The rights of data subjects are one of the most controversial data protection issues. This page gives you an overview and answers important questions:
Intro: What are the most important facts about the rights of data subjects?
Requirements: What does the law say about the rights of data subjects?
Duties: What specific measures need to be implemented when it comes to data subject rights?
With the so-called data subject rights, the GDPR enables individuals to influence the processing of their data.
The rights of data subjects include the rights to erasure, rectification, restriction, revocation, objection, information and data copying, data portability and the right not to be subject to a purely automated individual decision. Furthermore, the data subject has the right to lodge a complaint with a data protection supervisory authority at any time. This authority is then obliged to investigate the complaint.
Each right has its own function and may influence the exercise of other rights. For example, the right of access enables a person to obtain information about the data stored about them. This knowledge in turn forms the basis for requesting the erasure and/or rectification of certain data. If erasure is not possible because the data is subject to retention obligations, for example, there may be a right to restrict processing, i.e. to block access to the data.
With the rights of revocation and objection, the data subject can “stop” individual data processing in certain cases (e.g. marketing).
All rights can be exercised free of charge and cannot be withdrawn from the person. It is also not possible to have the person consent to a waiver of their rights. A deadline of one month from receipt of the request applies for responding to the rights.
In the GDPR, the individual rights are listed transparently, starting with Art. 11 GDPR and ending with Art. 22 GDPR. In addition to these articles of the GDPR, the German Federal Data Protection Act specifies the scope and exercise of individual rights. At an even more granular level, individual sector-specific laws contain specifications of the individual rights.
The company must ensure that it is able to respond to all rights in a timely manner. Appropriate technical and organizational precautions must be taken to this end. For example, all data processing employees should be informed (e.g. by means of guidelines) about who, how and when data subject rights are to be fulfilled.
ᐅ Find out which other privacy clusters have to be considered with respect to European data protection law.
familiar with the characteristics of small and large companies
experienced in communicating with data protection authorities
active in data protection for over 10 years.
