Rights of Data Subjects

Voigt, Paul; von dem Bussche, Axel

doi:10.1007/978-3-319-57959-7_5

Paul Voigt³ &
Axel von dem Bussche⁴

14k Accesses
3 Citations

Abstract

In order to effectively enforce the protection of individuals, data subjects have been granted different rights under the GDPR. Compared to the Data Protection Directive, the controller not only has reinforced information obligations but will also be affected by other new or reinforced data subject rights, such as the right to data portability and the ‘right to be forgotten’. Therefore, entities should identify their new obligations in a timely manner and implement effective mechanisms and internal procedures to respond to data subjects’ requests to exercise their rights. Non-compliance with such request can lead to considerable fines under the GDPR. This chapter gives details on the different data subject rights, including practical implications.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 84.99; Price excludes VAT (USA)

Softcover Book: USD 109.99; Price excludes VAT (USA)

Hardcover Book: USD 159.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

1.
v.d.Bussche/Zeiter, EDPL 2016, 576, 579; Gierschmann, ZD 2016,51, 53.
2.
Rec. 39 GDPR; Laue/Nink/Kremer, Datenschutzrecht, Informationspflichten (2016), rec. 1.
3.
Laue/Nink/Kremer, Datenschutzrecht, Informationspflichten (2016), rec. 1; in greater detail Krüger, ZRP 2016, 190, 190 et seq.
4.
Arts. 10, 11 Data Protection Directive.
5.
Rec. 59 GDPR.
6.
Rec. 58 GDPR.
7.
Kamlah, in: Plath, BDSG/DSGVO, Art. 12 (2016), rec. 2.
8.
Paal, in: Paal/Pauly, DSGVO, Art. 12 (2017), rec. 28.
9.
Paal, in: Paal/Pauly, DSGVO, Art. 12 (2017), rec. 26.
10.
Paal, in: Paal/Pauly, DSGVO, Art. 12 (2017), rec. 26.
11.
Rec. 59 GDPR.
12.
Walter, DSRITB 2016, 367, 373.
13.
Rec. 58 GDPR.
14.
Art. 12 Secs. 7, 8 GDPR. Such icons shall be, where presented electronically, machine-readable.
15.
Laue/Nink/Kremer, Datenschutzrecht, Informationspflichten (2016), rec. 20.
16.
Rec. 60 GDPR.
17.
Rec. 60 GDPR.
18.
Arts. 10, 11 Data Protection Directive.
19.
Art. 14 Sec. 3 lit. a GDPR.
20.
Please note that, pursuant to Recital 61 of the Regulation, where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to said recipient.
21.
Walter, DSRITB 2016, 367, 371.
22.
For further details see Paal, in: Paal/Pauly, DSGVO, Art. 13 (2017), recs. 22–23.
23.
Walter, DSRITB 2016, 367, 374.
24.
Rec. 61 GDPR.
25.
Art. 14 Sec. 5 lits. a-d GDPR.
26.
Pursuant to Recital 62 of the Regulation, such disproportionate effort could in particular exist where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration. Moreover, pursuant to Art. 14 Sec. 5 lit. b GDPR, such disproportionate effort could be identified where the information obligation would render impossible or seriously impair the achievement of the objectives of processing.
27.
v.d.Bussche/Zeiter/Brombach, DB 2016, 1359, 1360.
28.
Hunton & Williams, The proposed Regulation (2015), p. 18.
29.
Quaas, in: Wolff/Brink, BeckOK, Art. 12 (2016), rec. 4.
30.
Art. 12 Sec. 3 phrase 4 GDPR.
31.
Walter, DSRITB 2016, 367, 373.
32.
Art. 12 Sec. 5 phrase 2 GDPR.
33.
Quaas, in: Wolff/Brink, BeckOK, Art. 12 (2016), recs. 45–46; Paal, in: Paal/Pauly, DSGVO, Art. 12 (2017), rec. 63.
34.
Kamlah, in: Plath, BDSG/DSGVO, Art. 12 (2016), rec. 20.
35.
Example drawn from Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 21.
36.
