Rights and obligations in the GDPR - an overview

Personal data falls within the scope of the General Data Protection Regulation:

• These always refer to an identified or identifiable living person
• Can be partial information from the sum of which a person can be determined
• Can be anonymised, encrypted or pseudonymised data that enables re-identification

Examples: Surname and first name; a private address; an e-mail address such as firstname.lastname@company.com an ID number; location data (e.g. location of the smartphone); an IP address; a cookie identifier; advertising identifier on the smartphone; patient data in the hospital or on a doctor's computer...

On the other hand, data that has been irreversibly (!) anonymised in such a way that the data subject can no longer be identified is not considered personal data

Anyone who stores personal data is obliged to inform the data subjects about this. It is irrelevant whether they collect it themselves or receive it from third parties or pass it on to them. They must be informed who collects which data, where, how, when and why, and how long it is stored.

EU citizens are entitled to information about what is stored about them. If you have proven your identity, you must be provided with the following information free of charge and in writing within one month of submitting your application:

• Name of the company / organisation collecting the data
• Purpose of collecting / processing the dataCategories of data being processed
• Legal basis for collecting the data
• Duration of storage
• Whether data has been passed on to third parties
• Whether data has been transferred outside the EU
• Information about your data protection rights

Details on the obligation to provide information and any exceptions can be found on the ARGE Daten information page (German language), along with a sample letter.

The ‘right to be forgotten’ was already decided in 2014 in an EU lawsuit against Google. In general, data collectors have been obliged to delete data since 2018, either

• automatically, as soon as the purpose of data collection no longer applies orimmediately 
• or if the data subject withdraws their consent to data storage.

You can submit your request for deletion of personal data using the following form from the Austrian Data Protection Authority (German language form):

If the data collected about you is incorrect or incomplete, you have the right to have it corrected or supplemented if you so wish. For example, it may make sense to supplement your data if an incomplete data record repeatedly leads to problems, for example when delivering mail or when travelling if a name has changed.

You can object to the processing of your personal data for marketing purposes or for other reasons arising from your particular situation. This is also the reason why websites must ask you for your consent to set cookies that are not technically necessary.

You can ask data-collecting organisations or companies to restrict this activity. This can make sense if you are not sure whether entries collected about you are correct or if you suspect that the processing is unlawful. The main benefit of this right, however, is that some data collectors cannot carry out a complete deletion because the data is required by public authorities (e.g. for tax or criminal law reasons). If erasure is refused for this reason, your next logical request is a restriction.

At your request, one company must transfer the data stored about you to another. This is very practical when changing service providers, such as telephone providers, insurance companies or online shops.