The General Data Protection Regulation (AVG) is at the heart of citizens' digital rights in a society increasingly shaped by data. Data subjects - whether customers, employees, patients or users of digital services - have more control over their personal data thanks to the AVG. That control is more relevant than ever now that organizations are fully engaged in data-driven decision-making, artificial intelligence and profiling.
The AVG grants data subjects a set of fundamental rights. These rights allow individuals to maintain control over how their personal data is collected, used and shared:
Right of inspection (Art. 15 AVG): the right to learn whether and which personal data are being processed, and to receive a copy of them.
Right to rectification (Art. 16 AVG): the right to have incorrect or incomplete data corrected.
Right to erasure, the "right to be forgotten" (Art. 17 AVG): the right to have personal data deleted, for example when they are no longer needed for the purpose for which they were collected.
Right to restriction of processing (Art. 18 AVG): the right to have processing (temporarily) limited, for example while an objection or a correction request is pending.
Right to data portability (Art. 20 AVG): the right to receive personal data in a structured, commonly used format, or to have them transferred to another party.
Right to object (Art. 21 AVG): the right to object to the processing of personal data, for example for marketing purposes or profiling.
Right not to be subject to automated decision-making (Art. 22 AVG): the right to human judgment in decisions with significant consequences, such as credit decisions or job application procedures.
Right to information (Art. 13 and 14 AVG): the right to clear and understandable information about the processing of personal data, including the purposes, the legal bases and any transfers to third parties.
Because these rights apply only to one's own personal data, organizations must carefully establish that a request actually comes from the data subject. The identification process must be proportionate: it must not request more data than is necessary to verify identity. In many cases, verification against existing customer data, login credentials or a limited form of identification is sufficient. Only for sensitive data - such as medical records - may a stronger form of identification be required.
Timely and careful handling of data subject requests is an essential part of a transparent and reliable privacy policy. The data controller must respond to a request within one month, even when the request is rejected. This requires well-established processes:
A clear point of contact within the organization.
Understanding where personal data resides within systems.
Procedures for recording, reviewing and handling requests.
By taking these rights seriously and designing processes accordingly, organizations demonstrate that they are taking responsibility for data handling at a time when digital autonomy and trust are under pressure.
AP supports European push to reduce regulatory burden, but not at the expense of citizens (news press release)
EU promised to improve AVG cooperation - and only made things worse (blog)
EDPS strengthens enforcement of privacy rights: focus on right to be forgotten (news press release)
Working toward a privacy-conscious municipal organization (news press release)
Fine of 525,000 euros for Locatefamily.com (news press release)
In conversation with Anke van de Laar: "It would already make a big difference if inspection requests were exempted from the Penalty for Late Decisions Act." (career)
BKR forfeits fine of EUR 830,000 for violation of inspection rights (article)
Data subjects' right of inspection: Personal Data Authority collects penalty payment from Theodoor Gilissen Bankiers after refusing inspection request (article)