GDPR: Affected five times over
Compared to the German Federal Data Protection Act (BDSG), the GDPR brings little that is new in terms of 'data subject rights', with the exception of the right to data portability. However, it often makes the vague requirements of the BDSG considerably more specific. The new data subject rights in detail:
1. The obligation to provide information (Art. 13 and 14 GDPR): This already exists in principle in the BDSG. However, it is no longer sufficient to simply state the identity of a data controller. In future, it will also be mandatory to provide contact details for both the processor and the responsible data protection officer. The legal basis on which data is collected and the intended duration of storage must also be stated. The biggest innovation is probably the fact that information must be provided unsolicited about every data transfer to a third country or an international organization. It must also be possible to withdraw consent at any time.
2. The right of access (Art. 15 GDPR): Every data subject has the right to know whether their personal data is being processed and to whom it is being forwarded. This corresponds roughly to Section 34 BDSG. However, the GDPR extends the scope of the information to be provided. In principle, the duration of storage, the purpose of use and the origin of the data must be stated. The person whose data has been collected has the right to rectification, erasure and complaint. All information must be provided free of charge (Art. 12 para. 5 GDPR).
3. The 'right to be forgotten' (Art. 17 para. 2 GDPR): Individuals whose data has been collected can request the erasure of their data, unless statutory retention periods apply (e.g. in criminal records). It is not yet clear whether data collectors must also enforce erasure with the subsequent institutions to which data has been forwarded - or whether there is only an obligation to inform them of the request.
4. The right to data portability (Art. 20 GDPR): This is a provision that has no counterpart in the BDSG. Data collectors must make their collected data available to the data subject on request in a 'structured, commonly used and machine-readable format'. This paragraph is primarily aimed at 'social networks'. Anyone who wants to switch from Facebook to another provider, for example, must receive their collected 'data treasure trove' (photos, texts, etc.) in a readable form that is compatible with the technical conditions on the new platform. The popular excuse of 'technical hurdles' therefore no longer applies. How this will work in practice is still unclear.
5. The right to object (Art. 21 GDPR): Any person who provides their data must be able to object to any form of further processing, for example for advertising purposes. However, this provision can already be found in the BDSG (Section 28 (4)).