07.02.2025

Data subjects' rights under the GDPR: An overview

The GDPR has been in force since 2018, and has presented companies with enormous challenges. A large number of tools have been made available to data subjects, allowing them to control and manage the handling of their personal data. Since the GDPR came into force, supervisory authorities in Germany and other EU countries have already imposed a large number of fines, often for non-compliance with data subjects' rights. The catalogue ranges from failing to provide information and missing deadlines, to failing to delete data despite the right to erasure. The right to data portability under Art. 20 GDPR is also a major challenge for companies.

Your ISiCO-Expert:
Dr Philipp Siedenburg
Operating Partner

What are data subjects' rights?

Data subjects' rights are the rights that Art. 12 et seq. GDPR grant to the individuals whose personal data are processed. They protect the right to informational self-determination (Art. 2 para. 1 GG in conjunction with Art. 1 para. 1 GG) and serve to ensure information and transparency.

Art. 12 para. 3 GDPR stipulates that requests from data subjects must be answered "at the latest" within one month. In exceptional cases, an extension of a further two months is possible. However, this extension cannot be generally justified by excessive workload, but requires a case-by-case assessment.

What are the rights of data subjects under the GDPR?

1. The controller's obligation to provide information (Art. 13, 14 GDPR)

Art. 13 GDPR and Art. 14 GDPR form a common complex. Together with Art. 15 GDPR, these provisions constitute an essential part (the "Magna Carta") of the rights of data subjects. Only with the information required by Art. 13 GDPR can the data subject properly assess the data processing and properly exercise his or her rights as a data subject. Art. 13 GDPR is therefore of fundamental importance.

The EU legislator has specified the principles of fair and transparent processing by defining certain information as an "obligation" of the controller towards the data subject. In this sense, Art. 13 para. 1 GDPR stipulates that the data subject must be provided with the contact details of the controller, the purpose (separately for each data processing operation) and the duration of the data processing, as well as information on the recipients of the personal data, the legal basis for the data processing and a comprehensible balancing of interests.

According to Art. 13 (1) and (2) GDPR, the data subject must also be informed about all data subject rights, i.e. the existence of a right of access, rectification, erasure, restriction, objection and data portability. In addition, the data subject must be informed of the extent to which the decision-making process is based solely on automated data processing (in particular, profiling). It should be noted that the information must be provided to the data subject when the data are collected, e.g. when ordering a newsletter or concluding a purchase contract in the context of e-commerce, but possibly also before the purchase contract is concluded, e.g. when registering for a user account.

Art. 12 para. 1 GDPR requires that the information to be provided to the data subject be presented in a "transparent, intelligible and easily accessible manner, using clear and plain language". This means that the information must be understandable to the respective addressees, e.g. by avoiding ambiguous formulations, foreign words and complicated sentence constructions in data protection notices and formulating them in everyday language. According to the GDPR, it is sufficient to communicate the information orally, in writing or electronically.

In addition to the above-mentioned obligation to use simple language, particular attention must be paid to the use of age-appropriate and child-friendly language, especially when dealing with children. According to Art. 13 para. 4 GDPR, the obligation to provide information does not apply only where, and insofar as, the data subject already has the information in question. Companies bear the burden of proof in this regard.

Art. 14 GDPR also regulates corresponding information obligations in the event that the data was not collected by the data controller itself, but by third parties (e.g. credit agencies regarding creditworthiness). The company's information obligations in the event of data collection by third parties are generally comparable to those under Article 13 GDPR. In addition, the company is required to disclose the source of the information.

In contrast to Article 13 GDPR, the information does not have to be provided immediately in all cases, but at the latest within a maximum period of one month after obtaining the data. However, if the personal data are to be used for communication with the data subject, the information must be provided at the latest at the time of the first contact.

2. The controller's active information obligation is mirrored by the data subject's extensive right of access (Art. 15 GDPR)

Art. 15 GDPR grants a right to comprehensive information about the processed personal data and the specific circumstances of the data processing. The right of access is limited by conflicting rights of third parties. In particular, this means that information on business secrets must not be provided. Art. 15 GDPR is highly relevant in practice and is likely to become even more so in the future.

The right of access is structured in two steps. In the first stage, the data subject has the right to be informed whether personal data relating to him or her are being processed. If not, the controller must provide negative information. In the second stage, if processing is taking place, the data subject has a right of access to the personal data being processed and to certain additional information.

The data subject may request information about the data processing at reasonable intervals. In principle, the request may be made in any form. In response to such a request, the controller must provide information on the purposes of the data processing, the categories of personal data being processed and the recipients or categories of recipients to whom the data have been or will be disclosed.

The right of access also covers other information such as:

  • the intended retention period or the criteria used to determine this period;
  • information on the individual rights of data subjects (such as the right to rectification, erasure, restriction of processing, the right to object, and the right to lodge a complaint with a supervisory authority);
  • the existence of automated decision-making, including profiling, and, where applicable, its effects on the data subject;
  • information on the appropriate safeguards for data transfers to third countries or international organisations.

