Art. 13 EU-GDPR Information to be provided where personal data are collected from the data subject
The data controller must inform the data subject about the purpose of the data processing.
Example: A company collects personal data at its stand during an exhibition. The data subjects concerned must be notified about how the data are to be processed, whether for a newsletter or for informational purposes. Processing the data for other purposes, e.g. selling them to a third party, is prohibited.
Art. 14 EU-GDPR Information to be provided where the personal data have not been obtained from the data subject
The data controller has the duty to notify the data subject about the source of the personal data and whether it is publicly accessible, if the data have not been obtained directly from the data subject.
Example: In the event of receiving a self-disclosure with wrong or incomplete information, the data subject has the right to apply for rectification of that data, since negative or incomplete references can potentially result in higher interest rates or declined credit.
Art. 15 EU-GDPR Right of access by the data subject
The data subject has the right to know which personal data are being processed, for how long and for which purpose.
Everyone has the right to know whether his personal data are being processed. If that is actually the case, the following information must be provided:
the purpose of the data processing
the categories of personal data concerned
the recipients or categories of recipients to whom the data have been or will be disclosed, particularly those in third countries or international organizations
the envisaged duration of the data processing; if not applicable, the criteria for determining that period (formal contract closing, for instance)
Additionally, the data subject is to be informed about his rights
to rectify, delete or restrict the processing of personal data
to file a complaint with a supervisory authority
to obtain any information about the source of the personal data, if they were not obtained directly from the data subject
Art. 16 EU-GDPR Right to rectification
The data subject is entitled to rectification of inaccurate personal data without undue delay.
Example: A change of name and/or address has to be processed in the system immediately.
Art. 17 EU-GDPR Right to erasure ("right to be forgotten")
Data subjects can now enforce the erasure of their personal data without undue delay if one of the following reasons applies:
the data are no longer necessary for the purpose for which they were collected
the data subject withdraws consent and there are no other legal grounds for the processing
the data subject objects to the processing pursuant to Art. 21 (1) or Art. 21 (2)
the personal data have been processed unlawfully
the personal data have to be erased for compliance with a legal obligation in national/EU law to which the controller is subject
Example: A customer can have his personal data deleted after cancelling the newsletter.
The reasons above do not apply if the processing is still required for:
exercising the right of freedom of expression and information
compliance with a legal obligation
reasons of public interest or the exercise of official authority, if the controller is vested with such authority
archiving, statistical, scientific or historical purposes
the establishment, exercise or defence of legal claims
Example: A customer has no right to erasure of personal data after the contract expires if conflicting legal regulations apply.
Art. 18 EU-GDPR Right to restriction of processing
The data subject has the right to obtain restriction of the processing of personal data. Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent, for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or a Member State. The right to restriction applies in the following cases:
the data subject contests the accuracy of the personal data
the processing is unlawful, but the data subject requests the restriction of processing instead of erasure
the data controller no longer needs the personal data for the original purpose, but the data subject requires them for the establishment, exercise or defence of legal claims
the data subject has objected to the processing, pending the verification whether the legitimate grounds of the controller override those of the data subject
Example: A customer has an optional customer card in addition to his valid contract. He can apply for erasure of the personal data connected to this card, but the processing of personal data for the original contract will not be affected.
Art. 19 EU-GDPR Notification obligation regarding rectification or erasure of personal data or restriction of processing
The data controller has the obligation to inform any third-party recipient to whom the personal data have been disclosed about the rectification or erasure of those data, unless this proves impossible or involves disproportionate effort. The controller must also inform the data subject about those recipients if the data subject requests it.
Example: An additional Amazon account is required to unlock a further service offered by the retailer. If details such as the customer's address or name have been disclosed to Amazon for that purpose, the data have to be rectified and Amazon informed of any changes.
Art. 20 EU-GDPR Right to data portability
The data subject has the right to receive her/his personal data in a structured, commonly used and machine-readable format. The data subject also has the right to transmit those data to another controller.
Example: A customer has the right to take her/his mobile number to a different carrier.
Art. 21 EU-GDPR Right to object
The data subject has the right to object to the processing of personal data, including profiling for direct marketing based on his personal data. The data subject has to be notified immediately about his right to object, in a clear manner and separately from any other information.
Example: A customer has to be informed about his right to object immediately on first contact.
Art. 22 EU-GDPR Automated individual decision-making, including profiling
The data subject has the right to contest any automated decision, including profiling, and to request a review.
Example: Large banks operate IT systems that use statistical elicitation and its repercussions to determine a credit risk value.
In summary, violations of the GDPR can result in significant sanctions for companies and private entrepreneurs (up to 4% of worldwide turnover). We recommend that our customers review their company's existing control measures to prevent heavy financial loss and reputational damage.