{"id":478,"date":"2021-06-11T10:08:00","date_gmt":"2021-06-11T10:08:00","guid":{"rendered":"https:\/\/vanleeuwenlawfirm.eu\/?p=478"},"modified":"2026-06-15T06:40:43","modified_gmt":"2026-06-15T06:40:43","slug":"general-data-protection-regulation-gdpr-rights-and-challenges","status":"publish","type":"post","link":"https:\/\/vanleeuwenlawfirm.eu\/en\/expertises\/tech-and-digital\/privacy-data-and-cybersecurity\/general-data-protection-regulation-gdpr-rights-and-challenges\/","title":{"rendered":"General Data Protection Regulation (GDPR): Rights and Challenges"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"478\" class=\"elementor elementor-478\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-575521ca elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"575521ca\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-33ffc83\" data-id=\"33ffc83\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5fc65bde elementor-widget elementor-widget-text-editor\" data-id=\"5fc65bde\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\n<p class=\"wp-block-paragraph\" data-start=\"71\" data-end=\"1349\">The General Data Protection Regulation has not only tightened the legal framework for data protection, but has also made clear that digital legal protection only has real substance where the rights of data subjects are practically accessible, intelligible and enforceable. 
An organisation may have policies, registers, procedures and contractual clauses in place, but where a data subject cannot effectively determine which personal data are being processed, why that processing takes place, how long the data are retained, with which third parties the data are shared and on what basis the data can be rectified, erased or restricted, data protection remains largely formal. The rights of data subjects are therefore not an annex to privacy compliance, but the operational core of the system. They reveal whether the organisation treats personal data as controllable, traceable and bounded information, or as a dispersed digital residue that no one can fully explain in terms of location, meaning, purpose or decision-making impact. The central question addressed in this chapter is therefore not whether rights exist on paper, but whether the organisation is arranged in such a way that those rights can be realised in a timely, complete, verifiable and comprehensible manner.<\/p>\n<p data-start=\"1351\" data-end=\"2656\">That question is directly connected to Integrated Digital Crime Risk Management, because the exercise of GDPR rights cannot be separated from Digital Crime Risks, data integrity, identity verification, access management, logging, incident response, supplier oversight and executive accountability. A data access request may reveal, for example, that data are retained in more locations than previously assumed; a rectification request may show that multiple systems contain different versions of the same identity; an erasure request may expose insufficient control over backups, subprocessors or historical reports; and a data portability request may raise questions about data quality, interoperability and traceability. The rights of data subjects are therefore not merely individual claims, but also test moments for the quality of digital governance. 
Where the handling of requests depends on scattered emails, manual searches, informal knowledge held by individual employees or unclear system ownership, a structural risk emerges. The General Data Protection Regulation therefore requires a sharper form of digital integrity management: personal data must not only be processed lawfully, but must also remain findable, explainable, correctable, transferable and capable of being effectively limited.<\/p>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-b968f50 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"b968f50\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-94b8dab\" data-id=\"94b8dab\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-9305f75 elementor-widget elementor-widget-text-editor\" data-id=\"9305f75\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t\n<h4 data-start=\"2658\" data-end=\"2716\">The Right of Access as the Foundation of Transparency<\/h4>\n<p class=\"wp-block-paragraph\" data-start=\"2718\" data-end=\"3779\">The right of access is one of the most fundamental rights under the General Data Protection Regulation, because without access almost no other right can be exercised effectively. 
