A Case Study on the Implementation of the Right of Access in Privacy Dashboards

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12703)


The right of access under Art. 15 of the General Data Protection Regulation (GDPR) grants data subjects the right to obtain comprehensive information about the processing of personal data from a controller, including a copy of the data. Privacy dashboards have been discussed as possible tools for implementing this right, and are increasingly found in practice. However, investigations of real world implementations are sparse. We therefore qualitatively examined the extent to which privacy dashboards of ten online services complied with the essential requirements of Art. 15 GDPR. For this, we compared the information provided in dashboards with the information provided in privacy statements and data exports. We found that most privacy dashboards provided a decent initial overview, but lacked important information about purposes, recipients, sources, and categories of data that online users consider to be sensitive. In addition, both the privacy dashboards and the data exports lacked copies of personal data that were processed according to the online services’ own privacy statements. We discuss the strengths and weaknesses of current implementations in terms of their ability to fulfill the objective of Art. 15 GDPR, namely to create awareness about data processing. We conclude by providing an outlook on what steps would be necessary for privacy dashboards to facilitate the exercise of the right of access and to provide real added value for online users.


GDPR Right of access Privacy dashboards 


  1. 1.
    Acquisti, A., Grossklags, J.: Privacy and rationality in individual decision making. IEEE Secur. Priv. 3(1), 26–33 (2005). Scholar
  2. 2.
    Alizadeh, F., Jakobi, T., Boden, A., Stevens, G., Boldt, J.: GDPR reality check - claiming and investigating personally identifiable data from companies. In: 2020 IEEE European Symposium on Security and Privacy Workshops (EuroSPW), pp. 120–129. IEEE (2020).
  3. 3.
    Angulo, J., Fischer-Hübner, S., Pulls, T., Wästlund, E.: Usable transparency with the data track: a tool for visualizing data disclosures. In: Proceedings of the 33rd Annual ACM Conference Extended Abstracts on Human Factors in Computing Systems, pp. 1803–1808. Association for Computing Machinery (2015).
  4. 4.
    Arfelt, E., Basin, D., Debois, S.: Monitoring the GDPR. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11735, pp. 681–699. Springer, Cham (2019). Scholar
  5. 5.
    Bier, C., Kühne, K., Beyerer, J.: PrivacyInsight: the next generation privacy dashboard. In: Schiffner, S., Serna, J., Ikonomou, D., Rannenberg, K. (eds.) APF 2016. LNCS, vol. 9857, pp. 135–152. Springer, Cham (2016). Scholar
  6. 6.
    Boniface, C., Fouad, I., Bielova, N., Lauradoux, C., Santos, C.: Security analysis of subject access request procedures. In: Naldi, M., Italiano, G.F., Rannenberg, K., Medina, M., Bourka, A. (eds.) APF 2019. LNCS, vol. 11498, pp. 182–209. Springer, Cham (2019). Scholar
  7. 7.
    Buchmann, J., Nebel, M., Roßnagel, A., Shirazi, F., Simo, H., Waidner, M.: Personal information dashboard: putting the individual back in control. In: Digital Enlightenment Yearbook 2013, pp. 139–164. IOS Press (2013)Google Scholar
  8. 8.
    Bufalieri, L., Morgia, M.L., Mei, A., Stefa, J.: GDPR: when the right to access personal data becomes a threat. In: 2020 IEEE International Conference on Web Services (ICWS), pp. 75–83 (2020).
  9. 9.
    Cabinakova, J., Zimmermann, C., Mueller, G.: An empirical analysis of privacy dashboard acceptance: the google case. In: Proceeding of the 24th European Conference on Information Systems (ECIS). Research Papers, vol. 114, pp. 1–18. AIS Electronic Library (AISeL) (2016)Google Scholar
  10. 10.
    Cagnazzo, M., Holz, T., Pohlmann, N.: GDPiRated – stealing personal information on- and offline. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 367–386. Springer, Cham (2019). Scholar
  11. 11.
    European Parliament and Council of European Union: Regulation (EU) 2016/679 (2016).
  12. 12.
    Few, S.: Information Dashboard Design: The Effective Visual Communication of Data. O’Reilly Media, Inc. (2006)Google Scholar
  13. 13.