Art. 12 Sec. 3 phrase 2 GDPR. The provision by electronic means shall take place, unless otherwise requested by the data subject.
37.
Art. 12 Sec. 3 GDPR.
38.
Kamlah, in: Plath, BDSG/DSGVO, Art. 12 (2016), rec. 15.
39.
Kamlah, in: Plath, BDSG/DSGVO, Art. 12 (2016), rec. 14.
40.
Art. 12 Sec. 4 phrase 2 GDPR.
41.
Paal, in: Paal/Pauly, DSGVO, Art. 12 (2017), rec. 60.
42.
Rec. 63 GDPR; Paal, in: Paal/Pauly, DSGVO, Art. 15 (2017), rec. 3; Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 22.
43.
Art. 15 Sec. 1 lits. a–h, Sec. 2 GDPR.
44.
Walter, DSRITB 2016, 367, 381.
45.
Rec. 63 GDPR.
46.
Art. 12 Sec. 5 GDPR.
47.
Rec. 63 GDPR.
48.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 27.
49.
Art. 15 Sec. 3 phrase 3 GDPR.
50.
Rec. 63 GDPR.
51.
Rec. 64 GDPR. Please note that, nevertheless, a controller should not retain personal data for the sole purpose of being able to react to potential requests.
52.
Walter, DSRITB 2016, 367, 385.
53.
Rec. 63 GDPR.
54.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 30; Zikesch/Kramer, ZD 2015, 565, 566–567.
55.
Rec. 63 GDPR.
56.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 31.
57.
v.d.Bussche/Zeiter, EDPL 2016, 576, 579.
58.
Wybitul, BB 2016, 1077, 1079.
59.
Walter, DSRITB 2016, 367, 386.
60.
Rec. 65 GDPR.
61.
Worms, in: Wolff/Brink, BeckOK, Art. 16 (2016), rec. 39.
62.
Worms, in: Wolff/Brink, BeckOK, Art. 16 (2016), rec. 41.
63.
Kamlah, in: Plath, BDSG/DSGVO, Art. 16 (2016), rec. 2.
64.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 34.
65.
Worms, in: Wolff/Brink, BeckOK, Art. 16 (2016), rec. 46.
66.
Worms, in: Wolff/Brink, BeckOK, Art. 16 (2016), rec. 49; Paal, in: Paal/Pauly, DSGVO, Art. 16 (2017), rec. 15.
67.
Worms, in: Wolff/Brink, BeckOK, Art. 16 (2016), rec. 53.
68.
See also Mallmann, in: Simitis, BDSG, § 20 (2014), rec. 17 et seq.
69.
Worms, in: Wolff/Brink, BeckOK, Art. 16 (2016), rec. 56; see also Mallmann, in: Simitis, BDSG, § 20 (2014), rec. 19.
70.
Worms, in: Wolff/Brink, BeckOK, Art. 16 (2016), rec. 56; see also Mallmann, in: Simitis, BDSG, § 20 (2014), rec. 19 et seq.
71.
Kamlah, in: Plath, BDSG/DSGVO, Art. 16 (2016), rec. 7.
72.
Kamlah, in: Plath, BDSG/DSGVO, Art. 16 (2016), rec. 10.
73.
Paal, in: Paal/Pauly, DSGVO, Art. 16 (2017), rec. 18; Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 36; Worms, in: Wolff/Brink, BeckOK, Art. 16 (2016), rec. 58; see also Brink, in: Wolff/Brink, BeckOK, § 35 (2016), rec. 13.
74.
Worms, in: Wolff/Brink, BeckOK, Art. 16 (2016), recs. 58–60.
75.
Paal, in: Paal/Pauly, DSGVO, Art. 16 (2017), rec. 20.
76.
Kamlah, in: Plath, BDSG/DSGVO, Art. 16 (2016), rec. 13.
77.
ECJ, ruling of 13 May 2014, Google Spain, C-131/12.
78.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 38; Paal, in: Paal/Pauly, DSGVO, Art. 17 (2017), rec. 2.
79.
Art. 17 Sec. 1 lits. a-f GDPR.
80.
Worms, in: Wolff/Brink, BeckOK, Art. 17 (2016), rec. 25.
81.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 41.
82.
Example drawn from Paal, in: Paal/Pauly, DSGVO, Art. 17 (2017), rec. 22.
83.
Worms, in: Wolff/Brink, BeckOK, Art. 17 (2016), rec. 38.
84.
Paal, in: Paal/Pauly, DSGVO, Art. 17 (2017), rec. 40.
85.
Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec. 11.
86.
Paal, in: Paal/Pauly, DSGVO, Art. 17 (2017), rec. 41.
87.
Rec. 65 GDPR; Laue/Nink/Kremer, Datenschutzrecht, Recht der betroffenen Person (2016), rec. 43; Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec. 12.
88.
Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec. 13.
89.
