PONT Data&Privacy

The General Data Protection Regulation (AVG) enables data subjects to maintain control over their own personal data. With the passage of the Privacy Act, data subjects, from customers and employees to patients and clients, have gained more and expanded rights. Organizations are increasingly receiving requests from data subjects who invoke their privacy rights. Complying with these requests is an important part of a responsible privacy policy, which in turn contributes to trust in organizations.

AVG rights of data subjects

The AVG defines rights for data subjects. The data subject is the person whose personal data are processed. (1) The data subject's rights are:

  • Right of access (Art. 15 AVG): the right to receive, among other things, a copy of the personal data processed;

  • Right to erasure (Art. 17 AVG): the right to be "forgotten," that is, to have personal data erased;

  • Right to rectification (Art. 16 AVG): the right to have personal data changed;

  • Right to data portability (Art. 20 AVG): the right to have personal data transferred to another party;

  • Right to restrict processing (Art. 18 AVG): the right to have less data processed;

  • Right not to be subjected to automated individual decision-making and profiling (Art. 22 AVG): in other words, the right to a human eye in decisions;

  • Right to object to data processing (Art. 21 AVG);

  • Right to information (Art. 13 and 14 AVG): the right to clear information about what an organization will do with personal data and why. It must be made clear which personal data is being processed, for what purpose, and whether data is shared with or sold on to other organizations, and if so to which organizations exactly. (2)

Identification of data subjects

Data subjects have rights only with respect to their own personal data. Therefore, when someone makes a request, it is important for organizations to establish the identity of the data subject. For this purpose, organizations may almost never request a full copy of an identity document. In many cases, less far-reaching measures exist to establish a person's identity.

The identification method must be appropriate to the privacy sensitivity of the request. For example, in the case of access to a medical file, identification will weigh more heavily than when someone wants to view his or her data in a web shop. In the latter case, requesting the customer number, for example, in combination with name and address will suffice. (3)

Heeding the rights of data subjects

The controller is responsible for fulfilling a data subject's request and must respond to a request within one month, even if the request is not acted upon. Organizations must therefore ensure that they design their systems, processes and internal organizations to accommodate these rights. It should be clear who is internally responsible for fulfilling a request, where the personal data is stored and how the various requests should be handled.

Footnotes

(1) Art. 4 (1) AVG.

(2) https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/algemene-informatie-avg/rechten-van-betrokkenen#wat-houdt-het-recht-op-informatie-in-7409
(3) https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/identificatie/identiteitsbewijs#welke-informatie-moet-ik-als-organisatie-geven-als-ik-een-kopie-van-een-identiteitsbewijs-vraag-6860