Data Protection Basics - Data Subject Rights


Understanding Data Subject Rights and GDPR Compliance
As a result of the increasing digitization and documentation of our daily lives, both professional and private, personal data is increasingly entering the endless expanses of the Internet and file archives. Data subject rights are the instruments individuals can use to control the use of their personal data.
Whether through newsletter mailings, performance marketing, or consent management, personal data is collected and archived everywhere. When a company collects and processes the personal data of a natural person (or intends to do so), the General Data Protection Regulation (GDPR) comes into play. It grants the affected individuals certain rights, known as data subject rights, which you can use to protect your data.
What do we mean by data subject rights?
Data subject rights serve natural persons as tools with which they can influence the use of their data within the framework of informational self-determination. Through increased transparency, individuals whose data is collected for various purposes are meant to gain a clear overview of all their data and make self-determined decisions about its individual use. It is important to understand that data protection requests do not always have to be of a negative nature! For example, if you change your home address in your bank's customer portal, you automatically exercise your right to rectify your own data and submit a data protection request to your bank. But what are the implications of data subject rights for (young) companies?
In general, regardless of the type of request, a person has the right to know the following information about their personal data:
- What categories of data are involved, and for what purpose is the company collecting data in the present case?
- Who has access to the collected data and why?
- What method of data collection was employed, as long as it was not collected directly from the person themselves?
- What type of data retention is used, and how long is data storage planned?
- To what extent are personal data subjected to automated profiling, and what impact can this have on the individual?
Armed with this information, affected individuals have the opportunity to exert self-determination over their own data and information using data subject rights. There are a total of six different data subject rights, defined as follows:
1. The right to information
Under the so-called right to information, companies are obliged to inform natural persons transparently and comprehensively about the use of their personal data. This can be done in writing, electronically, or orally. The information about individual data usage must be provided within one month. Within the framework of the right to information, the affected person only receives information about the data collected.
2. Right to access
The right to access is structured in two stages and grants the affected person access to information about the data already processed and the specific circumstances of the processing. In the first stage, a natural person can inquire whether personal data about themselves has been collected and processed. If this is not the case, the company must respond with a negative answer. If the affected person's data is being processed, they have the right to access and to be informed about the nature and manner of the data processing and usage. In addition, a person has the right to receive the data in writing. Compared to the right to information, under the right to access the requesting person is also informed about their data subject rights and possible courses of action (against the use of their personal data).
3. Right to rectification
The right to rectification is closely linked to the right to access and the right to information, as affected individuals cannot exercise the right to rectification in most cases without knowledge of their personal data. If discrepancies arise in personal data, the affected person has two options: firstly, data records containing incorrect information about a person can be corrected, and secondly, incomplete data records can be revised and supplemented. Classic requests of this kind include, for example, address changes after moving.
4. Right to be forgotten
The right to be forgotten describes the right to data erasure and allows an affected person to request the immediate deletion of their personal data by the data controller. However, this right is not unconditional and can only be exercised on the following grounds:
- The affected person wants to withdraw their consent to data processing or wants to object to further use of their data, as it is no longer necessary (e.g., when changing doctors).
- The affected person can revoke the right to data processing if personal data has been processed unlawfully.
- If the affected person is a child or a young adult who has not reached the age of 16, special legal provisions apply. In addition, there may be further legal regulations or laws that prescribe special treatment of data and its deletion. For example, restaurants may only store data collected from guests during the COVID-19 pandemic for a maximum of two weeks.
5. Right to restrict processing of data
The right to restrict processing of data can be seen as a milder means compared to the right to erasure, as it restricts rather than ends the use of personal data by companies. When an affected person exercises the right to restrict data usage, the corresponding data is blocked for general use but can still be used for the relevant permitted purposes. Affected persons can block their data for the following reasons:
- The affected person can doubt the accuracy of the data and/or its lawful processing and can request the data to be blocked for further processing.
- Affected individuals can block their data if it cannot be deleted due to legal regulations or if deletion is blocked in connection with the right to withdraw consent.
6. Right to data portability
Companies can be obligated by an affected person to transfer collected and already processed data to third parties, such as another provider. Since the information of an affected person can also contain information about third parties, it must be ensured that the rights of third parties are not violated when transferring data.
Consequences of disregarding data protection regulations or missing deadlines
Mistakes happen quickly, and it is easy to lose track of complex topics such as data protection. While a spilled coffee cup usually has no significant repercussions, it's a different story when it comes to data protection: violating the General Data Protection Regulation can result in fines of up to 20 million euros or 4% of the annual total turnover for companies. For subsidiaries, the annual turnover of the parent company is also used as the basis for calculation. If you feel unsure about handling data protection requests or about the general implementation of data protection in your company's processes, seek professional assistance. Are you concerned about a data protection request or feel uncertain about implementing data protection? HeyData offers to inform you about the proper implementation of the General Data Protection Regulation in a non-binding conversation.