A data subject can only request rectification, restriction, erasure or objection once it is clear whether personal data are being processed, which categories of data are involved, which purposes underlie the processing, which recipients have received access, which retention periods apply and which logic may be involved in automated processing. Access is therefore more than the administrative provision of copies. It is a legal instrument designed to reduce the information asymmetry between the organisation and the data subject. The organisation has systems, files, data flows and internal knowledge; the data subject often has only suspicions, fragments or the visible outcome of processing. The right of access addresses that imbalance by requiring the organisation to provide insight into the processing in a manner that is sufficiently specific, complete and comprehensible.<\/p>\n<p data-start=\"3781\" data-end=\"4771\">In practice, data access requests create considerable tension. Personal data are rarely located in a single orderly file. They may exist in customer databases, email inboxes, CRM systems, compliance files, fraud monitoring tools, logging environments, contract systems, complaints registers, call recordings, cloud storage, supplier reports and historical archives. A limited search may therefore easily produce an incomplete picture. Equally problematic is a response that contains a large quantity of technical data but no meaningful explanation. A voluminous export file without context may overwhelm the data subject with information while leaving the central question unanswered: which data are actually being used, for what purpose, by whom and with what consequences? The duty of transparency therefore requires more than a data dump or standard letter. 
It requires a careful translation of internal data processing into a verifiable explanation that the data subject can understand.<\/p>\n<p data-start=\"4773\" data-end=\"5880\">Within Integrated Digital Crime Risk Management, the right of access has particular significance because access requests often operate as a stress test for data lineage, access management, documentation and internal allocation of responsibility. An organisation that cannot reconstruct which data have been processed about a data subject will often also struggle to demonstrate convincingly that those data have been properly secured, kept subject to limited access or protected against unauthorised use. That has direct relevance for Digital Crime Risks such as identity misuse, account takeover, internal data breaches, unauthorised consultation and uncontrolled onward transfer to third parties. A strong access process therefore requires a coherent framework of data inventory, clear process ownership, reliable search protocols, identity verification, assessment of third-party rights, documentation of decisions and timely communication. The right of access is therefore not only a right of the data subject, but also a mirror reflecting the administrative controllability of the digital organisation.<\/p>\n<h4 data-start=\"5882\" data-end=\"5958\">The Right to Rectification as a Safeguard for Data Quality and Accuracy<\/h4>\n<p data-start=\"5960\" data-end=\"6981\">The right to rectification protects the data subject against the consequences of inaccurate, incomplete or outdated personal data. This right is of considerable importance because, in digital processes, personal data are often not passively stored but actively used for assessment, selection, segmentation, risk weighing, customer acceptance, service provision, enforcement, fraud prevention or decision-making. 
An incorrect address, wrong date of birth, incomplete file, incorrectly linked telephone number, inaccurate payment detail or unjustified risk signal may have far-reaching consequences. The problem is not only that the data are factually wrong, but that digital systems can rapidly repeat, distribute and reinforce inaccurate data. A single incorrect registration may, through links, exports, internal reports and supplier chains, develop into a structural problem. Rectification is therefore not a cosmetic adjustment, but a necessary safeguard against digital decision-making based on defective information.<\/p>\n<p data-start=\"6983\" data-end=\"7974\">For organisations, rectification is often more complex than it first appears. The question is not only whether a data item must be corrected, but also where that correction must take place, which derivative files are affected, which historical records may lawfully be retained, which third parties must be informed and how recurrence of the same error must be prevented. Especially in complex digital environments, the same personal registration may exist in multiple locations, each with its own function and technical logic. A correction in the primary customer file does not resolve the problem where old data remain present in marketing lists, risk profiles, correspondence archives or reports to service providers. The organisation must therefore not merely respond to the request itself, but examine which data relationships have been affected by the error. Rectification requires that data quality be treated not as a technical afterthought, but as a legal and managerial requirement.<\/p>\n<p data-start=\"7976\" data-end=\"8945\">In the context of Integrated Digital Crime Risk Management, the right to rectification is closely linked to the integrity of digital data. 
