short-paper

GDPR-Reality Check on the Right to Access Data: Claiming and Investigating Personally Identifiable Data from Companies

Authors:
Fatemeh Alizadeh

Information systems and new media, University of Siegen, Siegen, Germany

Information systems and new media, University of Siegen, Siegen, Germany
View Profile

,
Timo Jakobi

Information systems and new media, University of Siegen, Siegen, Germany

Information systems and new media, University of Siegen, Siegen, Germany
View Profile

,
Jens Boldt

Information systems and new media, University of Siegen, Siegen, Germany

Information systems and new media, University of Siegen, Siegen, Germany
View Profile

,
Gunnar Stevens

Information systems and new media, University of Siegen, Siegen, Germany

Information systems and new media, University of Siegen, Siegen, Germany
View Profile

Authors Info & Claims

MuC '19: Proceedings of Mensch und Computer 2019September 2019Pages 811–814https://doi.org/10.1145/3340764.3344913

Published:08 September 2019Publication History

Get Citation Alerts

New Citation Alert added!

This alert has been successfully added and will be sent to:

You will be notified whenever a record that you have chosen has been cited.

To manage your alert preferences, click on the button below.
Manage my Alerts

New Citation Alert!

Please log in to your account
Publisher Site

Get Access

MuC '19: Proceedings of Mensch und Computer 2019

Pages 811–814

ABSTRACT

Loyalty programs are early examples of companies commercially collecting and processing personal data. Today, more than ever before, personal information is being used by companies of all types for a wide variety of purposes. To limit this, the General Data Protection Regulation (GDPR) aims to provide consumers with tools to control data collection and processing. What this right concretely means, which types of tools companies have to provide to their customers and in which way, is currently uncertain because precedents from case law are missing. Contributing to closing this gap, we turn to the example of loyalty cards to supplement current implementations of the right to claim data with a user perspective. In our hands-on approach, we had 13 households request their personal data from their respective loyalty program. We investigate expectations of GDPR in general and the right to access in particular, observe the process of claiming and receiving, and discuss the provided data takeouts. One year after the GDPR has come into force, our findings highlight the consumer's expectations and knowledge of the GDPR and in particular the right to access to inform design of more usable privacy enhancing technologies.

References

Abras, C. et al. 2004. User-centered design. Bainbridge, W. Encyclopedia of Human-Computer Interaction. Thousand Oaks: Sage Publications. 37, 4 (2004), 445--456.Google Scholar
Acharya, A.S. et al. 2013. Sampling: why and how of it? Indian Journal of Medical Specialities. 4, 2 (Jul. 2013).Google ScholarCross Ref
Cavoukian, A. and others 2009. Privacy by design: The 7 foundational principles. Information and Privacy Commissioner of Ontario, Canada. (2009).Google Scholar
Coll, S. 2013. Consumption as biopower: Governing bodies with loyalty cards. Journal of Consumer Culture. 13, 3 (Nov. 2013), 201--220.Google ScholarCross Ref
European Parliament and the Council 2016. REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).Google Scholar
European Parliament and Council of the European Union 1995. Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.Google Scholar
Fischer, B. Bonuskarten: Das System Payback.Google Scholar
Gürses, S.F. et al. 2011. Engineering Privacy by Design. Computers, Privacy & Data Protection. (2011), 25 pages.Google Scholar
Jakobi, T. et al. 2018. Privacy-By-Design für das Connected Car: Architekturen aus Verbrauchersicht. Datenschutz und Datensicherheit-DuD. 42, 11 (2018), 704--707.Google ScholarCross Ref
Langheinrich, M. 2001. Privacy by design---principles of privacy-aware ubiquitous systems. Ubicomp 2001: Ubiquitous Computing. (2001). Google ScholarDigital Library
Morey, T. et al. 2015. Customer Data: Designing for Transparency and Trust. Harvard Business Review.Google Scholar
Olausson, M. 2018. User control of personal data: A study of personal data management in a GDPR-compliant grahpical user interface.Google Scholar
Raschke, P. et al. 2018. Designing a GDPR-Compliant and Usable Privacy Dashboard. Privacy and Identity Management. The Smart Revolution: 12th IFIP WG 9.2, 9.5, 9.6/11.7, 11.6/SIG 9.2.2 International Summer School, Ispra, Italy, September 4-8, 2017, Revised Selected Papers. M. Hansen et al., eds. Springer International Publishing. 221--236.Google Scholar
Resch-Edermayr, P. 2018. DSGVO. Digitale Welt. 2, 1 (Jan. 2018), 61--65.Google ScholarCross Ref
Seufert, A.-M. and Vitt, N. 2019. Medien zur DSGVO: Die Berichterstattung vor und seit dem Stichtag im Vergleich. Wirtschaftsinformatik & Management. (2019), 1--9.Google Scholar
Spagnuelo, D. et al. 2018. Accomplishing Transparency within the General Data Protection Regulation. 5th International Conference on Information Systems Security and Privacy. To appear (2018).Google Scholar
Stevens, G. et al. 2014. Mehrseitige, barrierefreie Sicherheit intelligenter Messsysteme. Datenschutz und Datensicherheit. 38, 8/2014 (2014), 536--544.Google ScholarCross Ref
Chapter 3 -- Rights of the data subject. General Data Protection Regulation (GDPR).Google Scholar

Index Terms

GDPR-Reality Check on the Right to Access Data: Claiming and Investigating Personally Identifiable Data from Companies
1. Security and privacy
  1. Human and societal aspects of security and privacy
    1. Usability in security and privacy

Recommendations

Human-GDPR Interaction: Practical Experiences of Accessing Personal Data

CHI '22: Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems

In our data-centric world, most services rely on collecting and using personal data. The EU's General Data Protection Regulation (GDPR) aims to enhance individuals’ control over their data, but its practical impact is not well understood. We present a 10-...

Read More
The right to access information under the GDPR

The present paper offers a critique of the General Data Protection Regulation in the realm of access to information. Even though the GDPR supports the constitutionally obvious position that the right to data protection does not outweigh other equally ...

Read More
Exploring the Impact of GDPR on Big Data Analytics Operations in the E-Commerce Industry

Abstract
This research explores the impact of data privacy and protection laws on e-commerce companies in the Netherlands. Specifically, this study focuses on the General Data Protection Regulation (GDPR). The purpose of this regulation is to refine ...

Read More

Comments

comments powered by Disqus.

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
MuC '19: Proceedings of Mensch und Computer 2019

September 2019

863 pages

ISBN:9781450371988

DOI:10.1145/3340764

Editors:

Florian Alt,

Andreas Bulling,

Tanja Döring
Copyright © 2019 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher

Association for Computing Machinery

New York, NY, United States
Publication History
- Published: 8 September 2019
Permissions

Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Claim personal data

Data takeout

GDPR

Usable Privacy
Qualifiers
- short-paper
- Research
- Refereed limited
Conference
Funding Sources
Other Metrics

View Article Metrics

Article Metrics
- 20
  Total Citations
  View Citations
- 571
  Total Downloads
- Downloads (Last 12 months)69
- Downloads (Last 6 weeks)6
Other Metrics

View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

GDPR-Reality Check on the Right to Access Data: Claiming and Investigating Personally Identifiable Data from Companies

MuC '19: Proceedings of Mensch und Computer 2019

ABSTRACT

References

Cited By

Index Terms

Recommendations

Human-GDPR Interaction: Practical Experiences of Accessing Personal Data

The right to access information under the GDPR

Exploring the Impact of GDPR on Big Data Analytics Operations in the E-Commerce Industry