Article 15 – 21 Rights of the data subject

The data subject has several rights outlined in Article 15 to 21 of the GDPR.
These are:

  • The right of access by the data subject
  • The right to rectification
  • The right to erasure (“right to be forgotten”)
  • The right to restriction of processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated individual decision-making, including profiling

Right of access by the data subject

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. If this is the case, the data subject has access to the personal data and the following information:

  • the purposes of the processing
  • the categories of personal data concerned
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
  • the right to lodge a complaint with a supervisory authority
  • where the personal data are not collected from the data subject, any available information as to their source
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

Where personal data are transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.

Access to personal data must be granted without undue delay and in any event within a one-month period which can be extended by two further months.

Georgine Berger

“Where the data subject makes the request by electronic form means, information must also be provided by electronic means (Article 12 para 3 of the GDPR).”

FAQs

How do I have to inform the data subject?

The controller must provide the information to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information must be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, if the identity of the data subject is proven by other means.

On a website, the information obligation can be fulfilled in the form of a clearly visible link to a privacy policy at the bottom of each page.

Offline, the information can be provided on a separate information sheet or by reference to a notice board if the data is collected directly (for example, on business premises).

In the case of personal contact – e.g., by filling out a form – an information sheet can be enclosed, if the form refers to the additional sheet.

In the case of a telephone call in which data is collected, certain information must be provided directly in the conversation, and additional information can be referred to the website or a subsequent mailing.

How can I check the identity of the data subject?

To check the identity of the data subject, the controller may only request additional information if he has reasonable doubt about the data subject’s identity. The controller may not request an identification document from the data subject.

For example, if there was already e-mail communication between the controller and the data subject and the request came via the same e-mail, this is sufficient verification of the identity.

Can I charge the data subject for the information?

The information must be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee or refuse to act on the request.

The data controller must provide a free copy of the personal data upon request by the data subject. For any additional copies requested by the data subject, the data controller may charge a reasonable fee.

In what form must the information be given?

The information must be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, if the identity of the data subject is proven by other means.

What happens if I give the information to the wrong person?

If you provide the information required under the GDPR to the wrong person, instead of the intended data subject, it can be considered a breach of the data subject’s privacy rights (“data breach”) and a violation of the GDPR. For more information see the article on [data breach].

In what period do I have to give information to the data subject?

The controller must provide information to the data subject without undue delay after his or her request and in any event within one month of receipt of the request.

That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. In the case of such extension, the controller must inform the data subject about the extension within one month of receipt of the request, together with the reasons for the delay.

What happens if I give wrong information to the data subject?

Besides potential reputational damage, if you provide incorrect or inaccurate information to a data subject, you might violate the GDPR.

Data subjects have various rights under the GDPR, such as the right of access, rectification, erasure, and restriction of processing. If you provide incorrect information regarding these rights or fail to provide the necessary information to exercise these rights, the data subject may be unable to effectively exercise their rights or take appropriate actions to control their personal data.

This can lead to investigations, and potential fines or penalties imposed by the relevant data protection authority.

To mitigate the potential consequences, it is important to promptly rectify any incorrect information provided to data subjects. This may involve issuing corrected information, clarifying any misunderstandings, and ensuring that the accurate and updated information is provided to the data subjects in a timely manner. Taking corrective actions and demonstrating a commitment to rectifying the situation can help alleviate the negative impact and restore trust with the data subjects.

It is crucial to have proper data management processes in place, including data quality control mechanisms, regular data audits, and staff training, to minimize the likelihood of providing incorrect information to data subjects and to maintain compliance with the GDPR.

What must be considered when providing information?

The information must be provided to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information must be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, if the identity of the data subject is proven by other means.

The controller must provide information to the data subject without undue delay after his or her request and in any event within one month of receipt of the request.

That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. In the case of such extension, the controller must inform the data subject about the extension within one month of receipt of the request, together with the reasons for the delay.

What can I do to avoid oversharing of information?

Employees should receive training on how to act from a data protection perspective. This is crucial to reduce the risk that employees will release data rashly in response to requests.

Does a processor have information obligations vis-à-vis the data subject?

The primary responsibility for fulfilling the information obligations lies with the controller. The processor does not have direct information obligations vis-à-vis the data subjects under the GDPR.

If a request is mistakenly addressed to a processor, the processor does not have an explicit duty to forward the request to the controller. However, the processor has a duty to assist the controller.

Forwarding a request for information to the controller is therefore recommended.
