DOI: 10.1145/3340764.3344913
short-paper

GDPR-Reality Check on the Right to Access Data: Claiming and Investigating Personally Identifiable Data from Companies

Published: 08 September 2019

Abstract

Loyalty programs are early examples of companies commercially collecting and processing personal data. Today, more than ever before, personal information is being used by companies of all types for a wide variety of purposes. To limit this, the General Data Protection Regulation (GDPR) aims to provide consumers with tools to control data collection and processing. What this right concretely means, which types of tools companies have to provide to their customers, and in which way, is currently uncertain because precedents from case law are missing. To help close this gap, we turn to the example of loyalty cards to supplement current implementations of the right to claim data with a user perspective. In our hands-on approach, we had 13 households request their personal data from their respective loyalty programs. We investigate expectations of the GDPR in general and the right to access in particular, observe the process of claiming and receiving, and discuss the provided data takeouts. One year after the GDPR came into force, our findings highlight consumers' expectations and knowledge of the GDPR, and in particular of the right to access, to inform the design of more usable privacy-enhancing technologies.



    Published In

    MuC '19: Proceedings of Mensch und Computer 2019
    September 2019
    863 pages
    ISBN: 9781450371988
    DOI: 10.1145/3340764

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. Claim personal data
    2. Data takeout
    3. GDPR
    4. Usable Privacy

    Qualifiers

    • Short-paper
    • Research
    • Refereed limited

    Conference

    MuC'19
    MuC'19: Mensch-und-Computer
    September 8 - 11, 2019
    Hamburg, Germany