    Fischer-Hübner, S., Angulo, J., Pulls, T.: How can cloud users be supported in deciding on, tracking and controlling how their data are used? In: Hansen, M., Hoepman, J.-H., Leenes, R., Whitehouse, D. (eds.) Privacy and Identity 2013. IAICT, vol. 421, pp. 77–92. Springer, Heidelberg (2014). Scholar
  14. 14.
    Gerber, N., Gerber, P., Volkamer, M.: Explaining the privacy paradox: a systematic review of literature investigating privacy attitude and behavior. Comput. Secur. 77, 226–261 (2018). Scholar
  15. 15.
    Gluck, J., et al.: How short is too short? Implications of length and framing on the effectiveness of privacy notices. In: 12th Symposium on Usable Privacy and Security (SOUPS), pp. 321–340. USENIX Association (2016)Google Scholar
  16. 16.
    Goodman, B., Flaxman, S.: European union regulations on algorithmic decision-making and a “Right to Explanation”. AI Mag. 38(3), 50–57 (2017). Scholar
  17. 17.
    Harkous, H., Fawaz, K., Lebret, R., Schaub, F., Shin, K.G., Aberer, K.: Polisis: automated analysis and presentation of privacy policies using deep learning. In: 27th USENIX Security Symposium (USENIX Security), pp. 531–548. USENIX Association (2018)Google Scholar
  18. 18.
    Herder, E., van Maaren, O.: Privacy dashboards: the impact of the type of personal data and user control on trust and perceived risk. In: Adjunct Publication of the 28th ACM Conference on User Modeling, Adaptation and Personalization (UMAP), pp. 169–174. Association for Computing Machinery (2020).
  19. 19.
    Kang, R., Dabbish, L., Fruchter, N., Kiesler, S.: “My data just goes everywhere:” user mental models of the internet and implications for privacy and security. In: 11th Symposium On Usable Privacy and Security (SOUPS), pp. 39–52. USENIX Association (2015)Google Scholar
  20. 20.
    Kani-Zabihi, E., Helmhout, M.: Increasing service users’ privacy awareness by introducing on-line interactive privacy features. In: Laud, P. (ed.) NordSec 2011. LNCS, vol. 7161, pp. 131–148. Springer, Heidelberg (2012). Scholar
  21. 21.
    Karegar, F., Pulls, T., Fischer-Hübner, S.: Visualizing exports of personal data by exercising the right of data portability in the data track - are people ready for this? In: Lehmann, A., Whitehouse, D., Fischer-Hübner, S., Fritsch, L., Raab, C. (eds.) Privacy and Identity 2016. IAICT, vol. 498, pp. 164–181. Springer, Cham (2016). Scholar
  22. 22.
    Kolter, J., Netter, M., Pernul, G.: Visualizing past personal data disclosures. In: 2010 International Conference on Availability, Reliability and Security (ARES), pp. 131–139. IEEE (2010).
  23. 23.
    Le Pochat, V., Van Goethem, T., Tajalizadehkhoob, S., Korczyński, M., Joosen, W.: Tranco: a research-oriented top sites ranking hardened against manipulation. In: Proceedings of the 26th Annual Network and Distributed System Security Symposium (NDSS). The Internet Society (2019)Google Scholar
  24. 24.
    Mannhardt, F., Oliveira, M., Petersen, S.A.: Designing a privacy dashboard for a smart manufacturing environment. In: Pappas, I.O., Mikalef, P., Dwivedi, Y.K., Jaccheri, L., Krogstie, J., Mäntymäki, M. (eds.) I3E 2019. IAICT, vol. 573, pp. 79–85. Springer, Cham (2020). Scholar
  25. 25.
    Markos, E., Milne, G.R., Peltier, J.W.: Information sensitivity and willingness to provide continua: a comparative privacy study of the United States and Brazil. J. Public Policy Market. 36(1), 79–96 (2017). Scholar
  26. 26.
    Martino, M.D., Robyns, P., Weyts, W., Quax, P., Lamotte, W., Andries, K.: Personal information leakage by abusing the GDPR ‘Right of Access’. In: 15th USENIX Symposium on Usable Privacy and Security (SOUPS). USENIX Association (2019)Google Scholar
  27. 27.
    Matzutt, R., et al.: myneData: towards a trusted and user-controlled ecosystem for sharing personal data. In: 47. Jahrestagung Der Gesellschaft Für Informatik, pp. 1073–1084 (2017).
  28. 28.
    Milne, G.R., Pettinico, G., Hajjat, F.M., Markos, E.: Information sensitivity typology: mapping the degree and type of risk consumers perceive in personal data sharing. J. Consum. Aff. 51(1), 133–161 (2017). Scholar
  29. 29.
    Murmann, P., Fischer-Hübner, S.: Tools for achieving usable ex post transparency: a survey. IEEE Access 5, 22965–22991 (2017). Scholar
  30. 30.
    Nissenbaum, H.: Privacy as contextual integrity. Washington Law Rev. 79(1), 1119–157 (2004)Google Scholar