Arguing in this direction are Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016) rec. 13; Härting, DSGVO (2016), rec. 696; negatively see Worms, in: Wolff/Brink, BeckOK, Art. 17 (2016), recs. 45–48.
90.
Rec. 65 GDPR.
91.
Rec. 65 GDPR.
92.
Worms, in: Wolff/Brink, BeckOK, Art. 17 (2016), recs. 50–53; identifying the exception as an obligation to erasure of the controller without the need of such a request by the data subject: Schantz, NJW 2016, 1841, 1845; negatively as regards such a kind of obligation is Paal, in: Paal/Pauly, DSGVO, Art. 17 (2017), rec. 28; disapprovingly as regards a separate scope of application of this exception is Härting, DSGVO (2016), recs. 698.
93.
Trying to differentiate between withdrawal and erasure under this provision: Worms, in: Wolff/Brink, BeckOK, Art. 17 (2016), recs. 50–53.
94.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 45; Worms, in: Wolff/Brink, BeckOK, Art. 17 (2016), rec. 23.
95.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 52; Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), recs. 5–6.
96.
Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec. 5.
97.
Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec. 17; Worms, in: Wolff/Brink, BeckOK, Art. 17 (2016), rec. 81.
98.
Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec. 17.
99.
Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec. 17.
100.
Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec.17.
101.
ECJ, ruling of 13 May 2014, Google Spain, C-131/12, rec. 93; Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec. 17.
102.
Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec. 18.
103.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 50.
104.
Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec. 19.
105.
Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec. 19.
106.
Worms, in: Wolff/Brink, BeckOK, Art. 17 (2016), rec. 87.
107.
Worms, in: Wolff/Brink, BeckOK, Art. 17 (2016), rec. 87; Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec. 20.
108.
Worms, in: Wolff/Brink, BeckOK, Art. 17 (2016), rec. 55; Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 45; Paal, in: Paal/Pauly, DSGVO, Art. 17 (2017), rec. 30.
109.
Paal, in: Paal/Pauly, DSGVO, Art. 17 (2017), rec. 30.
110.
Worms, in: Wolff/Brink, BeckOK, Art. 17 (2016), rec. 56.
111.
Rec. 66 GDPR; Schantz, NJW 2016, 1841, 1845; Gierschmann, ZD 2016, 51, 54.
112.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 47.
113.
Härting, DSGVO (2016), rec. 723; Paal, in: Paal/Pauly, DSGVO, Art. 17 (2017), rec. 33.
114.
For details see ECJ, ruling of 13 May 2014, Google Spain, C-131/12, recs. 21, 89–99; Worms, in: Wolff/Brink, BeckOK, Art. 17 (2016), recs. 70–71; Paal, in: Paal/Pauly, DSGVO, Art. 17 (2017), rec. 37
115.
Under the GDPR, the concepts of Privacy by Design & Privacy by Default must be taken into account. For details see Sect. 3.7.
116.
For details see Worms, in: Wolff/Brink, BeckOK, Art. 17 (2016), rec. 71; Japsers, DuD 2012, 571, 572–573.
117.
Arguing for the use objective criteria is Kamlah, in: Plath, BDSG/DSGVO, Art. 17 (2016), rec. 15; and for the use of subjective criteria is Paal, in: Paal/Pauly, DSGVO, Art 17 (2017), rec. 36; Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 48.
118.
See recs. 13, 98, 132, 167 GDPR.
119.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 48.
120.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 48.
121.
Paal, in: Paal/Pauly, DSGVO, Art. 17 (2017), rec. 37.