Digital Crime Risks increase where systems contain inaccurate or polluted data, because incorrect data may lead to flawed risk scores, unjustified blocks, missed signals, incorrect customer identification or vulnerable authentication processes. Data pollution may also facilitate misuse where false, duplicate or outdated identities are not corrected in time. Rectification is therefore not only an individual legal protection measure, but also a control measure against operational and integrity risks. An organisation that takes rectification requests seriously simultaneously strengthens its ability to use reliable data, isolate errors, correct source records and limit future harm. The right to rectification therefore demonstrates that data protection and risk management do not exclude each other, but reinforce each other.<\/p>\n<h4 data-start=\"8947\" data-end=\"9009\">The Right to Erasure as a Limit on Unnecessary Processing<\/h4>\n<p data-start=\"9011\" data-end=\"9950\">The right to erasure expresses the principle that personal data must not continue to circulate indefinitely once the basis for processing has fallen away. Where data are no longer necessary for the original purpose, where consent has been withdrawn, where an objection succeeds, where data have been unlawfully processed or where a legal obligation to erase exists, the organisation must be able to act effectively. This right protects the data subject against the risk that digital traces continue to exist without limit and are later reused in another context. In a data economy in which storage is inexpensive and reuse may be attractive, erasure forms an essential boundary. Without that boundary, there is a risk that organisations retain data out of convenience, uncertainty, commercial value or future speculation. 
The General Data Protection Regulation requires, however, that processing remain tied to purpose, necessity and time.<\/p>\n<p data-start=\"9952\" data-end=\"10932\">The practical implementation of erasure is often complex. Data may exist in active systems, backups, audit logs, correspondence, reports, supplier datasets, compliance files and historical transaction registers. Full erasure may also conflict with statutory retention duties, evidentiary interests, tax obligations, contractual disputes or security purposes. The organisation must then determine precisely which data must actually be erased, which data may temporarily be retained, which data must be shielded and how this will be clearly explained to the data subject. A general reliance on retention obligations or technical impossibility is insufficient where no assessment has been made per data category as to why retention remains necessary. Erasure therefore requires differentiation, documentation and managerial discipline. It is not a simple press of a button, but a controlled process in which legal basis, technical feasibility and operational responsibility converge.<\/p>\n<p data-start=\"10934\" data-end=\"11941\">Within Integrated Digital Crime Risk Management, erasure is an important instrument for reducing excessive data risk. The more personal data are retained without necessity, the greater the impact of data breaches, ransomware, insider threats, account takeover and unauthorised access. Unnecessary data constitute a silent risk reserve: they often provide no current value, but increase the harm when security fails or systems are compromised. Erasure therefore contributes to data minimisation, reduction of the attack surface and limitation of liability risks. At the same time, erasure must be carefully assessed where data are required for fraud investigations, incident analysis or legal defence. 
The challenge lies in finding a verifiable balance: not retaining data longer than necessary, while also avoiding premature erasure where compelling legal or legitimate interests require continued retention. That balance requires clear retention periods, decision rules, escalation routes and audit trails.<\/p>\n<h4 data-start=\"11943\" data-end=\"12019\">The Right to Restriction of Processing as an Interim Protective Measure<\/h4>\n<p data-start=\"12021\" data-end=\"12843\">The right to restriction of processing performs a specific function under the General Data Protection Regulation, because it is often invoked in situations where uncertainty still exists about the accuracy, lawfulness or necessity of processing. The data subject may require that data temporarily not be further actively used where accuracy is contested, where processing may be unlawful, where the data are no longer needed but the data subject requires them for legal claims, or where an objection has been made and it remains to be assessed which interest prevails. Restriction is therefore a protective mechanism against continued use during a dispute. It prevents data from continuing to influence decision-making, profiling, reporting or external disclosure while their lawfulness or quality remains under challenge.<\/p>\n<p data-start=\"12845\" data-end=\"13824\">For organisations, restriction of processing requires a high degree of technical and organisational precision. It is not sufficient merely to note in a file that a request has been received. The relevant data must actually be marked, shielded or otherwise kept outside active processing, except for storage, legal claims, protection of third-party rights or compelling reasons of public interest. This requires systems capable of processing status markers, workflows that alert employees, supplier arrangements that pass on restrictions and controls that prevent data from nevertheless being reused. 
