The rights of the data subject are set out in Chapter 3 of the GDPR, Articles 12-23. A summary list is included at the end of this article. One of the imperatives of the GDPR is the obligation of transparency. Consequently, data subjects must be informed at every stage of data processing about what happens to their data and, according to case law, what options they have to ensure sovereignty over their data. Thus, the rights of the data subject are basically clear. The question now is how a company can meet these requirements.
It may be hard to believe, but the right to erasure is claimed relatively frequently in Europe. What’s more, it’s not just an empty phrase, but a real right that customers also make use of. This is illustrated by the high number of requests for deletion of URLs from Google’s search results that Google has received so far. A total of 2.7 million EU citizens have already requested deletion. About one million have also been deleted. 88.6% of the applicants are private individuals. This underlines the importance of this right for private individuals.
What does the implementation of transparency and information requirements mean for companies?
As a business owner, you must:
- Inform data subjects about the right.
- Offer a way to submit a request for deletion.
- Assign a person to accept and process these requests.
In addition, it is important to build systems and processes so that data can actually be deleted. This becomes especially complex when data is processed further and transferred to third parties.
The following is a brief summary of Articles 12 to 23 of the GDPR:
Article 12: The data subject must be informed in a precise, transparent and comprehensible manner.
This can be done on request in oral form after identification of the data subject. Electronic information is also possible. In addition, the controller has the option of refusing to provide the information if he cannot credibly identify the data subject.
Normally, the responsible party must be able to provide information within a period of 4 weeks. However, the deadline can be extended by up to two months upon request. Nevertheless, it is part of the rights of the data subject to file a complaint with an authority. The controller, in turn, may also refuse to provide information if the request is manifestly disproportionate.
Article 13: Data collection from the data subject
Defines quite clearly what the data controller must inform about when collecting data.
Article 14: Data collection from non-data subjects
This article defines what the data controller must inform about when collecting data if the data collection did not take place from the data subject.
Article 15: Right of access by the data subject
Goes into detail about the data subject’s right of access.
Article 16: Right of rectification
Defines the right to rectification if data has been stored incorrectly or incompletely.
Article 17: Right to erasure
Defines the right to erasure. This article explains in detail the conditions under which a request for deletion must be made. The paragraphs of this article can be used to check whether and which data must be deleted in the event of a request for deletion.
In principle, however, the data subject’s right to erasure.
Article 18: Right to restriction of processing
Defines the conditions under which the data subject may request a restriction of processing from the controller.
Article 19: Notification obligation in connection with the rectification or erasure of personal data or the restriction of processing
This Article establishes the notification obligation for erasure, rectification or restriction of processing by the controller.
Article 20: Right to data portability
Defines the right to data portability. Accordingly, the data subject may request that the data stored about him or her be handed over upon termination and upon request. However, this right cannot always be guaranteed due to non-existent proportionality and a lack of technical requirements on the part of the company.
Article 21: Right to object
Defines the right to object. In addition, this article clarifies that the data subject may withdraw his or her given consent at any time and may require the data controller to inform the data subject of this right when giving consent. Moreover, this right is limited only by public interest.
Article 22: Automated decisions in individual cases, including profiling
Defines the right of the data subject with regard to automated decisions. The data subject has the right to object to decisions taken on an automated basis that legally affect him or her. Here is an example of how this article secures your rights in online banking. You have the right to have automated decisions reviewed by a person.
Article 23: Restrictions
Clarifies under what conditions the rights of data subjects are restricted with regard to the above articles and what obligations the legislator has in this regard. Among the grounds for restriction are national security, national defense and public safety.
Here you can find Articles 12 to 23 of the GDPR.