122.
For details see Paal, in: Paal/Pauly, DSGVO, Art 17 (2017), rec. 37; Holznagel/Hartmann, MMR 2016, 228, 232; Leutheusser-Schnarrenberger, ZD 2015, 149, 150.
123.
Paal, in: Paal/Pauly, DSGVO, Art. 18 (2017), rec. 3; Worms, in: Wolff/Brink, BeckOK, Art. 18 (2016), recs. 1–2.
124.
Paal, in: Paal/Pauly, DSGVO, Art. 18 (2017), rec. 3; Worms, in: Wolff/Brink, BeckOK, Art. 18 (2016), recs. 1–2.
125.
Kamlah, in: Plath, BDSG/DSGVO, Art. 18 (2016), rec. 5.
126.
Paal, in: Paal/Pauly, DSGVO, Art. 18 (2017), rec. 16.
127.
Kamlah, in: Plath, BDSG/DSGVO, Art. 18 (2016), rec. 8.
128.
Apparently positively Härting, DSGVO (2016), rec. 710; negatively see Worms, in: Wolff/Brink, BeckOK, Art. 18 (2016) rec. 35; and demanding an erasure of the personal data as the result of an unsuccessful verification: Kamlah, in: Plath, BDSG/DSGVO, Art. 18 (2016), rec. 8.
129.
Kamlah, in: Plath, BDSG/DSGVO, Art. 18 (2016), recs. 6–7.
130.
Worms, in: Wolff/Brink, BeckOK, Art. 18 (2016), rec. 39; Kamlah, in: Plath, BDSG/DSGVO, Art. 18 (2016), rec. 10.
131.
Paal, in: Paal/Pauly, DSGVO, Art. 18 (2017), rec. 14; Worms, in: Wolff/Brink, BeckOK, Art. 18 (2016), rec. 47.
132.
Rec. 67 GDPR.
133.
Rec. 67 GDPR.
134.
Kamlah, in: Plath, BDSG/DSGVO, Art. 18 (2016), rec. 16.
135.
Worms, in: Wolff/Brink, BeckOK, Art. 18 (2016), rec. 50.
136.
Worms, in: Wolff/Brink, BeckOK, Art. 19 (2016), recs. 1, 6; Paal, in: Paal/Pauly, DSGVO, Art. 19 (2017), rec. 3.
137.
Kamlah, in: Plath, BDSG/DSGVO, Art. 19 (2016), rec. 6.
138.
Worms, in: Wolff/Brink, BeckOK, Art. 19 (2016), rec. 6.
139.
Rec. 68 GDPR.
140.
Gierschmann, ZD 2016, 51, 54; Paal, in: Paal/Pauly, DSGVO, Art. 20 (2017), rec. 4.
141.
Schantz, NJW 2016, 1841, 1845; Art. 29 Data Protection Working Party, WP 242 (2016), pp. 3–4.
142.
Gierschmann, ZD 2016, 51, 54; Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 59.
143.
Examples drawn from Paal, in: Paal/Pauly, DSGVO, Art. 20 (2017), rec. 6; Schantz, NJW 2016, 1841, 1845; Wybitul/Rauer, ZD 2012, 160, 162; Jülicher/Röttgen/v. Schönfeld, ZD 2016, 358, 361; Schätzle, PinG 2016, 71, 72–73.
144.
Schantz, NJW 2016, 1841, 1845; Albrecht, CR 2016, 88, 93; Paal, in: Paal/Pauly, DSGVO, Art. 20 (2017), rec. 5; rec. 68 GDPR.
145.
Jaspers, DuD 2012, 571, 573; Härting, BB 2012, 459, 465.
146.
Kamlah, in: Plath, BDSG/DSGVO, Art. 20 (2016), rec. 4.
147.
Rec. 63 GDPR.
148.
Art. 29 Data Protection Working Party, WP 242 (2016), p. 7.
149.
Paal, in: Paal/Pauly, DSGVO, Art. 20 (2017), rec. 17; Schätzle, PinG 2016, 71, 73; Härting, DSGVO (2016), rec. 729.
150.
Art. 29 Data Protection Working Party, WP 242 (2016), p. 8; Jaspers, DuD 2012, 571, 573; Jülicher/Röttgen/v. Schönfeld, ZD 2016, 358, 359; negatively see Kamlah, in: Plath, BDSG/DSGVO, Art. 20 (2016), rec. 6.
151.
Jülicher/Röttgen/v.Schönfeld, ZD 2016, 358, 359.
152.
Jülicher/Röttgen/v.Schönfeld, ZD 2016, 358, 359.
153.
Schild, in: Wolff/Brink, BeckOK, Art. 4 (2016), rec. 34.
154.
Jaspers, DuD 2012, 571, 573.
155.
Art. 29 Data Protection Working Party, WP 242 (2016), pp. 8–9; Gierschmann, ZD 2016, 51, 54; v.d.Bussche/Zeiter, EDPL 2016, 576, 579; Kamlah, in: Plath, BDSG/DSGVO, Art. 20 (2016), rec. 6.
156.
Art. 29 Data Protection Working Party, WP 242 (2016), pp. 7–9.
157.
According to Art. 20 Sec. 3 phrase 2 GDPR and rec. 68 GDPR, the data subject’s right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or for compliance with a legal obligation to which the controller is subject or in the exercise of official authority vested in the controller.
