Data Protection for Individuals
Chapter 3 of the GDPR provides the rights which data subjects may exercise with regard to their personal data. Below find a list of these rights together with a brief explanation to assist you in understanding what each one means and how you may exercise it.
|Your right to be informed|
Pursuant to the transparency principle, a controller is obliged to inform you if it is using your personal data. It should provide detailed information on the following:
The controller should give you this information at the time it collects your personal data. If it obtains your data from another source, it should provide such information within one month and may do in the form of a data protection notice.
|Your right of access to your personal data undergoing processing||You have the right to ask a controller for a confirmation as to whether or not they are using, storing or otherwise processing your personal data. The controller is required to provide you with a copy of your personal data together with the other information set out under Article 15(1) GDPR. Naturally, when acceding to your subject access request, the controller shall not adversely affect the rights and freedoms of third parties. If you are not satisfied with the information provided by the controller or in the event that the controller does not provide you with a response within one month from your request, you may lodge a complaint with the IDPC, which will be investigated accordingly.|
|Your right to get your personal data rectified|
As a data subject you have the right to obtain from a controller the rectification of inaccurate personal data. To exercise your right you should inform the controller that you are challenging the accuracy of your data and want it corrected. You should:
It is recommended that you make your request in writing to the controller wherein you explain your concern and give the necessary evidence to support your claim to have your data corrected. In the event that you would like to challenge the controller’s response or lack of action, you need to provide us with clear proof of your engagement with the controller so that we will be able to investigate your complaint.
|Your right to get our personal data deleted|
The right to get your personal data erased, also known as the ‘right to be forgotten' (EDPB guideline available here), entitles you to request a controller that holds data about you to delete it. This applies when one of the following grounds apply:
The controller can refuse to erase your data in the following circumstances:
|Your right to data portability||When the processing of your personal data is based on your consent or on the basis of a contract, you have a right to receive the personal data in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. Click here to access the guidelines adopted by the EDPB on the right to data portability.|
|Your right to object to the processing of your personal data|
You have the right to object to a controller processing personal data at any time. This means that you can stop the controller from using your personal data. Having said that, this right applies in specific circumstances and, in particular, where your personal data is processed:
|Your right in relation to the decisions taken solely by automated means|
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
You may click here to access the Guidelines issued by the EDPB on this right.
|Your right to lodge a complaint with the IDPC||If you consider that the processing of personal data relating to you infringes the GDPR, you have the right to lodge a complaint with the IDPC against the controller involved and the case will be investigated accordingly.|
It’s important to know that all these rights can be exercised directly with the data controller or with the Data Protection Officer (DPO) when such person is appointed. Moreover the controller shall provide a response within one month from receipt of a communication, according to Article 12 GDPR. In the event that the controller fails to respond or if otherwise you are not satisfied with the reply, you may lodge a complaint through our online form.
The controller could extend the time to respond if the request is complex or when receiving several requests from the individual. In such cases, the controller must still reply within one month of receiving their request and explain why the extension is necessary.
Where the controller has reasonable doubts concerning the identity of the data subject exercising his or her rights under the GDPR, it may request the provision of additonal information necessary to confirm the identity of the data subject.