Currently, many companies still lack a defined process for requests for information within a specified period of time.
In order to be in a secure position at this point, a company should have precise knowledge of who can make the requests, through which channels (post, e-mail, fax, online) they are received, who is responsible for processing them and how the complete processing of the request for information pursuant to Art. 15 para. 1 lit. a) – h) GDPR is ensured and ultimately also documented (Art. 5 para. 2 GDPR).
You can read here about the consequences of not giving information or not giving it in time:
Who is the person concerned?
The GDPR stipulates that any EU citizen and any citizen of a third country – who purchases goods in the EU from a company in a third country – can be affected. This also applies if the company does not have a registered office within the EU and the geographical scope of the GDPR has been opened up with Art. 3 para. 2 GDPR (market place principle). This means that a data subject from the third country may be entitled to more rights within the EU than they would have been in their home country.
What does a right to information apply to?
The right to information extends to all personal data stored about the person concerned in accordance with Art. 4 No. 1 GDPR. This also includes metadata according to Art. 15 para. 1 sentence 1 GDPR.
Information already provided in the past does not entitle the company to deny the user the right to information, as the data may have changed in the meantime. The information is also not limited to a one-time response.
Are there time limits for processing a request for information?
Art. 12 para. 3 and 4 GDPR regulate the requirement to reply. This applies to both positive and negative replies. In principle, actions must be taken without delay, i.e. the person concerned must be informed and their request (e.g. deletion) must be complied with without delay. The maximum period of time that the responsible party may need for this is one month from receipt of the request. In the event of a positive reply, the responsible party may extend the information period by a further two months in accordance with Art. 12 para. 3 sentence 2 GDPR. However, the reasons for this should be strictly interpreted.
How is compensation for failure to meet the deadline?
Delay without a reminder according to § 286 BGB in connection with Art. 12 para. 3 sentence 1 GDPR always occurs when the one-month deadline is missed. In this case, the affected party can, after the expiry of the deadline, engage a lawyer to assert the claim for information before the courts and claim the costs incurred for this as damages caused by default in accordance with § 280 in conjunction with Art. 12 para. 3 sentence 1 GDPR. § 286, 288 para. 4 BGB. Attorney’s fees are then additional costs caused by the delay and are to be reimbursed according to § 249 BGB. In Germany EUR 5.000 was determined by the Munich First District Court as the amount in dispute for the pre-court activity of a lawyer, irrespective of the possible consequences under data protection law in the event of a complaint to the supervisory authority.
Unfortunately, there are always people who deliberately subscribe e.g. to newsletters pro forma at a large number of companies in order to send requests for information to these companies. Their aim is to assert claims with the help of a lawyer, for example, in the event of inactivity of a company.
A functioning process within the company, which ensures that incoming requests for information are processed on time, is therefore essential.
Your contact to ePrivacy