Rights of data subjects under Regulation (EU) 2016/679 (GDPR)

Protection and processing of personal data have been reformed with the adoption of the new Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, which shall apply from May 25, 2018. The Regulation introduces a number of changes to the current legal framework, which concern all companies processing personal data of customers, staff and other counterparts. In order to comply with the requirements of the Regulation, controllers shall prepare their business both legally and technically.

Before defining the rights of the data subjects, a definition of the terms “personal data”, “processing of personal data” and “controller” shall be provided.  According to the definition given in the General Data Protection Regulation, personal data means any information relating to an identified or identifiable natural person (‘data subject’). This is most often the name, address, phone number, e-mail, etc. Processing  means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

1. Right to information

When personal data relating to a data subject is collected from the data subject, at the moment of receipt of the personal data, the data subject is entitled to receive all the following information in a concise, understandable and easily accessible form, clear and simple language. The information shall be provided in writing or otherwise, including, where appropriate, by electronic means. If the data subject has requested this, the information may be given orally, provided that the identity of the data subject is proven by other means. The information is provided free of charge.

– the data identifying the controller and the contact details of the controller and, where applicable, those of the controller’s representative;

– the contact details of the Data Protection Officer, where applicable;

– the purposes of the processing for which the personal data are intended and the legal basis for the processing;

– recipients or categories of recipients of personal data, if any;

– where applicable, the controller’s intention to transmit the personal data to a third country or an international organization and the existence or absence of a Commission decision on the adequate level of protection.

– the period for which personal data will be stored and, if that is not possible, the criteria used to determine that period. Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are being processed. This requires, in particular, to ensure that the period for which personal data are stored is limited to a strict minimum;

– the existence of a right to require the controller to access, correct or erasure personal data, or to restrict the processing of personal data relating to the data subject, or the right to object to the processing, as well as the right to data portability and the means to exercise these rights;

– the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of consent-based processing before it is withdrawn;

– the right of appeal to a supervisory authority;

– whether the provision of personal data is a mandatory or contractual requirement or a requirement necessary for the conclusion of a contract, and whether the data subject is required to provide the personal data and the possible consequences if such data are not provided;

– information regarding profiling and the consequences of this profiling.

Where the controller intends further to process the personal data for a purpose other than the one for which it was collected, before further processing, the data subject shall be entitled to obtain information for that other purpose and the following additional information: – the time limit for which will store personal data and, if that is not possible, the criteria used to determine that period; – the existence of a right to require the controller to access, correct or erasure personal data, or to restrict the processing of personal data relating to the data subject, or the right to object to the processing, as well as the right to data portability and the means to exercise these rights; – the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of consent-based processing before it is withdrawn; – the right of appeal to a supervisory authority, – whether the provision of personal data is a mandatory or contractual requirement or a requirement necessary for the conclusion of a contract, and whether the data subject is required to provide the personal data and the possible consequences if such data are not provided; – information about profiling and the consequences of this profiling. The additional information listed above is also provided.

2.Right to access of data subjects to data relating to them

The data subject has the right to receive within one month of submitting a request a confirmation if personal data relating to the data subject is being processed and, if so, to access the data and the following information:

– the purpose of the processing;

– the relevant categories of personal data;

– recipients or categories of recipients to whom personal data are or will be disclosed, in particular recipients in third countries or international organizations;

– where applicable, the period for which the personal data will be stored and, if that is not possible, the criteria used to determine that period;

– the existence of a right to require the controller to correct or erasure personal data or to restrict the processing of personal data relating to the data subject or to object to such processing;

– the right of appeal to a supervisory authority;

– where personal data are not collected by the data subject, any available information on their source;

– information on profiling and the consequences of this profiling;

Where personal data is transferred to a third country or an international organization, the data subject shall have the right to be informed of the appropriate safeguards under Article 46 of the Regulation in relation to the transmission.

3. Right of rectification

The data subject shall have the right to request the controller to correct inaccurate personal data related to him at the request of the data subject without undue delay. Given the purposes of the processing, the data subject may have incomplete personal data filled in, including by adding a declaration.

4. Right to erasure (right to be forgotten)

The data subject shall have the right to request the controller to erasure personal data related to the data subject without undue delay at the request of the data subject.