  31. 31.
    Pavur, J., Knerr, C.: GDPArrrrr: Using Privacy Laws to Steal Identities. arXiv:1912.00731 [cs] (2019)
  32. 32.
    Polst, S., Kelbert, P., Feth, D.: Company privacy dashboards: employee needs and requirements. In: Moallem, A. (ed.) HCII 2019. LNCS, vol. 11594, pp. 429–440. Springer, Cham (2019). Scholar
  33. 33.
    Popescu, A., et al.: Increasing transparency and privacy for online social network users – USEMP value model, scoring framework and legal. In: Berendt, B., Engel, T., Ikonomou, D., Le Métayer, D., Schiffner, S. (eds.) APF 2015. LNCS, vol. 9484, pp. 38–59. Springer, Cham (2016). Scholar
  34. 34.
    Presthus, W., Sørum, H.: Consumer perspectives on information privacy following the implementation of the GDPR. Int. J. Inf. Syst. Project Manag. (IJISPM) 7(3), 19–34 (2019)Google Scholar
  35. 35.
    Raschke, P., Küpper, A., Drozd, O., Kirrane, S.: Designing a GDPR-compliant and usable privacy dashboard. In: Hansen, M., Kosta, E., Nai-Fovino, I., Fischer-Hübner, S. (eds.) Privacy and Identity 2017. IAICT, vol. 526, pp. 221–236. Springer, Cham (2018). Scholar
  36. 36.
    Schomakers, E.M., Lidynia, C., Müllmann, D., Ziefle, M.: Internet users’ perceptions of information sensitivity - insights from Germany. Int. J. Inf. Manag. 46, 142–150 (2019). Scholar
  37. 37.
    Schufrin, M., Reynolds, S.L., Kuijper, A., Kohlhammer, J.: A visualization interface to improve the transparency of collected personal data on the internet. IEEE Trans. Vis. Comput. Graph. 27(2), 1840–1849 (2021). Scholar
  38. 38.
    Scudder, J., Jøsang, A.: Personal federation control with the identity dashboard. In: de Leeuw, E., Fischer-Hübner, S., Fritsch, L. (eds.) IDMAN 2010. IAICT, vol. 343, pp. 85–99. Springer, Heidelberg (2010). Scholar
  39. 39.
    Siljee, J.: Privacy transparency patterns. In: Proceedings of the 20th ACM European Conference on Pattern Languages of Programs (EuroPLoP), pp. 1–11. ACM (2015).
  40. 40.
    The European Comission: ICT usage in households and by individuals. Technical report, The European Union (2019).
  41. 41.
    The European Comission: Digital Economy and Society Index (DESI) 2020 - Use of internet services. Technical report. DESI 2020, The European Union (2020).
  42. 42.
    Tolsdorf, J., Dehling, F.: In our employer we trust: mental models of office workers’ privacy perceptions. In: Bernhard, M., et al. (eds.) FC 2020. LNCS, vol. 12063, pp. 122–136. Springer, Cham (2020). Scholar
  43. 43.
    Tolsdorf, J., Dehling, F., Lo Iacono, L.: Take back control! the use of mental models to develop privacy dashboards. ITG News 8(3), 15–20 (2020)Google Scholar
  44. 44.
    Urban, T., Tatang, D., Degeling, M., Holz, T., Pohlmann, N.: A study on subject data access in online advertising after the GDPR. In: Pérez-Solà, C., Navarro-Arribas, G., Biryukov, A., Garcia-Alfaro, J. (eds.) DPM/CBT -2019. LNCS, vol. 11737, pp. 61–79. Springer, Cham (2019). Scholar
  45. 45.
    Utz, C., Degeling, M., Fahl, S., Schaub, F., Holz, T.: (un)informed consent: studying GDPR consent notices in the field. In: Proceedings of the 26th ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 973–990. Association for Computing Machinery (2019).
  46. 46.
    Wilson, S., et al.: Crowdsourcing annotations for websites’ privacy policies: can it really work? In: Proceedings of the 25th International Conference on World Wide Web (WWW), pp. 133–143. International World Wide Web Conferences Steering Committee (2016).
  47. 47.
    Wong, J., Henderson, T.: How portable is portable? Exercising the GDPR’s right to data portability. In: Proceedings of the 2018 ACM International Joint Conference and 2018 International Symposium on Pervasive and Ubiquitous Computing and Wearable Computers (UbiComp), pp. 911–920. Association for Computing Machinery (2018)Google Scholar
  48. 48.
    Zimmermann, C., Accorsi, R., Müller, G.: Privacy dashboards: reconciling data-driven business models and privacy. In: Proceedings of the 9th International Conference on Availability, Reliability and Security (ARES), pp. 152–157. IEEE Computer Society (2014).

Copyright information

© Springer Nature Switzerland AG 2021

Authors and Affiliations

  1. 1.Data and Application Security GroupH-BRS University of Applied SciencesSankt AugustinGermany

Personalised recommendations