158.
Schantz, NJW 2016, 1841, 1845; Jülicher/Röttgen/v.Schönfeld, ZD 2016, 358, 359.
159.
Art. 29 Data Protection Working Party, WP 242 (2016), pp. 7–8; v.d.Bussche/Zeiter, EDPL 2016, 576, 579; Schantz, NJW 2016, 1841, 1845; negatively Jülicher/Röttgen/v.Schönfeld, ZD 2016, 358, 359.
160.
Art. 29 Data Protection Working Party, WP 242 (2016), p. 8.
161.
Art. 29 Data Protection Working Party, WP 242 (2016), p. 9.
162.
Art. 29 Data Protection Working Party, WP 242 (2016), pp. 9–10.
163.
Art. 29 Data Protection Working Party, WP 242 (2016), p. 10.
164.
Art. 29 Data Protection Working Party, WP 242 (2016), p. 10.
165.
Rec. 63 GDPR.
166.
Rec. 63 GDPR.
167.
Paal, in: Paal/Pauly, DSGVO, Art. 20 (2017), recs. 26–27; Schätzle, PinG 2016, 71, 74; Art. 29 Data Protection Working Party, WP 242 (2016), p. 10.
168.
Bitkom, Position paper (2017), p. 7.
169.
Bitkom, Position paper (2017), pp. 7–8.
170.
Art. 20 Sec. 1 GDPR; rec. 68 GDPR.
171.
Schätzle, PinG 2016, 71, 74.
172.
Art. 29 Data Protection Working Party, WP 242 (2016), p. 13.
173.
Rec. 68 GDPR.
174.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 66.
175.
Kamlah, in: Plath, BDSG/DSGVO, Art. 20 (2016), rec. 8; Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 66.
176.
Art. 29 Data Protection Working Party, WP 242 (2016), p. 5.
177.
Gierschmann, ZD 2016, 51, 54.
178.
Jülicher/Röttgen/v.Schönfeld, ZD 2016, 358, 360.
179.
Jülicher/Röttgen/v.Schönfeld, ZD 2016, 358, 360.
180.
Schantz, NJW 2016, 1841, 1845; Kamlah, in: Plath, BDSG/DSGVO, Art. 20 (2016), rec. 10.
181.
Jülicher/Röttgen/v.Schönfeld, ZD 2016, 358, 360.
182.
Schätzle, PinG 2016, 71, 73; Kamlah, in: Plath, BDSG/DSGVO, Art. 20 (2016), rec. 9.
183.
Schätzle, PinG 2016, 71, 73 who deems at least any contractual exclusion unlawful that excludes the right to data portability beyond the termination of the contract between the data subject and the controller.
184.
See also Kingreen, in: Calliess/Ruffert, EUV/AEUV, Art. 8 EU-GrCharta (2016), rec. 9.
185.
Albrecht/Jotzo, Datenschutzrecht, Individuelle Datenschutzrechte (2017), rec. 19; Kühling/Martini, EuZW 2016, 448, 450; Schantz, NJW 2016, 1841, 1845.
186.
The GDPR does not establish a general right to data portability. Art. 29 Data Protection Working Party, WP 242 (2016), p. 7.
187.
v.d.Bussche/Zeiter, EDPL 2016, 576, 579.
188.
Martini, in: Paal/Pauly, DSGVO, Art. 21 (2017), recs. 1–2; Kamlah, in: Plath, BDSG/DSGVO, Art. 21 (2016), rec. 1.
189.
Kamlah, in: Plath, BDSG/DSGVO, Art. 21 (2016), rec. 5.
190.
Kamlah, in: Plath, BDSG/DSGVO, Art. 21 (2016), rec. 6; Martini, in: Paal/Pauly, DSGVO, Art. 21 (2017), rec. 31.
191.
Martini, in: Paal/Pauly, DSGVO, Art. 21 (2017), rec. 30.
192.
Martini, in: Paal/Pauly, DSGVO, Art. 21 (2017), rec. 30.
193.
Rec. 69 GDPR.
194.
Martini, in: Paal/Pauly, DSGVO, Art. 21 (2017), rec. 39.
195.
Pursuant to Art. 4 No. 4 GDPR, profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
196.
Piltz, K&R 2016, 557, 565; Martini, in: Paal/Pauly, DSGVO, Art. 21 (2017), rec. 40.
197.
Art. 14 subsection 1 lit. b Data Protection Directive.
198.
Martini, in: Paal/Pauly, DSGVO, Art. 21 (2017), rec. 55.
199.
Martini, in: Paal/Pauly, DSGVO, Art. 21 (2017), rec. 54.
200.
Rec. 162 GDPR.
201.
Albrecht/Jotzo, Datenschutzrecht, Allgemeine Bestimmungen (2017), recs. 71–72.
202.
Rec. 162 GDPR.
203.
Laue/Nink/Kremer, Datenschutzrecht, Einführung (2016), rec. 119; Grages, in: Plath, BDSG/DSGVO, Art. 89 (2016), rec. 7.