In addition, pursuant to Art. 15 (3) GDPR, the data subject has the right to obtain, free of charge, a copy of the personal data processed about him or her. The controller may charge a reasonable fee for further copies. A data subject is not requesting a "further" copy, however, if he or she submits a new request for information and the controller's database has changed significantly since the last copy was provided. The content and scope of the right to a copy of the data nevertheless remain highly controversial in detail. Depending on the amount of data involved, providing the information can be very extensive. In such cases, it is advisable to integrate the preparation of the data into the ongoing business processes in advance, so that access requests can be handled as part of a routine process.

3. The right to rectification (Art. 16 GDPR)

If a data subject's personal data have been processed inaccurately, the data subject has the right to rectification without undue delay. The right to rectification is closely linked to the right of access under Art. 15 GDPR: without access to the personal data processed about them, data subjects would not be able to exercise their right to rectification. The right to rectification consists of two components: the data subject may request both the correction of inaccurate data and the completion of incomplete data.


4. The right to data erasure (Art. 17 GDPR)

The right to erasure (Art. 17 GDPR) implements the so-called "right to be forgotten". The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

  • storage of the data is no longer necessary for the purpose for which it was collected;
  • the data subject withdraws his or her previously given consent to the data processing;
  • the data subject has objected to the processing and there is no overriding legitimate interest in the processing (in the case of Art. 21 (2) GDPR, the data must be erased irrespective of any interest in the processing);
  • the data have been processed unlawfully;
  • the company is obliged to erase the data by a legal obligation (under EU law or the national law of a Member State);
  • the personal data were collected in connection with the provision of information society services, as referred to in Art. 8 (1) GDPR.

There are also a number of exceptions under Art. 17 (3) GDPR where the obligation to erase does not apply. The most important exception is that the erasure obligation does not apply if the controller is legally required to keep the data, for example under retention obligations based on labour, tax or commercial law.

5. The right to restriction of processing (Art. 18 GDPR)

According to Art. 18 GDPR, the data subject has the right to restrict the processing. This provision aims to strike a provisional balance between the interests of the data subject in the protection of the right to informational self-determination, and the interests of the controller in the processing of personal data. The data subject has the right to obtain from the controller the restriction of processing in any of the following cases:

  • the data subject disputes the accuracy of the data;
  • the processing is unlawful;
  • the data are needed by the data subject for the assertion of legal claims even though the purpose of the data processing has ceased to exist; or
  • the data subject has objected to the processing pursuant to Art. 21 (1) GDPR, pending verification of whether the controller's legitimate grounds override those of the data subject.

Once processing has been restricted under Art. 18 GDPR, the data may be processed further only under particularly strict conditions and for specific purposes. The personal data in question do not have to be deleted, but may no longer be processed in any other way. To this end, data whose processing is to be restricted must be marked accordingly and handled in line with that marking.

6. The right to data portability (Art. 20 GDPR)

The right to data portability (or "right to data") was created for the first time by the GDPR. The provision is intended to give the data subject more effective control over his or her data and to counter lock-in effects by facilitating "provider switching", thereby promoting competition. It gives the data subject the possibility to receive the data stored about them (e.g. on social media) in a portable format for the purpose of transmission or, where technically feasible, to have the data transmitted directly to the other provider. This is intended to counter monopolies that could otherwise arise because the data subject fears that setting up a new profile with a competing provider would take too long.

However, this provision only covers data that the data subject has provided to the controller. In particular, this is data that the data subject entered himself or herself when creating a user account or when writing "posts" on social media. It is still unclear whether data collected during interaction with the controller's service, such as data collected by "smart devices" or "wearables", are also covered.

As the data provided by the data subject may contain information not only about himself but also about third parties, Art. 20 para. 4 of the GDPR stipulates that the right to data portability must not adversely affect the rights and freedoms of others. This means that, in the case of data relating to third parties, the fundamental rights and interests of the data subject must be weighed against those of the other data subject. Finally, the right to data portability does not exist if it is used for unfair or abusive purposes.

7. Do data subjects' rights apply equally in all member states?

One of the objectives of the GDPR is to create a uniform level of data protection in all Member States. However, the GDPR contains so-called "opening clauses" in many places (e.g. Art. 85 para. 2 GDPR), which allow Member States to enact their own national regulations within certain limits. In particular, the so-called media privilege, which the German legislator has regulated in Section 57 of the Interstate Broadcasting Treaty (RStV), must be taken into account. In abstract terms, the media privilege has the effect of largely exempting the press, broadcasting and telemedia from data protection requirements.

Conclusion and recommendations for action: How important are data subjects' rights?

Data subjects' rights are one of the central pillars of the GDPR. Violations are punished by the supervisory authorities with heavy fines. For the data subject, these rights are both a means of communication and a means of oversight in relation to the controller. No company can avoid compliance with the GDPR; it is one of a company's fundamental legal obligations towards its customers. For this reason alone, companies must pay close attention to how their handling of data protection law is perceived externally. A well-managed data protection function that fulfils the rights of data subjects quickly, comprehensively and reliably is a strong advertisement. Inquiries from data subjects should therefore always be taken seriously and used as an opportunity to review and improve the quality of the data protection processes in place.
