Rights and obligations of the data subjects
 

Last updated 26.03.2021

What are the rights of the data subjects?

The data subjects are always natural persons. Natural persons’ right to personal data protection is a basic right. It is not absolute and may be limited proportionately to the rights and freedoms of other persons.

First, the data subjects are entitled to know how their personal data is processed (right to information).

 

Important to know

The controller is obliged to provide the data subjects with brief and understandable information, in an easily accessible form. It must be provided to the natural person both when the personal data is provided by that person and when it is obtained from a third person. The information which must be provided to natural persons is listed in Art. 13 and 14 of the Regulation, and the requirements for its provision are compulsory. The Transparency Guidelines of 11 April 2018 contain important information on notification.

 

Important to know

The data subject need not be notified when the personal data is not obtained from him and notification proves impossible or requires excessive effort.

 

Second, the data subjects have the right to access their personal information, stored by the controller, as well as to receive confirmation of whether or not their data is processed.

Third, the data subject has the right to request that the controller rectify, without undue delay, any inaccurate personal data related to him (right to rectification).

Fourth, the data subject has the right to request that the personal data related to him be erased. Another name for this right is “the right to be forgotten”.

 

Important to know

The controller is obliged to erase the personal data in each of the following cases:

  • The personal data is not necessary for the objectives for which it was collected;
  • The data subject has given his consent for processing, but has subsequently withdrawn it and there is no other legal ground for processing;
  • The personal data has been processed unlawfully;
  • The data must be erased in conformity with the law.

 

Fifth, the data subject has the right to request that the controller limit the processing of personal data (right to restriction of processing).

The controller is obliged to notify each and every recipient to whom such data was disclosed of any rectification, erasure and limitation of processing of the subject’s personal data.

Sixth, the data subject has the right to receive the personal data concerning him which he has provided to the controller (right to data portability). When the data is processed on the basis of consent or a contractual obligation and the processing takes place in an automated manner, the data may be requested and must be received in a common electronic format, so that it can be provided to a new controller. The data subject may also request the direct transfer of the personal data from one controller to another.

Seventh, natural persons have the right to object to the processing of personal data related to them that is based on public interest or the legitimate interest of the controller. The controller must discontinue the processing, unless he is able to prove that the legal grounds for the processing prevail over the interests, rights and freedoms of the data subject. For example, data subjects have the right to object to personal data processing related to direct marketing, where the processing is based on the legitimate interest of the employer, and the controller must discontinue the processing.

Eighth, the data subject has the right not to be subject to automated individual decision-making, including profiling.

Profiling is defined in Article 4, item 4 of the Regulation as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

Automated decision-making means the analysis and assessment of personal aspects of a natural person based only on a decision made through automated means, by a machine only, without the involvement of, or analysis performed by, an actual person. The data subject may become the subject of automated individual decision-making if this is necessary for the signing of a contract, if the data subject has expressly agreed to be the subject of such a decision, or on another of the grounds for processing. In all other cases, the data subject may refuse such processing of information concerning him. In this case the controller must apply appropriate measures to protect the rights and freedoms of the data subject; the minimum requirement is to ensure human involvement in the performance of the analysis.

 

For more information

For more information, please visit the websites of the:

  • Opinions of the Article 29 Working Party
      - “after 2016”
      - archive “1997 – 2016”
  • Text of the Regulation

Ministry of Economy and Industry
8, Slavyanska Str., Sofia 1052, Bulgaria
BULSTAT: 177549105
phone: +359 2 940 7322

fax: +359 2 987 2190
 
Contacts: 8, Slavyanska Str. Sofia 1000, Bulgaria e-mail: e-docs@mi.government.bg