Background knowledge

Laws

from

Affected parties.

Rights of data subjects under the GDPR

The General Data Protection Regulation (GDPR) gives every data subject extensive laws to determine how their personal data is used. These data subject rights in data protection law enable every data subject to gain insight into data processing, have incorrect data corrected or even request the deletion of their data. Companies are obliged to implement these laws within strict deadlines – violations can lead to severe fines.

Right to information

The right of access enables the data subject to obtain confirmation from the controller as to whether and which personal data concerning him or her is being processed. In addition, the data subject is entitled to information on the processing purposes, the categories of data, the recipients and the planned storage period. This forms the basis for exercising further laws such as rectification or erasure.

Law on rectification

If the data of the data subject is incorrect or incomplete, he or she has the law to demand that it be corrected without delay. This law is closely linked to the right to information, as the data subject can only have incorrect data corrected once a complete overview has been provided.

Law on deletion (“right to be forgotten”)

The right to erasure enables the data subject to request the erasure of their personal data if it is no longer required for the purposes for which it was collected or if it has been processed unlawfully. However, there are exceptions, for example if there are statutory retention periods or the data is required for the defense of legal claims.

Law on restriction of processing

This law grants the data subject the option of restricting the further processing of their data under certain conditions. For example, the data subject can request a restriction if the data subject disputes the accuracy of their data and wishes the company to check it.

Law on data portability

With the law on data portability, the data subject can request that the data provided by them be transmitted in a structured, commonly used and machine-readable format or forwarded directly to another controller. This makes it easier to switch between providers and promotes competition.

Right of objection

The data subject may object to the processing of their personal data if this is based on the company’s legitimate interests or for direct marketing purposes. In the event of an objection, processing must either cease or compelling legitimate grounds for further processing must be demonstrated.

Law not to be subject exclusively to automated decisions

This law protects the data subject from being disadvantaged solely on the basis of automated procedures, such as profiling or AI-based decisions. It ensures that a human review always takes place in such cases.

Significance for companies

Companies must set up internal processes in order to respond to requests from data subjects in a timely (usually within one month) and comprehensive manner. Careful documentation and, if necessary, the appointment of an (external) data protection officer are important building blocks for meeting the legal requirements.