Qualitative In-Depth Analysis of GDPR Data Subject Access Requests and Responses from Major Online Services
By: Daniela Pöhn, Nils Gruschka
Potential Business Impact:
Checks if companies give your data back right.
The European General Data Protection Regulation (GDPR) grants European users the right to access their data processed and stored by organizations. Although the GDPR contains requirements for data processing organizations (e.g., understandable data provided within a month), it leaves much flexibility. In-depth research on how online services handle data subject access request is sparse. Specifically, it is unclear whether online services comply with the individual GDPR requirements, if the privacy policies and the data subject access responses are coherent, and how the responses change over time. To answer these questions, we perform a qualitative structured review of the processes and data exports of significant online services to (1) analyze the data received in 2023 in detail, (2) compare the data exports with the privacy policies, and (3) compare the data exports from November 2018 and November 2023. The study concludes that the quality of data subject access responses varies among the analyzed services, and none fulfills all requirements completely.
Similar Papers
The European Union general data protection regulation: what it is and what it means
Computers and Society
Protects your personal information online.
Lawful and Accountable Personal Data Processing with GDPR-based Access and Usage Control in Distributed Systems
Artificial Intelligence
Helps companies follow privacy rules automatically.
A Cross-Country Analysis of GDPR Cookie Banners and Flexible Methods for Scraping Them
Computers and Society
Finds websites tricking you into sharing data.