Rights of the data subject

RIGHTS OF THE DATA SUBJECT – ARTS. 15 -22 GDPR

Article 15 Right of ACCESS of the data subject
1. The data subject shall have the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed, and if so, to obtain access to the personal data and the following information:
(a) the purposes of processing;
(b) the categories of personal data in question;
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, particularly if recipients in third countries or international organizations;
(d) when possible, the expected period of retention of personal data or, if not possible, the criteria used to determine this period;
(e) the existence of the data subject’s right to request from the data controller the rectification or erasure of personal data or the restriction of the processing of personal data concerning him or her or to object to their processing;
(f) the right to file a complaint with a supervisory authority;
(g) if the data are not collected from the data subject, all available information on their origin;
(h) the existence of an automated decision-making process, including profiling as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information about the logic used, as well as the importance and expected consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or international organization, the data subject has the right to be informed of the existence of appropriate safeguards under Article 46 relating to the transfer.
3. The data controller shall provide a copy of the personal data being processed. In case of additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. If the data subject makes the request by electronic means, and unless otherwise specified by the data subject, the information shall be provided in a commonly used electronic format.
4. The right to obtain a copy referred to in paragraph 3 shall not infringe upon the rights and freedoms of others.
*
Article 16 right to RECTIFICATION
The data subject has the right to obtain from the data controller the rectification of inaccurate personal data concerning him or her without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, including by providing a supplementary statement.
*
Article 17 Right to CANCELLATION (“right to OBLIGATION”)
1. The data subject shall have the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay, and the data controller shall be obliged to erase the personal data without undue delay, if any of the following grounds exist:
(a) personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws the consent on which the processing is based in accordance with Article 6(1)(a) (a), or Article 9 (2) (a) (a), and if there is no other legal basis for the treatment;
(c) the data subject objects to processing under Article 21(1) and there is no overriding legitimate reason for processing, or objects to processing under Article 21(2);
(d) personal data have been processed unlawfully;
(e) personal data must be erased in order to comply with a legal obligation under Union or Member State law to which the data controller is subject; (26)
(f) personal data have been collected in connection with the provision of information society services referred to in Article 8(1).
2. Where a data controller has made personal data public and is obliged under paragraph 1 to erase it, taking into account available technology and the costs of implementation it shall take reasonable measures, including technical measures, to inform data controllers who are processing personal data of the data subject’s request to erase any link, copy or reproduction of his or her personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that the processing is necessary:
(a) for the exercise of the right to freedom of expression and information;
(b) for the performance of a legal obligation requiring the processing provided for by the law of the Union or the Member State to which the data controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; (26)
(c) for reasons of public interest in the field of public health in accordance with Article 9, paragraph 2, subparagraphs (h) and (i), and Article 9(3);
(d) for the purpose of archiving in the public interest, scientific or historical research, or statistical purposes in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
(e) for the establishment, exercise or defense of a right in court.
*
Article 18 Right to LIMIT treatment
1. The data subject has the right to obtain from the data controller the restriction of processing when one of the following cases occurs:
(a) the data subject disputes the accuracy of personal data, for the period necessary for the data controller to verify the accuracy of such personal data;
(b) the processing is unlawful and the data subject objects to the deletion of personal data and instead requests that their use be restricted;
(c) although the data controller no longer needs them for the purposes of processing, the personal data are necessary for the data subject to establish, exercise or defend a right in court;
(d) the data subject has objected to the processing pursuant to Article 21(1), pending verification as to whether the legitimate grounds of the data controller outweigh those of the data subject.
2. Where processing is restricted pursuant to paragraph 1, such personal data shall be processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of a right in court or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State.
3. A data subject who has obtained the restriction of processing pursuant to paragraph 1 shall be informed by the data controller before such restriction is lifted.
*
Article 20 Right to PORTABILITY of data
1. The data subject shall have the right to receive in a structured, commonly used and machine-readable format personal data concerning him or her that have been provided to a data controller and shall have the right to transmit such data to another data controller without hindrance by the data controller to whom he or she has provided them if:
(a) the processing is based on consent within the meaning of Article 6(1)(a) (a), or Article 9 (2) (a). (a), or on a contract under Article 6(1)(a). (b); and
(b) the processing is carried out by automated means.
2. When exercising his or her rights with regard to data portability under paragraph 1, the data subject has the right to obtain direct transmission of personal data from one controller to another, if technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in connection with the exercise of official authority vested in the data controller.
4. The right referred to in paragraph 1 shall not infringe on the rights and freedoms of others.
*
Article 21 Right of OPPOSITION
1. The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to Article 6(1), subparagraphs (e) or (f), including profiling on the basis of these provisions. The data controller shall refrain from further processing personal data unless the data controller demonstrates the existence of compelling legitimate grounds for processing that override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of a legal claim.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her carried out for such purposes, including profiling insofar as it is related to such direct marketing.
3. If the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. The right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information at the latest at the time of the first communication with the data subject.
5. In the context of the use of information society services and without prejudice to Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using specific techniques.
6. Where personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1), the data subject shall have the right, on grounds relating to his or her particular situation, to object to the processing of personal data concerning him or her, except where the processing is necessary for the performance of a task carried out in the public interest.
*
Article 22 AUTOMATED decision-making related to natural persons, including profiling
1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or affects him or her in a similar significant way.
2. Paragraph 1 shall not apply in case the decision:
(a) is necessary for the conclusion or performance of a contract between the data subject and a data controller;
(b) is authorized by the law of the Union or the Member State to which the data controller is subject, which also specifies appropriate measures to protect the rights, freedoms and legitimate interests of the data subject;
(c) is based on the explicit consent of the data subject.
3. In the cases referred to in paragraph 2 (a) and (c), the data controller shall implement appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention by the data controller, to express his or her opinion and to challenge the decision.
4. Decisions under paragraph 2 shall not be based on the special categories of personal data referred to in Article 9(1) unless Article 9(2)(a) or (g) applies and appropriate measures are in place to protect the rights, freedoms and legitimate interests of the data subject.