This is especially difficult in chain environments. Where data have been shared with subprocessors, internal departments or external partners, the restriction must operate across the full relevant processing chain. Otherwise the right remains theoretical and a risk arises that the organisation formally confirms restriction while the data in fact continue to circulate actively.<\/p>\n<p data-start=\"13826\" data-end=\"14748\">For Integrated Digital Crime Risk Management, restriction of processing has a direct integrity function. In relation to Digital Crime Risks, a data subject may for example contest the accuracy of a fraud marker, risk signal, device fingerprint, identity link or transaction indicator. Where such data continue to operate while the dispute is still being examined, this may lead to unjustified exclusion, service blocks, reputational harm or escalation to external parties. At the same time, restriction cannot mean that all risk management comes to a halt as soon as a request is made. The organisation must therefore have a careful assessment framework in which individual rights, security interests, fraud indicators and legal obligations are weighed against one another. The right to restriction requires temporary restraint where uncertainty exists, without abandoning necessary protection against Digital Crime Risks.<\/p>\n<h4 data-start=\"14750\" data-end=\"14805\">The Right to Data Portability in a Digital Economy<\/h4>\n<p data-start=\"14807\" data-end=\"15833\">The right to data portability gives the data subject the ability, under certain conditions, to receive personal data provided to an organisation in a structured, commonly used and machine-readable format, and to transmit those data to another service provider. 
This right is particularly relevant in a digital economy in which customers, users and clients often become dependent on platforms, applications, financial services, healthcare portals, subscription systems or other digital environments in which data accumulate over time. Without portability, switching providers may become difficult because relevant data are effectively locked into the original service provider\u2019s system. Data portability therefore strengthens individual control, market access and digital autonomy. The right limits the power of organisations to retain users through data dependency and promotes the principle that personal data should not only be available for processing by the organisation, but should also remain usable by the data subject.<\/p>\n<p data-start=\"15835\" data-end=\"16855\">The implementation of data portability imposes significant demands on data quality, technical standards and scope definition. Not all personal data fall within the right. The right applies in particular to data provided by the data subject where processing is based on consent or contract and is carried out by automated means. The organisation must therefore carefully distinguish between provided data, derived data, internal analyses, risk scores, commercially confidential assessments and data relating to third parties. In addition, the format must be genuinely usable. A portability file that is technically provided but difficult to understand or import only partially serves the purpose of the right. At the same time, the organisation must prevent transfer from leading to infringement of the rights of others, exposure of security information or uncontrolled dissemination of sensitive data. 
Data portability therefore requires a combination of legal delineation, technical reliability and secure transmission.<\/p>\n<p data-start=\"16857\" data-end=\"17886\" data-is-last-node=\"\" data-is-only-node=\"\">Within Integrated Digital Crime Risk Management, data portability touches on several Digital Crime Risks. The transfer of personal data may raise risks relating to identity verification, phishing, account takeover, unauthorised requests and manipulation of export processes. An organisation must ensure that the person requesting transfer is genuinely authorised, that data are provided securely, that the transfer channel is appropriately protected and that no information is disclosed that could enable misuse. At the same time, data portability can contribute to trust where users experience that data are not being held in an opaque or restrictive manner. The right requires organisations not to treat data solely as a business asset, but also as information over which the data subject must be able to exercise control under statutory conditions. 
