The General Data Protection Regulation offers individuals whose data is processed extensive rights against the processor. These so-called data subject rights are not a theoretical legal construct, but a regularly occurring issue in day-to-day business. Requests for information from customers, applicants or former employees are on the rise, as are complaints to supervisory authorities. For companies, this means that data subject rights must be prepared in organizational terms and implemented in a legally compliant manner.
Data subject rights under the GDPR: Legal basis
The GDPR aims to create transparency regarding the processing of personal data and to enable individuals to control the use of their data. Companies are therefore obliged not only to provide data subjects with information about the processing, but also to give them specific options to intervene.
Data subjects’ rights are therefore typically explained as part of the data protection information. This is reflected, for example, in corresponding text blocks in data protection declarations or in customer information. There, companies must transparently explain what rights exist and how these can be exercised.
The right of access under Art. 15 GDPR is particularly relevant in practice. Data subjects can request to know whether and which personal data about them is being processed. In addition, according to Art. 15 para. 3 GDPR, data subjects are entitled to a copy of the processed personal data free of charge. In practice, this can involve considerable effort, especially if data is stored in several IT systems. However, the right of access is occasionally restricted by the need to maintain confidentiality for trade secrets. For details of this right, see also “Right of access under the GDPR – requirements for companies”.
Closely linked to this is the right to erasure in accordance with Art. 17 GDPR. It obliges companies to erase personal data if the purpose of the processing no longer applies or consent is withdrawn. Exceptions exist, for example, in the case of statutory retention obligations.
In addition, the GDPR provides for the following rights, among others:
- Right to rectification of data
- Right to restriction of processing
- Right to data portability in a machine-readable format
- Right to object to certain processing, in particular to direct advertising
- Right to revoke consents granted
- Protection against exclusively automated decisions including profiling
- Right to lodge a complaint with a data protection supervisory authority
Requirements and risks
Companies must generally respond to requests from data subjects within one month. In complex cases, the deadline can be extended by a further two months. However, it is important that the data subject is informed of the extension within the first month.
At the same time, companies must ensure that requests are only processed by authorized persons. Careful identity checks are therefore essential.
In practice, problems often arise where there are no clear internal processes for processing. It is also conceivable that requests for information are used strategically – for example in labor law disputes or in the context of disputes with business partners. Incomplete or delayed responses can not only lead to complaints to supervisory authorities, but also to claims for damages.
Best practice: How companies should implement data subject rights in their organization
Pragmatic and legally compliant handling is best ensured by orderly data protection management, supplemented by further measures such as a central contact point, clear deletion processes, standardized response templates and regular employee training.
Conclusion
Data subject rights are one of the central obligations of data protection law. For companies, this not only means legal responsibility with a potential risk of damages, but also a need for organizational action. Those who establish clear processes, sensitize employees and have their data structures under control significantly reduce legal risks and at the same time strengthen the trust of customers, employees and business partners.