The General Data Protection Regulation (GDPR) attracted media attention in 2018, creating a great deal of uncertainty. Legal expert Manuel Münchhausen is Head of Data Protection and Compliance at TÜV TRUST IT GmbH, TÜV AUSTRIA Group and also serves TÜV AUSTRIA as Group Data Protection Officer. In this interview, he focuses specifically on Article 15 of the GDPR and explains what the “data subject’s right to information” is all about.
“The data subject’s right to information” sounds very legalistic at first glance. What does Art. 15 GDPR actually say?
For responsible companies, the right to information means above all being aware of which data files they process and for what purpose, and also being willing and able to communicate the whole thing fully on demand. Every data subject has a right to make this request – at any time and from any company, without the need for a specific reason. An informal request is sufficient, and the relevant information will be provided within 30 days. That is the right to information.
Which information can the data subject ask for exactly?
First of all, all the information that the company has stored about the person and a range of accompanying information that is listed quite explicitly in Article 15. This includes, among other things, the individual categories such as contact data, bank details, etc., but also the purpose of the data processing, where the data came from and to whom it was forwarded, if applicable, and how long the data is stored. Many companies quickly ask themselves: What data do we actually have?
So data from a central data collection system in the company is not sufficient?
No, this is not only about data that has been well organised in a central system, but also, for example, about internal e-mails and file storage on various computers. Or information that is stored in paper form in any number of folders. If the person concerned happens to be an employee of the responsible company, he or she naturally has insider knowledge, knows the processes and internal communication and can ask very specific questions. But external enquiries must of course also be dealt with conscientiously.
With such a wealth of data and storage locations, what about the issue of security? Are there obligatory protective measures for companies and do data subjects also have the right to obtain information about them?
Data security is of course an issue, but it is not included in the right to information itself. A data subject therefore does not have the right to receive information on how his or her data is specifically secured. There are also no binding requirements for this, as long as the protective measures taken are appropriate. What counts as appropriate depends on the data being processed. A data protection management system (DMS) can help to define clean processes in order to determine appropriate measures and implement them sustainably. The use of a DMS is not obligatory, however. Many companies are, on the other hand, obliged to appoint a data protection officer (DPO) who is responsible for ensuring data protection in the company. This can be an internal employee or an external one. The provision of an external DPO is one of the services offered by TÜV TRUST IT.
Which tasks does this person then take on in the company?
The DPO advises those responsible, for example the management, and monitors compliance with the regulations. Although the DPO himself is not responsible for the implementation, he must have the appropriate expertise and a certain social and communicative competence in order to be heard at all. After all, the content must get through to the target group, and it is usually a matter of finding reasonable compromises that comply with the specifications and that those responsible can live with. This is not so easy and takes time. Of course, the actual work of the employee must not be neglected. Therefore, an experienced external DPO who takes over exactly these tasks is often a good solution.
How can TÜV TRUST IT support companies with regard to the right to information?
We increase companies’ awareness of what the right to information means for them. For example, that an employee’s request does not only cover data that is in the HR file. Such requests are sometimes left unanswered because companies have 30 days to respond and it is often unclear at first what exactly needs to be done. That is why we are happy to help with the next steps: What needs to be done? Where could data be located? How can this data be exported? Afterwards, we support the follow-up to an enquiry and look at where there were problems, what can be done better and how the effort could be reduced for future enquiries. In doing so, we specifically address the needs of the respective company; there is no one-size-fits-all solution here. If required, we are happy to receive a non-binding enquiry and discuss the further procedure individually with each client.
Thank you very much for the interview, Mr Münchhausen!