Zum Inhalt
Smartphone in der Hand, Straße in Abendstimmung im unscharfen Hintergrund
Do you know your rights under the GDPR? Image: ImYanis / Shutterstock

Rights and obligations in the GDPR - an overview

The EU's General Data Protection Regulation (GDPR) has been in force since 25 May 2018. Here we provide a brief and summarised overview of your most important rights:

Defintion of personal data

Personal data falls within the scope of the General Data Protection Regulation:

  • These always refer to an identified or identifiable living person
  • Can be partial information from the sum of which a person can be determined
  • Can be anonymised, encrypted or pseudonymised data that enables re-identification

Examples: Surname and first name; a private address; an e-mail address such as firstname.lastname@company.com an ID number; location data (e.g. location of the smartphone); an IP address; a cookie identifier; advertising identifier on the smartphone; patient data in the hospital or on a doctor's computer...

On the other hand, data that has been irreversibly (!) anonymised in such a way that the data subject can no longer be identified is not considered personal data

Light blue pictogram with three people next to each other, the last one marked with a ticked checkbox

GDPR: Identified person

Right to be informed

Anyone who stores personal data is obliged to inform the data subjects about this. It is irrelevant whether they collect it themselves or receive it from third parties or pass it on to them. They must be informed who collects which data, where, how, when and why, and how long it is stored.

Light blue pictogram showing two large hands protecting the letter "i" in the middle

GDPR: Right to be informed

Right to get information

EU citizens are entitled to information about what is stored about them. If you have proven your identity, you must be provided with the following information free of charge and in writing within one month of submitting your application:

  • Name of the company / organisation collecting the data
  • Purpose of collecting / processing the dataCategories of data being processed
  • Legal basis for collecting the data
  • Duration of storage
  • Whether data has been passed on to third parties
  • Whether data has been transferred outside the EU
  • Information about your data protection rights

Details on the obligation to provide information and any exceptions can be found on the ARGE Daten information page (German language), along with a sample letter.

Light blue pictogram showing two large hands protection a person with a speach bubble

GDPR: Right to get information


The ‘right to be forgotten’ was already decided in 2014 in an EU lawsuit against Google. In general, data collectors have been obliged to delete data since 2018, either

  • automatically, as soon as the purpose of data collection no longer applies orimmediately 
  • or if the data subject withdraws their consent to data storage.

You can submit your request for deletion of personal data using the following form from the Austrian Data Protection Authority (German language form):

Light blue pictogram with two large hands protecting the text in the centre, which is being erased by an eraser.

GDPR: Right to erasure


If the data collected about you is incorrect or incomplete, you have the right to have it corrected or supplemented if you so wish. For example, it may make sense to supplement your data if an incomplete data record repeatedly leads to problems, for example when delivering mail or when travelling if a name has changed.

Light blue pictogram with two large hands protecting the crossed-out date ‘30.03.1985’ with the date ‘03.03.1985’ handwritten above it in the centre

GDPR: Right to rectification


You can object to the processing of your personal data for marketing purposes or for other reasons arising from your particular situation. This is also the reason why websites must ask you for your consent to set cookies that are not technically necessary.

Light blue pictogram with three people next to each other, holding protest signs, surrounded by two hands protecting them

GDPR: Right to object

Limitation of processing

You can ask data-collecting organisations or companies to restrict this activity. This can make sense if you are not sure whether entries collected about you are correct or if you suspect that the processing is unlawful. The main benefit of this right, however, is that some data collectors cannot carry out a complete deletion because the data is required by public authorities (e.g. for tax or criminal law reasons). If erasure is refused for this reason, your next logical request is a restriction.

Light blue pictogram with two large hands protecting a crossed-out file folder in the centre

GDPR: Right to restriction of processing

Right to data transfer

At your request, one company must transfer the data stored about you to another. This is very practical when changing service providers, such as telephone providers, insurance companies or online shops.

Light blue pictogram with two people next to each other, in between a disc and an arrow pointing to the right surrounded by two large protective hands

GDPR: Right to transfer


Share this post

Facebook Twitter Drucken E-Mail

This could also be of interest:

Online gambling in Austria

Online gambling in Austria

Many affected gamblers do not even know that they can reclaim gambling debts they have incurred at foreign casinos or online casinos. These foreign companies do not have a licence in Austria. Our article explains the background and possibilities.

Parship loses lawsuit over excessive subscription revocation

Parship loses lawsuit over excessive subscription revocation

Those who want to find new life partners through Parship could be confronted with high costs as soon as they change their mind and only use the service for a short time. European Court of Justice declares offsetting practice invalid.

European Order for Payment Procedure

European Order for Payment Procedure

The European order for payment procedure simplifies the process of litigation in cross-border cases for consumers. It was established on 12.12.2008 in all EU Member States, except for Denmark.

AK lawsuit against payment service Klarna

AK lawsuit against payment service Klarna

The Chamber of Labour registers countless complaints about the payment service Klarna and is now suing this Swedish bank, which grew strongly during the Corona pandemic. Klarna handles online transactions for purchases in online shops and enables payment on account. The ECC also has daily complaint calls about Klarna and is eagerly awaiting the verdict.

Zum Seitenanfang