ABSTRACT
Loyalty programs are an early example of companies commercially collecting and processing personal data. Today, more than ever, personal information is used by companies of all kinds for a wide variety of purposes. To limit this, the General Data Protection Regulation (GDPR) aims to give consumers tools to control the collection and processing of their data. What this right means concretely, which types of tools companies must provide to their customers, and in what form, is currently uncertain because precedents from case law are missing. To help close this gap, we turn to the example of loyalty cards to supplement current implementations of the right to access with a user perspective. In our hands-on approach, we had 13 households request their personal data from their respective loyalty program. We investigate expectations of the GDPR in general and of the right to access in particular, observe the process of requesting and receiving the data, and discuss the data takeouts that were provided. One year after the GDPR came into force, our findings highlight consumers' expectations and knowledge of the GDPR, and of the right to access in particular, to inform the design of more usable privacy-enhancing technologies.
GDPR-Reality Check on the Right to Access Data: Claiming and Investigating Personally Identifiable Data from Companies