In that sense, data portability is a modern correction to digital dependency: the organisation may use data, but must, under certain circumstances, also be able to release them.<\/p>\n<div class=\"text-base my-auto mx-auto [--thread-content-margin:var(--thread-content-margin-xs,calc(var(--spacing)*4))] @w-sm\/main:[--thread-content-margin:var(--thread-content-margin-sm,calc(var(--spacing)*6))] @w-lg\/main:[--thread-content-margin:var(--thread-content-margin-lg,calc(var(--spacing)*16))] px-(--thread-content-margin)\">\n<div class=\"[--thread-content-max-width:40rem] @w-lg\/main:[--thread-content-max-width:48rem] mx-auto max-w-(--thread-content-max-width) flex-1 group\/turn-messages focus-visible:outline-hidden relative flex w-full min-w-0 flex-col agent-turn\" data-conversation-screenshot-content=\"\">\n<div class=\"flex max-w-full flex-col gap-4 grow\">\n<div class=\"min-h-8 text-message relative flex w-full flex-col items-end gap-2 text-start break-words whitespace-normal outline-none keyboard-focused:focus-ring [.text-message+&amp;]:mt-1\" dir=\"auto\" data-message-author-role=\"assistant\" data-message-id=\"d3e9cd8f-d8e3-40b6-9806-8aeac460f0eb\" data-message-model-slug=\"gpt-5-5-thinking\">\n<div class=\"flex w-full flex-col gap-1 empty:hidden\">\n<div class=\"markdown prose dark:prose-invert wrap-break-word w-full light markdown-new-styling\">\n<h4 data-start=\"0\" data-end=\"38\">The Right to Object to Processing<\/h4>\n<p data-start=\"40\" data-end=\"1267\">The right to object constitutes an essential limitation on data processing that is not based exclusively on consent or contract, but on a balancing of interests by the organisation or on the performance of a task carried out in the public interest. This right requires a reassessment of processing activities that may appear logical, efficient or commercially attractive from the organisation\u2019s perspective, but may have a disproportionate impact on the data subject. 
Particularly where processing is based on legitimate interests, a tension arises between organisational objectives and individual protection. The organisation may consider processing necessary for fraud prevention, customer management, security, risk modelling, analytics, marketing or service improvement, while the data subject may experience profiling, monitoring, targeting or risk assessment without having given separate consent. The right to object does not require automatic cessation in every situation, but it does require a serious, concrete and individual balancing of interests. General references to business interests, efficiency or standard policy are insufficient where the personal circumstances of the data subject may carry greater weight.<\/p>\n<p data-start=\"1269\" data-end=\"2401\">In the context of direct marketing, the right to object has a particularly strict effect. Where a data subject objects to processing for direct marketing purposes, that processing must cease. This applies not only to the sending of commercial communications, but also to profiling insofar as it is related to direct marketing. This is highly significant in a digital economy in which marketing processes are often fuelled by behavioural data, segmentation models, purchase history, click behaviour, interests, location indicators, customer value classifications and automated targeting. An objection to marketing cannot therefore be reduced to unsubscribing from a single newsletter where underlying profiles, lookalike segments, advertising platforms or customer selections continue to operate. The organisation must be able to demonstrate that the objection takes effect across all relevant marketing channels and that the data subject is not approached again through an alternative route. 
This requires alignment between privacy requests, CRM systems, consent management, advertising tools, data platforms and supplier processes.<\/p>\n<p data-start=\"2403\" data-end=\"3700\">Within Integrated Digital Crime Risk Management, the right to object has additional significance where data are processed for risk assessment, fraud prevention, monitoring or security analysis. Digital Crime Risks may constitute a compelling interest, but that interest does not relieve the organisation of the obligation to assess objections carefully. Where a data subject argues that a risk signal is inaccurate, disproportionate or outdated, the organisation must be able to explain which data are being used, why continued processing remains necessary, what impact the processing has and which safeguards prevent misuse or incorrect assessment. At the same time, objection must not become a mechanism by which necessary security or fraud prevention is simply disabled. The legal core therefore lies in a verifiable balancing exercise: on the one hand, protection against identity misuse, account takeover, online payment fraud, misuse of services and other Digital Crime Risks; on the other hand, protection against opaque, disproportionate or insufficiently controlled processing of personal data. A robust objection process requires clear assessment criteria, escalation to privacy and risk functions, documentation of the balancing exercise and comprehensible feedback to the data subject.<\/p>\n<h4 data-start=\"3702\" data-end=\"3758\">Protection Against Solely Automated Decision-Making<\/h4>\n<p data-start=\"3760\" data-end=\"4873\">Protection against solely automated decision-making concerns one of the most sensitive areas of modern data processing: the situation in which a person is significantly affected by a decision made without meaningful human intervention. 
