GDPR Reality Check - Claiming and Investigating Personally Identifiable Data from Companies

Today, more personal data than ever before Is being collected and stored by companies of all types for a wide variety of purposes. The General Data Protection Regulation (GDPR) aims to strengthen the rights of consumers by providing them with tools for controlling data collection and processing. While companies are now subject to legal obligations, precedent cases are still missing. At the same time. It remains unclear how the right to access data can be concretely implemented in practical and technical terms. Our study intends to address this problem by investigating the case of loyalty card providers - an established branch that collects the purchase data of users in exchange for discounts. For our study, we asked 13 households to request their personal data from their respective loyalty program providers. Based on interviews, we investigate the expectations of these users of the GDPR and the right to access data. Furthermore, we analyze the currently implemented process of claiming and receiving data as well as the sensemaking of said data by the users. Based on our analysis, we make the following contributions: We shed light on what users know about and expect from the GDPR, particularly concerning the right to access, we report user expectations regarding the process to claim access to data and the data archives provided, and finally, we also show why also companies could benefit from actively designing the data takeout to demonstrate their data collection practices.