The controller erasures the data only if one of the following conditions applies:

– personal data are no longer necessary for the purposes for which they were collected or otherwise processed;

– the data subject withdraws his / her consent on which the processing of the data is based;

– the data subject objects to the processing under Article 21 (1) of the Regu- lation and there are no legitimate grounds for the processing that prevail or the data subject objects to the processing of personal data for the purposes of direct marketing;

– personal data has been tampered with;

– personal data must be erasured in order to comply with a legal obligation under Union law or the law of a Member State applicable to the controller;

– personal data were collected in connection with the provision of information society services to a child.

When the controller has made data publicly available and is obliged to reassure personal data , taking into account the available technology and implementation costs, take reasonable steps, including technical measures to inform controllers processing personal data that the data subject is asked erasure all links, copies, or replicas of these personal data from these controllers.

No erasure is required as far as processing is required:

– for the exercise of the right to freedom of expression and the right to information;

– compliance with a legal obligation requiring treatment provided for in Union law or the law of the Member State applicable to the controller or in the performance of a task in the public interest or in the exercise of official authority conferred on the controller;

– for reasons of public interest in the field of public health;

– for purposes of archiving in the public interest, for scientific or historical research or for statistical purposes;

or

– for the establishment, exercise or protection of legal claims.

5. Right to Restrict Processing

The data subject has the right to request the controller to restrict the processing of the data.

The limitation should be made when one of the following conditions applies:

– the accuracy of the personal data is disputed by the data subject for a period which allows the controller to verify the accuracy of the personal data;

– processing is illegal, but the data subject does not want to erasure the personal data but instead requires a limitation of its use;

– the controller no longer needs personal data for the purpose of processing, but the data subject requires them to identify, exercise or protect legal claims;

– the data subject has objected to the processing under Article 21 (1) of the Regulation pending the verification of whether the controller’s legal grounds take precedence over the interests of the data subject.

When a processing restriction is made, such data is processed, except for its storage, only with the consent of the data subject or for the establishment, exercise or protection of legal claims or for the protection of the rights of another individual or for important reasons of public interest to the Union or a Member State. When a data subject has requested a limitation of the processing, the controller shall inform him / her prior to the revocation of the processing limitation.

6. Right to data portability

The data subject is entitled to receive the personal data that concerns him and which he has provided to a controller in a structured, widely used and machine – readable format when.

– processing is based on consent or a contractual obligation

and

– processing is done in an automated manner.

The Controller undertakes to transfer the data within one month at the request of the data subject.

7. Right to objection

The data subject may, at any time and on grounds relating to his or her particular situation, discontinue the processing of personal data when the processing is based on Article 6 (1) (e) or (f), including profiling provisions, namely:

– processing is necessary for the performance of a task of public interest or in the exercise of official authority conferred on the controller,

and

– processing is necessary for the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the individual requiring the protection of personal data are particularly advantageous to such interests, in particular where the individual is a child.

The Controller  undertakes to discontinue the processing of personal data unless it can prove that there are convincing legal grounds for the processing that take precedence over the interests, rights and freedoms of the data subject or for the establishment, exercise or protection of legal claims.

When processing personal data for direct marketing purposes, the data subject is entitled at any time to object to the processing of personal data relating to him / her for this type of marketing, including profiling so far as it relates to direct marketing. When the data subject opposes processing for direct marketing purposes, the processing of personal data for these purposes is terminated.

At the latest at the time of first contact with the data subject, it shall be expressly informed of the existence of the objection described above, which shall be provided to it by means of a notice in a clear and separate manner from any other information.

Where personal data are processed for purposes of scientific or historical research or for statistical purposes, the data subject may, on the basis of his or her particular situation, object to the processing of personal data relating to him, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8. Profiling rights

The data subject may not be the subject of a decision based solely on automated processing involving profiling that produces legal consequences for the data subject or similarly affects him or her significantly.

This right shall not apply if the decision:

– is necessary for the conclusion or performance of a contract between a data subject and a controller;

– is permitted by Union law or the law of a Member State which applies to the controller and which also provides for appropriate measures to protect the rights and freedoms and the legitimate interests of the data subject;

or

– is based on the explicit consent of the data subject.

Where necessary for the conclusion or performance of a contract between a data subject and a controller and based on the explicit consent of the entity, the controller shall apply appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, at least the right to human intervention by the controller, the right to express its point of view and to challenge the decision.

9. Right to notification of a personal data breach

Where the personal data breach is likely to pose a high risk to the rights and freedoms of individuals, the data subject must be notified by a sent message by the controller without undue delay regarding the personal data breach.

