Who is taking away your data protection rights?

Your data, your rights: the General Data Protection Regulation (GDPR)

A new addition is the right to a copy of the data. You can request specific information about which of your personal data the responsible company processes (e.g. surname, first name, address, date of birth, occupation, medical findings) and receive this data from the company in the form of a copy.

In principle, the information must be provided free of charge. The company must also provide the first copy of the data free of charge. You can assert your right to information against the company informally and without justification.

Here you can create and download our sample letter on the right to information and a copy of your data yourself.

Right to erasure / right to be forgotten

Companies have to delete data under certain conditions. This is the case, for example, if the data is processed unlawfully or is no longer required for the original purpose for which the data was collected. Even if you revoke your consent (sample letter) or object to data processing, the data must be deleted.

The GDPR also strengthens the protection of children. Children are usually unable to assess the dangers associated with data processing. You can therefore request the deletion of data that was collected when you were a child, even later as a young person or as an adult.

The right to be forgotten is also strengthened. Companies not only have to delete the data or links to it on their own website, they also have to take additional measures. As far as possible, they must inform third parties who are also processing the personal data that a consumer has requested the deletion of the data or links.

However, the right to erasure / right to be forgotten can be restricted, for example, by the right to freedom of expression and information.

You can use the following sample letters to delete your data:

Right to object

You can object to data processing at any time and free of charge. If the data is used for direct marketing and the associated profiling, it may then no longer be used for that purpose. In this case, the objection does not have to be justified. You can also object to the use of data by advertisers and request that your data be blocked. Blocking then makes more sense than deleting the data, since advertisers could otherwise simply collect the data again, for example through address dealers. There is also a sample letter for this.

If the processing is used for purposes other than direct marketing, you must provide a plausible reason for the objection. You can also use our sample letter for this. Whether the company is still allowed to process the data depends on the individual case, e.g. if the processing serves to assert, exercise or defend legal claims.

Right to rectification

You can request that incorrect data about you be corrected immediately. Use our sample letter for this. You also have the right to have your incomplete data completed.

Right to restriction of processing (blocking of data)

Under certain conditions, you can also request that your data no longer be processed. The data is not deleted, but the data processor has to block the data and cannot continue to use it as usual. This applies, for example, to cases in which there is a dispute about the correctness of the data, or if you have objected to the data processing but it is still unclear whether the company's compelling legitimate reasons for further processing prevail. In practice, companies are also often subject to retention requirements. In that case the data will not be deleted, but it will at least be blocked for further use.

Right to data portability

The new right to data portability makes it easier for you to switch to a new provider. Whether you move to another social network, another messenger, another e-mail provider or another music streaming service, in the future your friends, contacts or playlists should be able to move easily with you. To do this, you can ask your provider to hand over the data that you have provided yourself. This includes data that you have provided on the basis of consent or of a contract. You can also request that the data be transmitted directly to the new provider in a structured, common and machine-readable format, if this is technically feasible.

Because this right is completely new, practice has yet to show how it works. However, providers must inform their users about their right to data portability.