The General Data Protection Regulation grants certain rights to individuals and defines their conditions and limitations.
The controller has to make sure that data subjects can exercise the following rights:
1. Information to the data subject
You must inform data subjects that their personal data are processed, as well as who processes the data and why they are being processed. The information must be provided using clear and plain language and must be given at the time when the data are collected. Where the data are not collected directly from the data subject, the information must generally be provided within a reasonable period of time, but no later than a month after the collection.
2. The right to contest a decision based solely on automated processing
If you adopt a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects the data subject (e.g. the approval for a loan or an insurance contract), you must grant the data subject the right to express his or her point of view and to contest the decision. You must also inform the data subject of the logic involved in the decision-making.
3. The right of access
If a data subject asks whether you hold information on him or her, you must state whether you do and, if requested, you must give the person a complete copy of the personal data relating to him or her.
4. The right to rectification
You must only collect and process data that are accurate and up to date. At the request of a data subject, you must rectify any incorrect data.
5. The right to be forgotten
Where a person no longer wishes for their personal data to be processed, you must delete the data, unless you have a legitimate reason to keep them. For example, a data subject may request the immediate removal of personal data that were collected or published on a social network while the data subject was a child.
6. The right to data portability
A data subject must be able to receive the personal data that have been provided to an organisation, in a structured, commonly used and machine-readable format, and to transmit those data to another organisation (social network, Internet access provider, streaming website, etc.).
7. The right to object
The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of his or her personal data where that processing is necessary for the purposes of the legitimate interests of your organisation or for the performance of a task carried out in the public interest. In such a case, you can no longer process the personal data, unless there are compelling legitimate grounds to continue the processing activity.
You must also respect the right of the data subject to object to the use of his or her personal data for direct marketing purposes or canvassing purposes (political parties, unions, religious organisations, etc.), without requiring the data subject to justify the objection.
8. The right to restriction of processing
The data subject can request the restriction of processing:
- if the person contests the accuracy of the personal data, for the time required to check the accuracy,
- if the processing is unlawful and the person objects to the erasure of the data,
- if you no longer need the personal data, but the data subject needs them for the establishment, exercise or defence of legal claims.
Where the processing has been restricted, the data can no longer be processed. The method used to restrict the processing may vary depending on the situation (temporary move to another file, locking of data, temporary removal from a website, etc.).