social media) in an appropriate portable format for the purpose of transmission or, where appropriate, to have the data transmitted directly to the other provider. This is to prevent monopolies, for example because the data subject fears that setting up a new profile with a competing provider would take them too much time.
However, this provision only covers data which the data subject has provided to the controller. In particular, this means data that the data subject themselves used when creating the user account or when posting on social media. The question of whether the provision applies to data collected through interaction with the controller’s service, such as data collected by smart devices or “wearables”, has yet to be clarified.
Since it is quite possible for the data provided by the data subject to contain information not only about themselves but also about third parties, Art. 20(4) GDPR specifies that the right to data portability must not adversely affect the rights and freedoms of others. This means that in the case of data concerning third parties, the fundamental rights and interests of the person making the request must be weighed against those other data subjects. After all, the right to data portability does not apply if it would be used for unfair or abusive purposes.
7. Do the rights of the data subject apply equally in all Member States?
One of the aims of the GDPR is to create a uniform level of data protection in all Member States. However, at many points the GDPR contains so-called “opening clauses” (e.g. Art. 85(2) GDPR), which allow Member States to adopt their own national regulations within certain limits. In Germany’s case, it is particularly important here to take what’s known as media privilege into account, which the German legislator has regulated in Sect. 55 of the Interstate Broadcasting Treaty (RStV). In abstract terms, it can be said that this media privilege leads to the extensive exemption of the press, broadcasting and telemedia from data protection requirements.
Conclusion and recommended action: How important are the rights of the data subject?
The rights of the data subject are one of the central pillars of the GDPR. The supervisory authorities punish infringements with hefty administrative fines. For individuals, the rights of the data subject are a means of both communicating with and monitoring controllers. No company can avoid compliance with the GDPR. It is one of the fundamental legal obligations of any company towards its customers. For this reason alone, it is vital that companies attach great importance to how the public perceive their approach to their data protection duties. A well-managed data protection department that swiftly, comprehensively and reliably complies with the rights of all data subjects sends a strong message. Companies should always take requests from data subjects seriously but also use them to self-monitor and improve the quality of their existing data protection processes.