Rights of data subjects: What you need to know about the protection of personal data
In principle, this is not a completely new topic. There are already rules in the Federal Data Protection Act (BDSG) which deal with the rights of data subjects. These include, for example:
Art. 12 of the General Data Protection Regulation, however, clarifies and extends them. As soon as you collect personal data, you are obliged to comply with the GDPR guidelines. These include, among others, information and transparency regulations. In this guide, we discuss each individual point and explain to you which security measures you must take with regard to the rights of data subjects.
1. Right to information
You are accountable not only to supervisory authorities, but also to the persons whose data you collect. This is regulated by law in Art. 13 GDPR. You must therefore inform customers, employees and/or business partners about the following points:
- Contact details of the controller (company or data protection officer)
- Processing purpose
- Processing duration
- Right of objection
- Legal basis
- Rights of data subjects
- Automatic data processing
- Categories of recipients
- Transfer to third countries
- Legitimate interest
You are obliged to disclose to the data subjects all information relating to the processing of personal data at the very moment when you start collecting it. Here is an example:
- When a customer registers on your website, data is collected. You must inform them of this.
- If they place an order after registration, you must inform them of the processing.
- If you want to protect the rights of data subjects, this must be done in a transparent and comprehensible manner.
A data protection declaration is the preferred medium for many companies to comply with their duty to provide information.
2. Right to information
Every data subject has the right to know more about the personal data processed. You may not deny them this right. Art. 15 GDPR stipulates that this procedure may be repeated at appropriate intervals. If someone therefore exercises their right of access, you must tell them what data was collected, at what time and for what reason. Many people now use this area of data subjects’ rights to find out where their data is stored. For years now, Facebook platform members have been trying to gain a comprehensive insight into the information that has been collected. The new GDPR now makes this possible. Information can be provided in writing, electronically or orally.
3. Right to rectification
It can quickly happen that data is transmitted incorrectly or incompletely. If someone becomes aware of this fact, they can exercise their data subject right in accordance with Art. 16 GDPR and order a rectification. You must comply with this.
4. Erasure of data
With Art. 17 GDPR, the EU has responded to the wishes of the people and now made it possible for you to be forgotten. If you collect personal data, you must explicitly draw the attention of customers, employees and business partners to this fact and delete it from existing data at their request. As a rule, this should be done without delay, provided there is no conflict with the legally prescribed storage obligations.
To exercise this right, however, you must have at least one of the following reasons:
- The necessity of data storage expires.
- Everyone has the right to revoke their consent. If this happens, you must delete the information.
- You process content unlawfully and without permission.
- The data subject has lodged an objection.
- The consent was given by a minor who is now claiming their right to deletion.
If you have used a third-party company to collect personal data, you must also inform them of the deletion.
However, as soon as there is a legal obligation (e.g., contracts), you do not have to delete the data. The same applies if a scientific purpose predominates, if there is a public interest (health data) or if processing takes place in the name of freedom of opinion and information.
5. Processing restriction
Data subject rights also apply if someone explicitly objects to the processing. Art. 18 GDPR permits this procedure under the following circumstances:
- The data collected is incorrect.
- The processing was unlawful.
- The purpose of use is no longer given.
6. Data portability
Data subjects now have the possibility to give permission to the data controller to transfer the collected information to another provider. Facebook serves as an example. If users decide to switch platforms, they now have the right to change the content that is displayed. Facebook is then obligated to display the content in the selected way. Art. 20 GDPR also states that anyone can request the disclosure of the collected personal data.
Right of objection
Of course, the right of objection enshrined in Art. 21 GDPR is also one of the data subject rights. This gives everyone the opportunity to object to the use of their own data for advertising purposes. If it turns out that you nevertheless use the collected information for advertising purposes, a GDPR warning may be issued. The consequences are horrendous fines.
Take data subject rights seriously
Start by informing your users, customers, employees and business partners in detail about their rights. A data protection declaration is suitable for this purpose. A data protection expert will be on hand to help you when you complete your GDPR checklist.
Create a procedure directory in which you list all the data collected. Then you will have it quickly at hand if someone makes use of their rights.
Follow the request of the data subject immediately (if possible) in order to avoid a warning or fine.