204.
Art. 21 Sec. 6 GDPR.
205.
Laue/Nink/Kremer, Datenschutzrecht, Rechte der betroffenen Person (2016), rec. 74.
206.
Martini, in: Paal/Pauly, DSGVO, Art. 21 (2017), rec. 33.
207.
Martini, in: Paal/Pauly, DSGVO, Art. 21 (2017), rec. 33.
208.
Gierschmann, ZD 2016, 51, 54.
209.
The prohibition was provided for in § 6a BDSG.
210.
Kamlah, in: Plath, BDSG/DSGVO, Art. 22 (2016), rec. 4.
211.
Albrecht/Jotzo, Datenschutzrecht, Allgemeine Bestimmungen (2017), rec. 61; see also v. Lewinski, in: Wolff/Brink, BeckOK, § 6a (2016), rec. 1.
212.
Martini, in: Paal/Pauly, DSGVO, Art. 22 (2017), rec. 29; see also Gola/Klug/Körffer, in: Gola/Schomerus, BDSG, § 6a (2015), rec. 1; Scholz, in: Simitis, BDSG, § 6a (2014), rec. 1; v. Lewinski, in: Wolff/Brink, BeckOK, § 6a (2016), recs. 1, 1.1; negatively see Laue/Nink/Kremer, Datenschutzrecht, Zulässigkeit der Verarbeitung (2016), recs. 71–72; Kamlah, in: Plath, BDSG/DSGVO, Art. 22 (2016), rec. 4.
213.
Rec. 71 GDPR.
214.
Rec. 71 GDPR.
215.
See also v. Lewinski, in: Wolff/Brink, BeckOK, § 6a (2016), rec. 15; Scholz, in: Simitis, BDSG, § 6a (2014), recs. 14–16.
216.
Martini, in: Paal/Pauly, DSGVO, Art. 22 (2017), recs. 17–19; see also Kamlah, in: Plath, BDSG/DSGVO, § 6a (2016), rec. 12; Scholz, in: Simitis, BDSG, § 6a (2014), recs. 14–16; v. Lewinski, in: Wolff/Brink, BeckOK, § 6a (2016), rec. 17; negatively see Laue/Nink/Kremer, Datenschutzrecht, Zulässigkeit der Verarbeitung (2016), rec. 75.
217.
See also Scholz, in: Simitis, BDSG, § 6a (2014), recs. 14–15.
218.
See also Kamlah, in: Plath, BDSG/DSGVO, § 6a (2016), rec. 13; v. Lewinski, in: Wolff/Brink, BeckOK, §6a (2016), recs. 16, 17; Scholz, in: Simitis, BDSG, § 6a (2014), rec. 16.
219.
See also v. Lewinski, in: Wolff/Brink, BeckOK, § 6a (2016), rec. 18.
220.
Art. 4 No. 4 GDPR.
221.
Martini, in: Paal/Pauly, DSGVO, Art. 22 (2017), rec. 21.
222.
Rec. 71 GDPR; Laue/Nink/Kremer, Datenschutzrecht, Zulässigkeit der Verarbeitung (2016), recs. 73–74; Martini, in: Paal/Pauly, DSGVO, Art. 22 (2017), recs. 21–23.
223.
See also v. Lewinski, in: Wolff/Brink, BeckOK, § 6a (2016), recs. 24–25; Gola/Klug/Körffer, in: Gola/Schomerus, BDSG, § 6a (2015), rec. 11.
224.
See also Gola/Klug/Körffer, in: Gola/Schomerus, BDSG, § 6a (2015), rec. 11; v. Lewinski, in: Wolff/Brink, BeckOK, § 6a (2016), rec. 26.
225.
See also Scholz, in: Simitis, BDSG, § 6a (2014), rec. 28; v. Lewinski, in: Wolff/Brink, BeckOK, § 6a (2016), rec. 33.
226.
See also v. Lewinski, in: Wolff/Brink, BeckOK, § 6a (2016), recs. 32, 34; Scholz, in: Simitis, BDSG, § 6a (2014), rec. 28.
227.
Martini, in: Paal/Pauly, DSGVO, Art. 22 (2017), rec. 23.
228.
Martini, in: Paal/Pauly, DSGVO, Art. 22 (2017), rec. 23; see also v. Lewinski, in: Wolff/Brink, BeckOK, § 6a (2016), rec. 37.
229.
Art. 22 Sec. 2 lits. a–c GDPR.
230.
Martini, in: Paal/Pauly, DSGVO, Art. 22 (2017), rec. 31.
231.
See also Simitis, in: Simitis, BDSG, § 28 (2014), rec. 61; Scholz, in: Simitis, BDSG, § 6a (2014), rec. 31.
232.
Kamlah, in: Plath, BDSG/DSGVO, Art. 22 (2016), rec. 9; Martini, in: Paal/Pauly, DSGVO, Art. 22 (2017), rec. 33.
233.
Rec. 71 GDPR.
234.
Art. 22 Sec. 3 GDPR; rec. 71 GDPR.
235.
Martini, in: Paal/Pauly, DSGVO, Art. 22 (2017), rec. 39.
236.
Rec. 71 GDPR.
237.
Grages, in: Plath, BDSG/DSGVO, Art. 23 (2016), rec. 3; Paal, in: Paal/Pauly, DSGVO, Art. 23 (2017), rec. 1.
238.
Grages, in: Plath, BDSG/DSGVO, Art. 23 (2016), rec. 6.

