General rights of the data subject (EU General Data Protection Regulation)
Data subject
A “data subject” is a natural person whose personal data are being collected or are being used.
General information on data protection (Rights of the data subject)
Each data subject can assert his rights towards the responsible. It is possible to assert rights through Email, post or a provided form. It is possible to assert those rights through Email, post or a provided form. Equally, telephone inquiries are possible. However, they can only be accepted but not answered.
The responsible selects the media for his answer (post, Email, other media) and sends the answer to your question. Answers to data subject inquiries are free. If there are excessive inquiries, costs can be charged. The answer will be given within the legal deadline of one month. In exceptional cases, the deadline can be extended. Those cases are for instance a high number of inquiries or high complexity of inquiries. The extension must be justified.
In the following, the rights of the data subject are listed. To get an overview we listed those rights as bullet points. Every bullet point is a link to explanations. Each bullet point is also a link that leads to the explanation of this right.
- The Right of access
- The Right to rectification
- Right to erasure (“Right to be forgotten”)
- Right to restriction of processing
- Right to data portability
- The Right to withdraw the consent
- Right to object
- Right to lodge a complaint
If the data subject wants to assert his or her rights, he or she has to authenticate himself to the responsible to proof that he or she is legitimized to exercise a right.
The Right of access – Article 15 EU General Data Protection Regulation (EU GDPR)
The data subject can request the confirmation of the responsible that his or her data are processed. If personal data of the data subject are processed by the responsible, the data subject has the Right of access about those personal data and the information below:
- Purpose of data processing
- Category of personal data
- Recipient or categories of recipients; especially recipients in third countries
- Duration of storage or criteria, by which the data is deleted
- Information of the rights of the data subject (rectification, erasure, restriction of processing, Right to object)
- Information of the Right to lodge a complaint
- Information about the origin of the data, if the data was not collected from the data subject
- Information on automated decision making or profiling – if these are applied
The Right of access may not affect the rights and freedoms of others.
Right of rectification – Article 16 EU General Data Protection Regulation (EU GDPR)
It is the data subject’s right, to demand the immediate rectification of his or her personal data from the responsible. For incomplete data, similar right applies.
Any recipient of the personal data have to be informed about that by the responsible. (Article 19 EU GDPR)
The Right of erasure (“Right to be forgotten”) – Article 17 EU General Data Protection Regulation (EU GDPR)
It is the data subject’s right, to demand the immediate erasure of his or her personal data from the responsible, when:
- data is no longer required for the purpose of data processing
- the data subject withdraw his or her consent and there is no other legal basis for processing
- the data subject lodge a complaint against the processing and there are no other priority legitimate reasons for processing
- personal data are processed unlawfully
- erasure of personal data is required to fulfil a legal obligation
- the personal data were collected in relation to the information society services in accordance with Article 8 para. 1 EU GDPR
Any recipient of the personal data have to be informed about that by the responsible. (Article 19 EU GDPR).
Right to restriction of processing – Article 18 EU General Data Protection Regulation (EU GDPR)
It is the data subject right to demand the limitation of the processing from the responsible. For instance, this is possible, if:
- the personal data would be deleted by the responsible, but the data subject would be required to claim, exercise or defend against legal claims.
- the data subject has lodged the Right to object against the process, however, it is not determined yet, whether the legitimate reasons of the responsible outweigh those of the data subject.
Any recipient of the personal data have to be informed about that by the responsible. (Article 19 EU GDPR)
Right to data portability – Article 20 EU General Data Protection Regulation (EU GDPR)
It is the right of the data subject to receive the personal data, which he provided the responsible, if the processing is based on a consent (Article 6 para. 1 lit. a or Article 9 para. 2 lit. a EU GDPR) or a contract (Article 6 para. 1 lit. b EU GDPR). The responsible has to provide the data in a structured, common and machine-readable format for the data subject.
The Right to withdraw the consent – Article 7 EU General Data Protection Regulation (EU GDPR)
At any time it is the data subject’s right to withdraw his or her consent. The withdrawal does not cause the illegality of the processing (until the consent).
Right to object – Article 21 EU General Data Protection Regulation (EU GDPR)
At any time, it is the data subject’s right to object to processing because of personal reasons. If the responsible can proof compelling, worth protecting reasons, which outweigh the rights and freedoms of the data subject, the right to object does not apply..
Right to lodge a complaint – Article 77 EU General Data Protection Regulation (EU GDPR)
In accordance with Article 77 EU GDPR it is the data subject’s right to lodge a complaint with a supervisory authority.
Equally, you can complain or submit a request about the data processing to the data protection officer. Such a request or complaint is usually processed quickly.
In addition to administrative remedies, the data subject has the right to complain to a supervisory authority. Each federal state has its own supervisory authority. The data subject can address the complaint to the supervisory authority in his or her federal state or to the supervisory authority in the federal state of the responsible company. The supervisory authority in Germany is mostly the Landesbeauftragte für Datenschutz und Informationsfreiheit:
- Baden Württemberg: Landesbeauftragter für Datenschutz und Informationsfreiheit Baden Württemberg (»Webseite)
- Bayern: Bayrisches Landesamt für Datenschutzaufsicht (»Webseite)
- Berlin: Berliner Beauftragter für Datenschutz und Informationsfreiheit (»Webseite)
- Brandenburg: Landesbeauftragter für den Datenschutz und für das Recht auf Akteneinsicht Brandenburg (»Webseite)
- Bremen: Landesbeauftragte für Datenschutz (»Webseite)
- Hamburg: Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (»Webseite)
- Hessen: Der Hessische Datenschutzbeauftragte (»Webseite)
- Mecklenburg-Vorpommern: Der Landesbeauftragte für Datenschutz und Informationsfreiheit Mecklenburg-Vorpommern (»Webseite)
- Niedersachsen: Die Landesbeauftragte für Datenschutz NIedersachsen (»Webseite)
- Nordrhein-Westfalen: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (»Webseite)
- Rheinland Pfalz: Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz (»Webseite)
- Saarland: Unabhängiges Datenschutz Zentrum Saarland (»Webseite)
- Sachsen: Der Sächsische Datenschutzbeauftragte (»Webseite)
- Sachsen-Anhalt: Landesbeauftragter für den Datenschutz Sachsen-Anhalt (»Webseite)
- Schleswig Holstein: Unabhängiges Landeszentrum für den Datenschutz (ULD) Schleswig Holstein (»Webseite)
- Thüringen: Thüringer Landesbeauftragter für den Datenschutz und die Informationsfreiheit (»Webseite)
- or: The supervisory authority in your country