The General Data Protection Regulation not only lays down obligations for data processing companies, but also addresses persons affected by data processing directly and grants them extensive rights. When it comes to the right to information, there are important points to consider for companies. In this blog article and the accompanying video you will find out what you have to consider when it comes to the right to information under Art. 15 GDPR.
In this video we answer the FAQs on the right to information according to Art. 15 GDPR from our everyday consulting work. At the end of the video, you will know everything you need to know about the content, restrictions, deadlines, forms and standards for information.
Basic right to information
The most important data subject rights are set out in the third chapter of the GDPR in Articles 12 to 23. Among these rights, the right to information according to Art. 15 GDPR once again occupies a prominent position.
The right to information is the fundamental right of a data subject vis-à-vis a data processing company and essential for the protection of the right to informational self-determination. Only if a data subject knows what data the company is using is the person in a position to assess the legality of the data processing. In addition, without this knowledge it would not be possible for a data subject to be informed about the exercise of other rights, such as to decide on the right to delete data.
Content of the information
The content of a proper response to a request for information is determined in Art. 15 GDPR. It is essential that the data subject is given all information that enables them to assess the legality of the data processing. Therefore, information is to be given here in particular about which data is used by the company for which purposes.
On closer inspection of Art. 15 GDPR, it becomes apparent that the right to information is to be understood very broadly. Answering the right answer for a company can take some effort. Does the company use e.g. Personal data of the data subjects not only internally, but also passes them on to other bodies, according to Art. 15 para. 1 lit. c GDPR information obligation.
Options for restriction
Do all personal information really have to be listed and released? Basically yes. From the point of view of the GDPR, there is no insignificant personal data, no information that is so unimportant that it does not have to be communicated to the data subject.
Nevertheless, there are ways to limit the scope of the information provided. One way of doing this is to ask the person making the request to specify the request. Recital 63 of the General Data Protection Regulation expressly states that a restriction can be made, especially if the controller processes a large amount of personal data.
Another important aspect of the scope of the right to information is the provision of Art. 15 Para. 4 GDPR. This stipulates that the rights and freedoms of other people, at least when a copy of the processed data is released, must not be impaired by the information released. The consequence of this is that the claim is limited to the extent that no data may be released that concern third parties or with regard to which third parties have a legitimate interest in confidentiality.
Deadline for providing information
When fulfilling a right to information, in particular if extensive research on the origin and disclosure of the data should be necessary, it must not be lost sight of the fact that a legal period has been set for companies to answer the request for information. Art. 12 (3) sentence 1 GDPR stipulates that the right to information must also be fulfilled within one month.
Form of information
In addition to the deadline for answering, Art. 12 GDPR sets out further requirements for the form of an answer.
You must pay particular attention to the fact that you provide information about the processed data transparently and in an easily understandable form and language. Therefore, the transmission of information by a company must also be structured and appropriately prepared; a mere listing of the data is just not sufficient.
In order to meet these high legal requirements, the establishment of a standardized process flow for answering the right to information is essential in every company. This is the only way to ensure that all employees are aware of the explosive nature of this topic and that the answer is structured and, above all, complete.
Are you also interested in the topic of entitlement to information in the employment relationship? Also read our blog article about it.
As an external data protection officer or data protection advisor, our interdisciplinary team of specialists is available to answer any questions you may have about the right to information. Do you need support in the area of data protection or information security? Simply contact us using our inquiry form. Alternatively, just write us an email to email@example.com or call us on +49 (0) 851 / 91927-0.
Nadja-Maria Becke leitet unser Inhouse-Juristen-Team. Sie studierte an der Universität Passau Rechtswissenschaften mit anschließendem Referendariat sowie erstem und zweitem Staatsexamen. Ihr Spezialgebiet ist Datenschutzrecht. Ihr fundiertes Wissen hält sie jederzeit aktuell. Für unsere Kunden und unser Team hat sie so immer einen Rat für eine passgenaue Lösung parat.
This post is also available in: German