RIGHTS OF THE INTERESTED PARTY – ART. 15 -22 GDPR
Article 15 Right of access of the interested party
1. The data subject has the right to obtain from the data controller confirmation that the processing of personal data concerning him or her is in progress and, in this case, to obtain access to personal data and the following information:
a) the purposes of the processing;
b) the categories of personal data in question;
c) the recipients or categories of recipients to whom the personal data have been or will be communicated, in particular if recipients of third countries or international organizations;
(d) where possible, the retention period of the personal data provided or, if not possible, the criteria used to determine this period;
e) the existence of the right of the interested party to request the data controller to rectify or delete personal data or limit the processing of personal data concerning him or to oppose their treatment;
f) the right to lodge a complaint with a supervisory authority;
g) if the data are not collected from the data subject, all information available on their origin;
(h) the existence of an automated decision-making process, including the profiling referred to in Article 22 (1) and (4) and, at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such processing for the interested party.
2. Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the existence of adequate safeguards pursuant to Article 46 relating to the transfer.
3. The data controller provides a copy of the personal data being processed. In the event of further copies requested by the data subject, the data controller may charge a reasonable fee contribution based on administrative costs. If the interested party submits the request by electronic means, and unless otherwise indicated by the interested party, the information is provided in a commonly used electronic format.
4. The right to obtain a copy referred to in paragraph 3 shall not affect the rights and freedoms of others.
Article 16 right of RECTIFICATION
The data subject has the right to obtain from the data controller the correction of inaccurate personal data concerning him without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, also by providing an additional declaration.
Article 17 Right to CANCELLATION («right to OBLIO»)
1. The data subject has the right to obtain from the data controller the deletion of personal data concerning him without undue delay and the data controller is obliged to cancel the personal data without undue delay if one of the following reasons exists:
a) personal data are no longer necessary with respect to the purposes for which they were collected or otherwise processed;
(b) the data subject revokes the consent on which the processing is based in accordance with Article 6 (1) (a) or Article 9 (2) (a) and whether there is no other legal basis for the processing ;
(c) the data subject opposes the processing pursuant to Article 21 (1) and there is no legitimate overriding reason to proceed with the processing, or opposes the processing pursuant to Article 21 (2);
d) personal data have been processed unlawfully;
e) personal data must be deleted to fulfill a legal obligation under Union or Member State law to which the controller is subject; (26)
(f) the personal data have been collected in relation to the information society service offer referred to in Article 8 (1).
2. The controller shall, if he / she has made personal data public and is obliged, pursuant to paragraph 1, to delete it, taking into account the available technology and implementation costs, shall take reasonable steps, including technical measures, to inform the data controllers who are processing personal data of the request of the person concerned to delete any link, copy or reproduction of his personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
a) for exercising the right to freedom of expression and information;
(b) for the fulfillment of a legal obligation requiring treatment under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority of which the data controller is invested; (26)
(c) for reasons of public interest in the field of public health in accordance with Article 9 (2) (h) and (i) and Article 9 (3);
(d) for the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 89 (1), insofar as the right referred to in paragraph 1 risks making it impossible or to seriously affect the achievement of the objectives of this treatment; or
e) for the assessment, exercise or defense of a right in court.
Article 18 Right of LIMITATION of treatment
1. The data subject has the right to obtain from the data controller the limitation of processing when one of the following hypotheses occurs:
a) the interested party disputes the accuracy of personal data for the period necessary for the data controller to verify the accuracy of such personal data;
b) the processing is illegal and the interested party opposes the cancellation of personal data and asks instead that its use is limited;
c) although the data controller no longer needs it for processing purposes, personal data are necessary for the data subject to ascertain, exercise or defend a right in court;
d) the interested party has opposed the treatment pursuant to Article 21 (1), pending verification of the possible prevalence of the legitimate reasons of the data controller with respect to those of the interested party.
2. If the processing is restricted pursuant to paragraph 1, such personal data shall only be processed, except for storage, with the consent of the data subject or for the establishment, exercise or defense of a right in court. or to protect the rights of another natural or legal person or for reasons of significant public interest of the Union or of a Member State.
3. The data subject having obtained the processing restriction pursuant to paragraph 1 shall be informed by the controller before the limitation is revoked.
Article 20 Right to data PORTABILITY
1. The data subject shall have the right to receive personal data concerning him / her provided to a data controller in a structured, commonly used and readable form by automatic device and has the right to transmit such data to another data controller without impediments on the part of the data controller to whom he has provided them if:
(a) the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) or on a contract within the meaning of Article 6 (1) b); is
b) the treatment is carried out by automated means.
2. In exercising its rights relating to the portability of data in accordance with paragraph 1, the data subject shall have the right to obtain direct transmission of personal data from one controller to another, if technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right does not apply to the treatment necessary for the performance of a task carried out in the public interest or in connection with the exercise of official authority as the data controller is invested.
4. The right referred to in paragraph 1 must not affect the rights and freedoms of others.
Article 21 Right to OPPOSITION
1. You have the right to object at any time, for reasons connected with your particular situation, to the processing of your personal data pursuant to Article 6, paragraph 1, letters e) of), including profiling on the basis of these provisions. The data controller refrains from further processing personal data unless he demonstrates the existence of binding legitimate reasons to proceed with the processing that prevail over the interests, rights and freedoms of the data subject or for the assessment, exercise or the defense of a right in court.
2. If personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him / her for such purposes, including profiling in so far as it is related to such marketing direct.
3. If the data subject objects to processing for direct marketing purposes, personal data are no longer processed for these purposes.
4. The right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the interested party and shall be presented clearly and separately from any other information at the latest at the time of the first communication with the data subject.
5. In the context of the use of information society services and without prejudice to Directive 2002/58 / EC, data subjects may exercise their right to object by automated means using technical specifications.
6. Where personal data are processed for the purposes of scientific or historical research or for statistical purposes in accordance with Article 89 (1), the data subject shall have the right to object to the processing of personal data for reasons connected with his particular situation that concern him, unless the processing is necessary for the performance of a task in the public interest.
Article 22 AUTOMATED decision-making process concerning natural persons, including profiling
1. The data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or which significantly affects his person.
2. Paragraph 1 shall not apply where the decision:
a) is necessary for the conclusion or execution of a contract between the data subject and a data controller;
(b) is authorized by the law of the Union or of the Member State to which the controller is subject, which also specifies appropriate measures to protect the rights, freedoms and legitimate interests of the data subject;
c) is based on the explicit consent of the interested party.
3. In the cases referred to in paragraph 2 (a) and (c), the controller shall implement appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least the right to obtain human intervention from the holder of the treatment, to express their opinion and to challenge the decision.
4. The decisions referred to in paragraph 2 shall not be based on the particular categories of personal data referred to in Article 9 (1), unless Article 9 (2) (a) or (g) applies, and there are no adequate measures to protect the rights, freedoms and legitimate interests of the data subject.