In the communication to the data subject of the personal data breach, the nature of the personal data breach shall be described in a clear and simple language and at least the following information and measures shall be listed:

– indication of the name and contact details of the data protection officer or other contact point from which more information can be obtained;

– a description of the possible consequences of the breach of personal data security;

– a description of the measures taken or proposed by the controller to address the personal data breach, including, where appropriate, measures to mitigate the possible adverse effects.

The data subject is not required to be notified by sending a message if any of the following conditions are met:

– the controller has taken appropriate technical and organizational protection measures and these measures have been applied to personal data affected by the breach of personal data security, in particular measures that make personal data incomprehensible to any person not authorized to do so access to them, such as encryption;

– the controller has subsequently taken measures to ensure that the high risk for the rights and freedoms of the data subjects is no longer likely to materialize;

– it would lead to disproportionate efforts. In such a case, a public communication or similar measure shall be made so that the data subjects are equally effectively informed.

10. Right to a higher level of protection of children’s personal data

Children have a special protection of personal data because they are not sufficiently aware of the risks, consequences and guarantees, as well as their rights related to the processing of personal data. This special protection should apply in particular to the use of children’s personal data for the purposes of marketing or to the creation of personal or user profiles and the collection of personal data concerning children when using services provided directly to children. The consent of the parental responsibility should not be necessary in the context of child-friendly prevention and counseling services. Given that children are given special protection when child-directed treatment, any information and communication should be provided with clear and unambiguous formulations that are easy to understand for the child. In relation to the direct provision of child information services, child data processing is lawful if the child is at least 16 years of age. If the child is under 16 years of age, this processing is lawful only if and to the extent that such consent is given or permitted by the parent’s parental responsibility.

11. Right to a fair and judicial remedy

A: Right to file a complaint with a supervisor

Each data subject shall have the right to appeal to a supervisor, in particular in the Member State of habitual residence, place of work or place of suspected infringement, if the data subject considers that the processing of personal data relating to him or her violates the provisions of the Regulation.

B: Right to effective judicial protection against a supervisor

Each data subject shall have the right to effective judicial protection against a binding decision of a supervisory authority.

Any data subject shall have the right to effective judicial protection where the supervisory authority has not dealt with the complaint or informed the data subject within three months of the progress made in examining the complaint lodged pursuant to Article 77 of the Regulation or of the outcome there of .

Proceedings against a supervisory authority shall be brought before the courts of the Member State in which the supervisory authority is established.

C: Right to effective judicial protection against a controller or a personal data processor

Without prejudice to any available administrative or non-judicial means of redress, including the right to appeal to a supervisory authority, any data subject shall have the right to effective judicial protection where he considers that his rights under the Regulation have been violated as a result the processing of his personal data, which is not in accordance with the Regulation.

Proceedings against a controller or processor of personal data shall be brought before the courts of the Member State in which the controller or the personal data processor has a place of establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his habitual residence unless the controller or the personal data processor is a public authority of a Member State acting in the exercise of its public powers.

12. Right to compensation for suffered damages

Any data subject who has suffered material or non-material damage as a result of a violation of the Regulation is entitled to receive compensation from the controller or the processor of the personal injury data. The controller involved in the processing of personal data is liable for damages resulting from the processing that violates the Regulation. The personal data processor is liable for damages resulting from the processing only if he has not fulfilled the obligations under the Regulation specifically addressed to the personal data processor or when he or she acted outside the lawful instructions of the controller or in contradiction with them. The controller or the personal data processor shall be relieved of liability if he proves that he is in no way responsible for the event causing the damage.

Judicial proceedings in connection with the exercise of the right to compensation are brought before courts competent under the law of the Member State referred to in Article 79 (2) of the Regulation, namely: the courts of the Member State where the controller or the personal data processor has a place of establishment. Alternatively, such proceedings may be brought before the courts of the Member State where the data subject has his habitual residence unless the controller or the personal data processor is a public authority of a Member State acting in the exercise of its public powers

Legal Disclaimer: This material prepared by Krasimira Kadieva aims to provide information about the rights of data subjects under Regulation (EU) 2016/679. It does not constitute a legal opinion and cannot be interpreted as an individual consultation on any concrete facts or circumstances. The advice of a legal specialist should be obtained for specific questions and situations. For more information on the above mentioned issues and individual consultations, please contact Krasimira Kadieva at 00359 882 308 670 or make an inquiry using the contact form of this website.