References

Albrecht JP (2016) Das neue EU-Datenschutzrecht - von der Richtlinie zur Verordnung, CR, pp 88–98
Google Scholar
Albrecht JP, Jotzo F (eds) (2017) Allgemeine Bestimmungen, Rechtmäßigkeit der Datenverarbeitung; Individuelle Datenschutzrechte, Einschränkungen der Rechte. In: Das neue Datenschutzrecht der EU. 1st edn. Nomos, Baden-Baden
Google Scholar
Art. 29 Data Protection Working Party (2016) Guidelines on the right to data portability, WP 242
Google Scholar
Bitkom (2017) Position paper - Stellungnahme zu den Auslegungsrichtlinien der Art.29-Datenschutzgruppe zum Recht auf Datenportabilität (paper in english language). https://www.bitkom.org/Bitkom/Publikationen/Bitkom-Stellungnahme-zur-Datenportabilitaet.html. Accessed 22 Mar 2017
Brink S (2016) § 35 BDSG. In: Wolff HA, Brink S (eds) Beck’scher Online-Kommentar Datenschutzrecht, 18th edn. C.H.Beck, Munich
Google Scholar
Gierschmann S (2016) Was ‘bringt’ deutschen Unternehmen die DS-GVO? - Mehr Pflichten, aber die Rechtsunsicherheit bleibt, ZD, pp 51–55
Google Scholar
Gola P, Klug C, Körffer B (2015) § 6a BDSG. In: Gola P, Schomerus R (eds) Bundesdatenschutzgesetz Kommentar, 12th edn. C.H.Beck, Munich
Google Scholar
Grages J-M (2016) Arts. 23, 89 DSGVO. In: Plath K-U (ed) BDSG/DSGVO, 2nd edn. Verlag Dr. Otto Schmidt, Cologne
Google Scholar
Härting N (2012) Starke Behörden, schwaches Recht – Der neue EU-Datenschutzentwurf, BB, pp 459–466
Google Scholar
Härting N (ed) (2016) Datenschutz-Grundverordnung, 1st edn. Dr. Otto Schmidt Verlag, Cologne
Google Scholar
Holznagel B, Hartmann S (2016) Das ‘Recht auf Vergessenwerden’ als Reaktion auf ein grenzenloses Internet, MMR, pp 228–232
Google Scholar
Hunton & Williams (2015) The proposed EU general data protection regulation. https://www.huntonregulationtracker.com/files/Uploads/Documents/EU%20Data%20Protection%20Reg%20Tracker/Hunton_Guide_to_the_EU_General_Data_Protection_Regulation.pdf. Accessed 19 Dec 2016
Jaspers A (2012) Die EU-Datenschutzgrundverordnung, DuD, pp 571–575
Google Scholar
Jülicher T, Röttgen C, von Schönfeld M (2016) Das Recht auf Datenübertragbarkeit, ZD, pp 358–362
Google Scholar
Kamlah W (2016) Arts. 12, 16, 17, 18, 19, 20, 21, 22 DSGVO; § 6a BDSG. In: Plath K-U (ed) BDSG/DSGVO, 2nd edn. Verlag Dr. Otto Schmidt, Cologne
Google Scholar
Kingreen T (2016) Art. 8 EU-GrCharta. In: Calliess C, Ruffert M (eds) EUV/AEUV, 5th edn. C.H.Beck, Munich
Google Scholar
Krüger P-L (2016) Datensouveränität und Digitalisierung, ZRP, pp 190–192
Google Scholar
Kühling J, Martini M (2016) Die Datenschutz-Grundverordnung: Revolution oder Evolution im europäischen und deutschen Datenschutzrecht?, EuZW, pp 448–454
Google Scholar
Laue P, Nink J, Kremer S (eds) (2016) Einführung; Informationspflichten; Rechte der betroffenen Personen; Zulässigkeit der Verarbeitung. In: Das neue Datenschutzrecht in der betrieblichen Praxis, 1st edn. Nomos, Baden-Baden
Google Scholar
Leutheusser-Schnarrenberger S (2015) Das Recht auf Vergessenwerden – ein Durchbruch oder ein digitales Unding?, ZD, pp 149–150
Google Scholar
Mallmann O (2014) § 20 BDSG. In: Simitis S (ed) Bundesdatenschutzgesetz, 8th edn. Nomos, Baden-Baden
Google Scholar
