Due to the increasing digitization and documentation of our daily life, both professional and private, personal data is increasingly finding its way into the endless expanses of the Internet and file archives: whether when sending newsletters, through performance marketing or through consent management, personal data is collected and archived everywhere. As soon as a company collects or processes (or intends to collect or process) the personal data of a natural person, the General Data Protection Regulation (GDPR) takes effect and grants the data subjects so-called data subject rights, which you can use to protect your data.
What are the rights of the data subject?
Data subject rights serve natural persons as tools with which they can influence the use of their data within the scope of informational self-determination. Through increased transparency, natural persons whose data is recorded for various purposes should have a precise overview of the entirety of their data and be able to make self-determined decisions about each use of that data. It is important to understand that data protection requests do not always have to be of a negative nature! For example, if you change your home address in the customer portal of your bank, you automatically exercise your right to rectification of your own data and submit a data protection request to your bank. But what do data subject rights imply for (young) companies?
In general, regardless of the type of request, a person has the right to know the following information about personal data:
- Which categories of data are involved and for what purpose is the company pursuing the collection of data in the present case?
- Who has access to the collected data and why?
- What type of data collection was used, if the data was not collected from the person themselves?
- What type of data storage is used and how and for what period of time is data storage planned?
- To what extent is the personal data subjected to automated profiling and what effects can this have on the respective person?
Against the background of this information, data subjects can use their data subject rights to decide for themselves how their own data and information are used. There are a total of six different data subject rights. These can be defined as follows:
- The information obligation
As part of the so-called information obligation, companies are obliged to inform natural persons transparently and comprehensively about the use of individual personal data. This can be done in writing, electronically or orally. Information about individual data usage must be made public within a period of one month. As part of the information obligation, the data subject only receives information about the data collected.
- Right to information
The data subject's right to information is structured in two stages and grants the person concerned a right to information about the data that has already been processed and the specific circumstances of the data processing. In the first stage, a natural person can ask whether personal data about themselves has been collected and processed. If this is not the case, the company must provide negative information. If the data subject's data is processed, the data subject has the right to be informed about the manner in which the data is processed and used. In addition, a person has the right to have the data transmitted in writing. Unlike the information obligation, the right to information also entitles the applicant to be informed about their rights as a data subject and about possible procedures (against the use of their personal data).
- Right to rectification
The right to rectification is closely linked to the right to information and the information obligation, since data subjects who have no knowledge of the personal data held about them cannot in most cases make use of the right to rectification. If there are discrepancies in the personal data, a data subject has two options: on the one hand, data records that contain incorrect information about a person can be corrected; on the other hand, incomplete data records can be revised and supplemented. The classic requests of this kind include, for example, address changes after moving.
- Right to "be forgotten"
The right to "be forgotten" describes the right to data erasure and enables a data subject to request immediate erasure of their personal data from the data processor. However, this right is not unrestricted; erasure is only possible for one of the following reasons:
- The person concerned would like to revoke their consent to data processing or would like to object to the further use of their data because the processing is no longer necessary (e.g. when changing doctor).
- The data subject can withdraw the right to data processing if the personal data has been processed unlawfully.
- If the person concerned is a child or a young person who has not yet reached the age of 16, special legal regulations apply. In addition, there may be other legal regulations or laws that prescribe special treatment of data and its deletion. For example, restaurants are only allowed to store the guest data collected in connection with Covid-19 for a maximum period of 2 weeks.
- Right to restricted dissemination of data
This right restricts the company's use of the personal data in question and can be viewed as a milder means compared to the right to have the data deleted. If a data subject exercises the right to restrict the use of their data, the corresponding data is blocked for general use, but can still be used for relevant purposes. Affected persons can have their data blocked for the following reasons:
- The data subject can question the accuracy of the data and / or its lawful processing and have their data blocked for further procedures.
- Affected persons can have their data blocked if the data cannot be deleted due to legal regulations, or if deletion is blocked in connection with the right of withdrawal.
- Right to data portability
A data subject can oblige a company to transfer the collected and already processed data to a third party, for example another provider. Since the information held about a data subject can also contain information about third parties, it must be ensured that the rights of those third parties are not violated when the data is transferred.
Consequences of disregarding data protection regulations or violating deadlines
A mistake can happen quickly, and the overview of complex topics, such as data protection in this case, is quickly lost. While a knocked-over coffee cup usually has no major consequences, it quickly looks different when it comes to data protection: companies that breach the General Data Protection Regulation face fines of up to 20 million euros or 4% of total annual sales. In the case of subsidiaries, the annual turnover of the group is used as the basis for calculation. Anyone who feels unsure when processing data protection requests or about the general implementation of data protection in company processes should seek professional support. Do you feel addressed, are you confronted with a data protection request, or do you feel unsure about the implementation of data protection? HeyData offers to inform you about the correct implementation of the General Data Protection Regulation in a non-binding conversation.