This may arise in credit acceptance, insurance assessment, fraud detection, access decisions, risk classifications, recruitment, platform moderation, customer blocks, service provision, price differentiation or enforcement selection. The legal concern is not that automation as such is prohibited, but that automation can create distance, opacity and a lack of corrective possibilities. Where a decision is made entirely by a system, there is a risk that the data subject will not understand why an outcome has been reached, will have no effective opportunity to challenge it and will be confronted with a digital conclusion that is treated internally as objective or neutral. The General Data Protection Regulation therefore requires appropriate safeguards, including the right to human intervention, the right to express a point of view and the right to contest the decision.<\/p>\n<p data-start=\"4875\" data-end=\"5897\">The practical challenge lies in distinguishing between automated support and solely automated decision-making. Many organisations use models, scores, signals or rule-based systems as input for human decision-making. Yet human involvement is only meaningful where the employee genuinely has room to assess the outcome, correct it and depart from it with reasons. A formal review by an employee who routinely follows the system recommendation may be insufficient. Human intervention must have substance: access to relevant information, understanding of the criteria used, authority to reach a different decision and responsibility for the final outcome. In addition, the organisation must be able to explain what role automated processing plays, which categories of data are used, what logic is applied in broad terms and what consequences the processing may have for the data subject. 
A black box that produces decisions without explainability and without genuine reassessment sits uneasily with effective legal protection.<\/p>\n<p data-start=\"5899\" data-end=\"6957\">Within Integrated Digital Crime Risk Management, this issue is particularly relevant because organisations increasingly deploy automated systems to identify, block or predict Digital Crime Risks. Examples include transaction monitoring, anomaly detection, device intelligence, behavioural analytics, sanctions screening, fraud scoring, identity verification and pattern recognition. Such systems may be necessary to combat digital crime, but they may also produce false positives, unjustified exclusion, account blocking or escalation to investigation without sufficient human review. The challenge is therefore not to avoid automation, but to subject automation to controllable safeguards. Criteria must be tested, outcomes must be monitored, error margins must be known, human review must be genuine and data subjects must have an effective channel through which to raise errors. Protection against solely automated decision-making therefore functions as a corrective mechanism against digital decision-making that becomes too detached from the individual.<\/p>\n<h4 data-start=\"6959\" data-end=\"7015\">Organisational Challenges in the Exercise of Rights<\/h4>\n<p data-start=\"7017\" data-end=\"7982\">The exercise of data subject rights creates significant organisational challenges because, within modern organisations, personal data are often distributed across departments, applications, suppliers, cloud environments, project files, communication channels and historical systems. A request from a data subject may appear simple from the outside: access, rectification, erasure, restriction, portability or objection. 
Internally, however, the same request may require a sequence of searches, verifications, legal assessments, technical actions, supplier instructions, balancing exercises and documentation steps. The organisation must not only determine which rights are engaged, but also identify which data are relevant, which systems must be consulted, which exceptions apply, which third-party interests are affected and which deadlines must be strictly monitored. Without a clear allocation of tasks, delay, inconsistency or incompleteness can quickly arise.<\/p>\n<p data-start=\"7984\" data-end=\"8980\">A key problem is that data subject rights are often treated as incident-driven privacy tasks, while their execution depends on structural digital control. Where data inventories are outdated, records of processing activities remain too abstract, system owners are unclear, retention periods have not been translated into operational practice or supplier arrangements are insufficiently executable, every request becomes an ad hoc project. This not only increases the likelihood of missed deadlines, but also the risk of substantive errors. An organisation may, for example, consult only the most visible systems while relevant data remain in email archives, audit logs, reports, data lakes, backups or external environments. Equally problematic is the possibility that different departments apply divergent interpretations to the same request. The data subject may then receive fragmented, contradictory or insufficiently reasoned responses, undermining confidence in the handling of the request.<\/p>\n<p data-start=\"8982\" data-end=\"9963\">Integrated Digital Crime Risk Management requires that data subject rights be connected to broader digital control processes. Digital Crime Risks, privacy risks and operational risks intersect in this domain. 
