Main Categories | Law | GDPRSchutzg├╝ter:Data Subjects

DS.14 Control over Data


Various GDPR provisions specify risk and damage categories. From this it can be deduced which "rights and freedoms" the GDPR wants to protect, which risks it wants to avoid and which damages it wants to prevent.


It follows from Recitals 7 (2), 68 (1), 75 and 85 (1) GDPR, that the GDPR also wants to prevent data subjects from losing control over "their" data. Control over "one's own" data is thus explicitly addressed only in a hidden manner in the recitals. Thus, at first glance, it only plays a subordinate role in the GDPR.


On the other hand, control over one's "own" data is an essential component of the right to informational self-determination [Tile GL.02]. According to the case law of the German Federal Constitutional Court, this right to informational self-determination includes the right of the individual to determine for himself or herself the disclosure and use of "his or her" personal data.


The fact that the GDPR only hints at this idea of control in a few recitals could lead to the conclusion that the "German" right to informational self-determination has not found central recognition at EU level.


And indeed, if the idea of control is overemphasised, data protection threatens to become an end in itself and to lose its connection to the rights it actually seeks to protect. At any rate, for relationships between private individuals, the German Federal Constitutional Court accordingly restricts the idea of informational self-determination somewhat: The right to informational self-determination gives individuals the possibility "of influencing, in a differentiated manner, the context and manner in which their data is accessible to and can be used by others". It thus guarantees “the individual substantial influence in deciding what information is attributed to their person" [Decision of 6.11.2019 - 1 BvR 16/13 -, para. 87].


However, even without explicit reference to the terms "informational self-determination" or “control” the GDPR's legal grounds for processing personal data contain various degrees of control, which, however, vary greatly in their intensity. While the degree of control for consent is very high (consent may be withdrawn at any time), for contracts it depends on the possibilities of terminating the contract. In the case of data processing based on law and also in the case of data processing based on legitimate interest, the control options of the data subject are generally low and are limited to the right to object.

Winfried Veil
Social Media
Last update: 2021-06-11 10:18:51
By: Winfried Veil
Created at: 2021-05-12 09:26:16