Martini M (2017) Arts. 21, 22 DSGVO. In: Paal BP, Pauly DA (eds) Beck’sche Kompaktkommentare Datenschutz-Grundverordnung, 1st edn. C.H.Beck, Munich
Google Scholar
Paal BP (2017) Arts. 12, 13, 15, 16, 17, 18, 19, 20, 23 DSGVO. In: Paal BP, Pauly DA (eds) Beck’sche Kompaktkommentare Datenschutz-Grundverordnung, 1st edn. C.H.Beck, Munich
Google Scholar
Piltz C (2016) Die Datenschutz-Grundverordnung, K&R, pp 557–567
Google Scholar
Quaas S (2016) Art. 12 DSGVO. In: Wolff HA, Brink S (eds) Beck’scher Online-Kommentar Datenschutzrecht, 18th edn. C.H.Beck, Munich
Google Scholar
Schantz P (2016) Die Datenschutz-Grundverordnung – Beginn einer neuen Zeitrechnung im Datenschutzrecht, NJW, pp 1841–1847
Google Scholar
Schätzle D (2016) Ein Recht auf Fahrzeugdaten, PinG 2016, pp 71–75
Google Scholar
Schild HH (2016) Art. 4 DSGVO. In: Wolff HA, Brink S (eds) Beck’scher Online-Kommentar Datenschutzrecht, 18th edn. C.H.Beck, Munich
Google Scholar
Scholz P (2014) § 6a BDSG. In: Simitis S (ed) Bundesdatenschutzgesetz, 8th edn. Nomos, Baden-Baden
Google Scholar
Simitis S (2014) § 28 BDSG. In: Simitis S (ed) Bundesdatenschutzgesetz, 8th edn. Nomos, Baden-Baden
Google Scholar
von dem Bussche AF, Zeiter A (2016) Practitioner’s corner – implementing the EU general data protection regulation: a business perspective. EDPL (4):576–581
Google Scholar
von dem Bussche AF, Zeiter A, Brombach T (2016) Die Umsetzung der Vorgaben der EU-Datenschutz-Grundverordnung durch Unternehmen, DB, pp 1359–1365
Google Scholar
von Lewinski K (2016) § 6a BDSG. In: Wolff HA, Brink S (eds) Beck’scher Online-Kommentar Datenschutzrecht, 18th edn. C.H.Beck, Munich
Google Scholar
Walter S (2016) Die datenschutzrechtlichen Transparenzpflichten nach der EU-DSGVO, DSRITB, pp 367–386
Google Scholar
Worms C (2016) Arts. 16, 17, 18, 19 DSGVO. In: Wolff HA, Brink S (eds) Beck’scher Online-Kommentar Datenschutzrecht, 18th edn. C.H.Beck, Munich
Google Scholar
Wybitul T (2016) EU-Datenschutz-Grundverordnung in der Praxis - Was ändert sich durch das neue Datenschutzrecht?, BB, pp 1077–1081
Google Scholar
Wybitul T, Rauer N (2012) EU-Datenschutz-Grundverordnung und Beschäftigtendatenschutz, ZD, pp 160–164
Google Scholar
Zikesch P, Kramer R (2015) Die DS-GVO und das Berufsrecht der Rechtsanwälte, Steuerberater und Wirtschaftsprüfer, ZD, pp 565–570
Google Scholar

Download references

Author information

Authors and Affiliations

Taylor Wessing, Berlin, Germany
Paul Voigt
Taylor Wessing, Hamburg, Germany
Axel von dem Bussche

Authors

Paul Voigt
View author publications
You can also search for this author in PubMed Google Scholar
Axel von dem Bussche
View author publications
You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Voigt, P., von dem Bussche, A. (2017). Rights of Data Subjects. In: The EU General Data Protection Regulation (GDPR). Springer, Cham. https://doi.org/10.1007/978-3-319-57959-7_5

Download citation

DOI: https://doi.org/10.1007/978-3-319-57959-7_5
Published: 10 August 2017
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-57958-0
Online ISBN: 978-3-319-57959-7
eBook Packages: Law and CriminologyLaw and Criminology (R0)

Publish with us

Policies and ethics