A request may come from a malicious actor attempting to obtain personal data through social engineering, but it may also be a legitimate request from a data subject seeking protection against inaccurate processing. Identity verification, access control, logging, four-eyes review, secure communication and clear escalation criteria are therefore indispensable. In practice this means verifying the requester against the contact details and credentials already on record rather than those supplied in the request, asking for additional proof only where there is reasonable doubt about identity, and delivering the response through a channel that the requester cannot redirect on their own. At the same time, security must not be used as a standard reason to frustrate rights. The organisation must strike a balance between protection against misuse of rights procedures and effective access to legal protection. That balance requires trained personnel, clear process steps, legally defensible template responses, technical executability, central coordination and verifiable documentation of decisions.<\/p>\n<h4 data-start=\"9965\" data-end=\"10031\">The Tension Between Formal Rights and Practical Executability<\/h4>\n<p data-start=\"10033\" data-end=\"10999\">The General Data Protection Regulation grants data subjects a broad and powerful set of rights, but the actual quality of data protection is determined by the extent to which those rights can be realised in practice. Formal rights have limited value where the organisation cannot determine where data are located, cannot explain why processing takes place, cannot distinguish between active and historical data, does not apply reliable retention periods or lacks control over data processed by suppliers. The tension arises above all because legal norms are often clearly formulated, while digital processes are technically, organisationally and contractually fragmented. The data subject sees one organisation; behind that organisation there may be dozens of systems, departments and service providers. 
The obligation nevertheless remains with the controller, the organisation responsible for the processing, which must be able to demonstrate that rights are effectively respected regardless of how many processors and systems sit behind it.<\/p>\n<p data-start=\"11001\" data-end=\"12037\">Practical executability requires more than willingness. It requires the organisation to have considered in advance findability, data quality, retention periods, system links, logging, access rights, supplier instructions, exceptions and communication with data subjects. Where these foundations are absent, the handling of requests depends on individual employees, historical knowledge or manual reconstruction. That is vulnerable, particularly where requests are complex or involve multiple rights at the same time. An access request may evolve into rectification, restriction or objection. A request for erasure may raise questions about retention obligations, pending disputes or security logs. A claim to data portability may conflict with the protection of commercially confidential analyses or the rights of third parties. The organisation must then not only respond correctly in legal terms, but also be technically able to implement what is promised. Otherwise, a gap arises between the written response and operational reality.<\/p>\n<p data-start=\"12039\" data-end=\"13167\">Within Integrated Digital Crime Risk Management, this tension is especially visible. Digital Crime Risks require rapid detection, intensive monitoring, data analysis and sometimes the prolonged retention of certain signals. At the same time, the GDPR requires data minimisation, transparency, purpose limitation, restriction and the exercise of rights. These norms are not mutually opposed, but require a carefully structured balance. Risk management without legal protection may lead to excessive surveillance, inaccurate risk profiles and insufficient explainability. 
Legal protection without security awareness may lead to misuse of request procedures, unauthorised disclosure of data or the undermining of necessary fraud prevention. The organisation must therefore determine, per category of data, per process and per risk situation, which processing is necessary, which rights may be exercised, which limitations are justified and how the balancing exercise is recorded. The tension between formal rights and practical executability is therefore not a technical detail, but a central issue of digital integrity management.<\/p>\n<h4 data-start=\"13169\" data-end=\"13249\">Rights and Challenges as the Core of Strategic Digital Integrity Management<\/h4>\n<p data-start=\"13251\" data-end=\"14232\">The rights of data subjects form a core component of strategic digital integrity management because they reveal whether an organisation actually has personal data under control. Access, rectification, erasure, restriction, portability, objection and protection against solely automated decision-making are separate rights, but together they function as a test of the integrity of the entire data environment. An organisation that can effectively give effect to these rights demonstrates that data are findable, processes are explainable, responsibilities are allocated, systems operate in a controllable manner and balancing exercises can be legally justified. An organisation that cannot do so faces not only the risk of complaints, proceedings or supervisory measures, but also reputational damage and loss of trust. 
