Your rights under the General Data Protection Regulation (GDPR)

In our increasingly digital world, data protection plays a more important role every day. With the new General Data Protection Regulation (GDPR), the European Union significantly strengthens your rights with regard to the careful handling of your personal data.

In this article, we want to give you a detailed overview of the rights you have thanks to the GDPR. If you are looking for a short summary instead, have a look at this article.

What is the GDPR?

The GDPR is an EU regulation that will enter into force on May 25, 2018. The aim of the GDPR is to give EU citizens better control over their personal data. By making the regulation of data protection uniform throughout the EU, the legal situation for both citizens and companies is to be made clearer and bureaucracy reduced.

The GDPR predominantly replaces previous national data protection law, such as the British Data Protection Act 1998 (DPA). In individual aspects, however, it still allows the member states an individual interpretation in national legislation. As an EU regulation, it is directly applicable law in all EU member states, without these having to implement it in their national law.

Rights of data subjects

The GDPR recognises the fundamental right of individuals to the protection of their personal data (as defined by Art. 8(1) of the Charter of Fundamental Rights of the European Union). This right is to be balanced with the long-established reality of a world in which the exchange and processing of data play an ever increasing role in the everyday life of every human being and provide us with indispensable advantages:

Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. […] Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.
Recital 6 of the GDPR

In order to achieve this balancing act, high demands are made on the collection and processing of personal data and extensive rights are guaranteed for the data subjects towards the controllers.

Many of the rights (such as the right to access personal data) also existed in previous legislation in the UK and other countries. However, the GDPR will extend these rights and, most importantly, implement them in an EU-wide and clear manner.

Right to transparent information

An important principle of the GDPR is transparency towards you as the data subject. Entities that want to process your personal data have a comprehensive duty to disclose detailed information.

These obligations are specifically laid down in Articles 12 and 13 GDPR. The data controller not only has to provide you with the name and contact data of the responsible body for the processing, but also the purposes for which your data is to be processed, the duration of storage, which recipients it will be forwarded to and if there is the intention to transfer it to a non-EU country (Art. 13(1), (2) GDPR).

This information has to be provided directly at the time of data collection. This ensures fair and transparent processing in which you can make an informed decision as to whether you agree to the processing.

Right of data access

Another important right is the right of data access, which is defined in Art. 15 GDPR. First of all, it enables you to request confirmation from companies and other organisations as to whether personal data relating to you is being stored (Art. 15 (1) sentence 1 GDPR). If this is the case, you can request a free copy of the data stored on you (Art. 15 (3) GDPR).

However, you can also request a great deal of additional information with regard to the processing of your data (Art. 15(1), (2) GDPR). These include, for example:

  • the purposes of the processing,
  • the categories of personal data concerned,
  • the recipients to whom the data have been or will be disclosed,
  • the envisaged period for which the personal data will be stored,
  • the sources of the data, if they were not collected directly from the controller,
  • if scoring is performed: your computed scores and meaningful information about the logic behind them,
  • if your data is transferred to a non-EU country: how they ensure that your rights are respected.

Right to data portability

The right to data portability has not existed up until now; it is being introduced by Art. 20 GDPR. It is supposed to enable you to receive your data “in a structured, commonly used and machine-readable format” and “to transmit [it] to another controller” (Art. 20(1) GDPR).

This right is aimed in particular at users of social networks and cloud services. So far, providers have often used proprietary systems that, to the providers' own benefit, have prevented users from moving to another platform. The aim is to put a stop to this, in order to give you greater freedom in choosing the platforms that suit you, but also to prevent monopolies.

Since the right to data transfer is still very new, there are very few details on how it will be implemented in practice. However, some companies such as Facebook and Google are already providing initial solutions in the form of online tools, which you can use to download your data in the JSON format, for instance. It will be exciting to see how this will unfold in the future.

Right to rectification

In some cases, the data a company has stored about you may be incorrect or incomplete. The right to rectification as laid down in Art. 16 GDPR guarantees you the ability to request rectification from the company in this case.

This right is particularly exciting with regard to credit agencies such as Experian and Equifax, who collect data on your payment history, your banking transactions, mobile phone contracts and many other things in order to calculate payment probabilities and the like. If the calculation is based on inaccurate data, this can have very negative consequences for you.

It is important to note that according to Art. 19 GDPR, the controller not only has to correct your data, but also has to communicate the correction to all recipients, such that they also carry it out in their systems accordingly.

Right to be forgotten

If you want a company to delete personal data that they have stored on you, you can use the right to be forgotten, which is defined in Art. 17 GDPR. This right allows you to request the immediate deletion of data concerning you under certain circumstances.

The prerequisites for this are given, for example, if

  • the data is no longer necessary for the purposes for which it was collected (Art. 17(1) lit. a GDPR),
  • you revoke your consent to the processing (Art. 17(1) lit. b GDPR),
  • the data has been processed unlawfully (Art. 17(1) lit. d GDPR).

However, there are also some cases in which the right is restricted and deletion is not granted. Restrictions include, for example:

  • if the right to freedom of expression and information outweighs your right to erasure (Art. 17(3) lit. a GDPR),
  • if there is a legal obligation to store the data (Art. 17(3) lit. b GDPR),
  • the use for archiving and scientific or historical research purposes in the public interest (Art. 17(3) lit. d GDPR),
  • for the assertion of legal claims (Art. 17(3) lit. e GDPR).

Art. 19 GDPR also applies to requests concerning the deletion of data and therefore the controller has to inform all recipients about the deletion, so that they also apply it in their systems.

How do I exercise these rights?

In general, you can assert all of the above rights towards a company by means of an informal request. You can also use our generator to generate requests automatically and at the same time make use of our extensive company database.