Updated last 26.03.2021
What are the rights of the data subjects?
The data subjects are always natural persons. Natural persons’ right to personal data protection is their basic right. It is not absolute and may be limited proportionately to the rights and freedoms of the other persons.
First, the data subjects are entitled to know how their personal data is processed (right to information).
Important to know | |
The controller is obliged to provide the data subjects with brief and understandable information, in an easily accessible form. It must be provided to the natural person, both when his personal data is provided by such person, and if obtained from a third person. Тhe information, which must be provided to the natural persons, is listed in art. 13 and 14 of the Regulation and the requirements for its provision are compulsory. Тhe Transparency Guidelines of 11 April 2018 contain important information on notification. |
Important to know | |
The data subject may not be notified, when personal data is not obtained from him and notification proves impossible or requires excessive efforts. |
Second, the data subjects have the right to access their personal information, stored by the controller, as well as to receive confirmation of whether or not their data is processed.
Third, The data subject has the right to request from the controller to rectify without undue delay any inaccurate personal data, related to him (right to rectification).
Fourth, the data subject has the right to request the personal data, related to him to be erased. Another name of this right is “the right to be forgotten“.
Important to know | |
The controller is obliged to erase the personal data, in each of the following cases:
|
Fifth, the data subject has the right to request from the controller to limit the personal data processing (right to restriction of processing).
The controller is obliged to notify each and every recipient, to whom such data was disclosed, of any rectification, erasing and limitation of the subject’s personal data processing.
Sixth, the data subject has the right to receive the personal data, concerning her/him and which he has provided to the controller (right to data portability). When the data is processed based on consent or contract obligation and processing takes place in automated manner, the data may be requested and must be received in a common electronic format, so that it is possible that this data is provided to a new controller. Also, the data subject may request the direct transfer of the personal data from one controller to another.
Seventh, the natural persons have the right to object against the processing of personal data, related to them, based on public interest or legitimate interest of the controller. Тhe controller must discontinue the processing, unless he is able to prove that the legal grounds for the processing prevail over the interests, rights and freedoms of the data subject. For example, the data subjects have the right to object to the personal data processing, related to direct marketing, where the personal data processing is legitimate interest of the employer and the controller must discontinue the processing.
Eighth, the data subject has the right not to be subject of automated individual decision-making, including profiling.
Profiling is defined in article 4, item 4 of the Regulation as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Automated decision-making means the analysing and assessment of personal aspects of a natural person, based only on a decision, made through automated means, without the involvement of or analysis, performed by an actual person, but of a machine only. Тhe data subject may become the subject of automated individual decision-making, if this is necessary for the signing of a contract or if the data subject has expressly agreed to be the subject of such a decision or of another of the grounds for processing. In all other cases, the data subject may refuse such processing of information, concerning him. In this case the controller must apply appropriate measures to protect the rights and freedoms of the data subject, as the minimum requirement is to ensure human involvement in the performance of the analysis.
For more information | |
For more information, please visit the websites of the:
- archive „1997 – 2016“ Text of the Regulation |