The core therefore lies not in the mere existence of a privacy procedure, but in the ability to connect individual legal protection with daily digital operations.<\/p>\n<p data-start=\"14234\" data-end=\"15192\">Strategic management requires that data subject rights not be isolated within a legal or privacy function, but integrated into governance, product development, supplier management, data governance, information security, incident response and internal control. In new digital processes, it must be determined in advance how access will be provided, how corrections will take effect, how erasure will be made technically possible, how restriction of processing will be recorded, how objections will be assessed and what role automated decision-making plays. Where such questions arise only after a request has been submitted, there is a significant risk that the organisation will have to improvise. A robust digital organisation therefore treats rights as design requirements, not as aftercare. This means that systems, contracts, roles, data models and reports must from the outset take account of the question of how data subjects can exercise their rights.<\/p>\n<p data-start=\"15194\" data-end=\"16312\" data-is-last-node=\"\" data-is-only-node=\"\">Integrated Digital Crime Risk Management provides a necessary framework in this respect, because Digital Crime Risks, data protection and executive responsibility cannot be managed in isolation from one another. The same data needed for service provision, compliance or fraud prevention may also become the target of cyberattacks, internal misuse scenarios, social engineering or unauthorised onward transfer. The same systems that enable efficient processing may make the exercise of rights more difficult where they are insufficiently transparent, poorly connected or overly dependent on suppliers. 
The same automated models that identify risks may place legal protection under pressure where their operation is not explainable or correctable. The General Data Protection Regulation therefore makes clear that digital integrity consists not only of security or compliance, but of the ability to process personal data in a manner that remains verifiable, proportionate, explainable and respectful. Data subject rights are not an obstacle to digital development, but a necessary condition for trust in digital systems.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-14e66d5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"14e66d5\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-0f765d2\" data-id=\"0f765d2\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-5ec121a elementor-widget elementor-widget-spacer\" data-id=\"5ec121a\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"spacer.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<div class=\"elementor-spacer\">\n\t\t\t<div class=\"elementor-spacer-inner\"><\/div>\n\t\t<\/div>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-c75c359 elementor-section-boxed elementor-section-height-default 
elementor-section-height-default\" data-id=\"c75c359\" data-element_type=\"section\" data-e-type=\"section\"><\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>The General Data Protection Regulation has not only tightened the legal framework for
data protection, but has also made clear that digital legal protection only has real substance where the rights of data subjects are practically accessible, intelligible and enforceable. An organisation may have policies, registers, procedures and contractual clauses in place, but where a data subject cannot effectively determine which personal data are being processed, why that processing takes place, how long the data are retained, with which third parties the data are shared and on what basis the data can be rectified, erased or restricted, data protection remains<\/p>\n","protected":false},"author":3,"featured_media":34527,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[515],"tags":[],"class_list":["post-478","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-privacy-data-and-cybersecurity"],"acf":[],"_links":{"self":[{"href":"https:\/\/vanleeuwenlawfirm.eu\/en\/wp-json\/wp\/v2\/posts\/478","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/vanleeuwenlawfirm.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vanleeuwenlawfirm.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vanleeuwenlawfirm.eu\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/vanleeuwenlawfirm.eu\/en\/wp-json\/wp\/v2\/comments?post=478"}],"version-history":[{"count":25,"href":"https:\/\/vanleeuwenlawfirm.eu\/en\/wp-json\/wp\/v2\/posts\/478\/revisions"}],"predecessor-version":[{"id":34567,"href":"https:\/\/vanleeuwenlawfirm.eu\/en\/wp-json\/wp\/v2\/posts\/478\/revisions\/34567"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/vanleeuwenlawfirm.eu\/en\/wp-json\/wp\/v2\/media\/34527"}],"wp:attachment":[{"href":"https:\/\/vanleeuwenlawfirm.eu\/en\/wp-json\/wp\/v2\/media?parent=478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"h
ttps:\/\/vanleeuwenlawfirm.eu\/en\/wp-json\/wp\/v2\/categories?post=478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vanleeuwenlawfirm.eu\/en\/wp-json\/wp\/v2\/tags?post=478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}