When it was introduced, the General Data Protection Regulation triggered a lot of resentment and uncertainty - but more so among companies. For consumers, it's a wild card to play.
Mainz (dpa / tmn) - Two years ago, clubs were suddenly unsure whether they could still print the birthdays of their members in the Vereinsblatt. And educators blackened the faces of children in daycare photos.
The European General Data Protection Regulation (GDPR) has been in force since May 2018. Back then, hardly anyone really knew what the GDPR actually means in detail.
Benjamin Bergemann is a board member of the Digital Society. "The regulation gives consumers more rights," he explains. You can find out more precisely what data a company or a public organization has about them, you can also have them deleted or object to their processing. In addition, he emphasizes, companies are forced to handle the information more sensitively.
The GDPR regulates in which cases personal data may be collected and used at all - and that it must be stored securely. "This is all information that belongs to the natural person," explains Julia Gerhards from the Rhineland-Palatinate Consumer Center. "So general information such as name, address or date of birth." But also personal preferences and special knowledge, for example an IP address.
The core of the General Data Protection Regulation
The core of the GDPR is that companies and organizations, including authorities, associations or a day care center, are not allowed to collect and process personal data without justification. "But that doesn't mean that you always have to give your express consent," says Gerhards. The data collection can also be justified otherwise.
"An online shop, for example, needs some information in order to be able to make the purchase at all. When ordering, for example, the consumer specifies his address. He knows that this will be charged and implicitly gives his consent," explains Bergemann. On the other hand, active consent is required if the data is to be used differently later.
The GDPR also gives users the right to be forgotten. Companies have to delete data on request. This is particularly useful if you no longer use a service or shop. "However, a company has to keep some information by law for a certain time, such as invoices," says Gerhards.
The rules do not only apply to companies
But private individuals also have to handle data with care. If you want to put a photo of the private birthday party online, you actually need the consent of the people in the photo. "With a group selfie that is made especially for Instagram, the consent is clear," explains Gerhards. "But if there is no explicit reference to the publication, you cannot use it." Especially when children are pictured, it is better to ask again.
Even those who operate a website privately have to deal with the GDPR. As soon as it collects any data, for example the IP address of the visitors, a data protection declaration is required on the page, says Bergemann. So far, the maximum judge has not yet clarified when consent is required for cookies. Most recently, the Federal Court of Justice (BGH) negotiated here.
Right to information for consumers
The right to information is an important part of the GDPR. Consumers have the right to learn from companies and organizations what data they have stored about them and for what. According to the law (Art. 15 GDPR) there must be a response within one month. There will only be a delay of a maximum of three months in exceptional cases.
In principle, everything must be disclosed free of charge - in a simple, understandable form: what is stored, for how long and where the data comes from. The request can be made informally and without justification. The consumer advice centers also provide sample letters. Incorrect information must also be corrected when the consumer requests it. If problems arise, consumers can contact their state's data protection officer.
Interactive sample letter for GDPR requests
Right to information in the GDPR