If your personal data is processed, then you are the data subject under the provisions of the GDPR and you are entitled to the following rights vis-à-vis the controller:
1. Right of access
You can request confirmation from the controller as to whether we are processing personal data concerning you.
If such processing is taking place, you can request access to the following information from the controller:
- The purposes for which the personal data is being processed;
- The categories of personal data that are being processed;
- The recipients or categories of recipients to whom the relevant personal data has been disclosed or is being disclosed;
- The planned duration of storage of the personal data concerning you or, if that is not possible, the criteria used to define that period;
- The existence of the right to request from the controller rectification or erasure of personal data concerning you, the right to restrict processing by the controller or the right to object to this processing;
- The right to lodge a complaint with a supervisory authority;
- All available information about the origin of the data, if the personal data is not obtained from the data subject;
- The existence of automated decision-making, including profiling, referred to in Art. 22 Par. 1 and 4 of the GDPR and – at least in those cases – meaningful information about the logic involved, as well as the implications and intended effects of such procedures for the data subject.
- You have the right to request information about whether the personal data concerning you is transferred to a third country or an international organisation. In this context, you can request to be informed of the appropriate safeguards according to Art. 46 of the GDPR in connection with such transfer.
2. Right to rectification
You have a right to obtain rectification and/or completion from the controller, where the processed personal data concerning you is incorrect or incomplete. The controller shall rectify the data without delay.
3. Right to restrict processing
You can request that processing of the personal data concerning you be restricted under the following conditions:
- When you contest the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;
- Processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- The controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims, or
- When you have objected to processing pursuant to Art. 21 Par. 1 of the GDPR, pending verification of whether the legitimate grounds of the controller override yours.
Where processing of the personal data concerning you is restricted, such data shall – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of rights of another natural or legal person or for reasons of important public interest of the Union or of a member state.
If restriction of processing was obtained in accordance with the aforementioned conditions, you shall be informed by the controller before the restriction is lifted.
4. Right to erasure
a) Obligation to erase
You can make a request to the controller that the personal data concerning you be erased without undue delay and the controller shall be obliged to erase this data without undue delay where one of the following grounds applies:
- The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
- You withdraw your consent on which processing is based in accordance with Art. 6, Para. 1, lit. a or Art. 9, Para. 2, lit. a of the GDPR and there are no other legal grounds for processing.
- You object to processing pursuant to Art. 21, Para. 1 of the GDPR and there are no other overriding legitimate grounds for processing or you object to processing pursuant to Art. 21, Para. 2 of the GDPR.
- The personal data concerning you was processed unlawfully.
- The personal data concerning you must be erased for compliance with a legal obligation in Union or member state law to which the controller is subject.
- The personal data concerning you was collected in relation to the offer of information society services referred to in Art. 8, Para. 1 of the GDPR.
b) Information to third parties
Where the controller has made the personal data concerning you public and is obliged to erase the personal data pursuant to Art. 17, Par. 1 of the GDPR, taking account of the available technology and the cost of implementation, the controller shall take reasonable steps, including technical measures, to inform controllers processing the personal data that you as the data subject have requested the erasure of any links to, or copy or replication of this personal data.
c) Exceptions
The right to erasure shall not apply where processing is necessary
- For exercising the right of freedom of expression and information;
- For compliance with a legal obligation which requires processing by Union or member state law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- For reasons of public interest in the area of public health in accordance with points (h) and (i) of Art. 9 Par. 2 as well as Art. 9 Par. 3 of the GDPR;
- For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 Par. 1 of the GDPR, in so far as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
- For the establishment, exercise or defence of legal claims.
5. Right to notification
If you have asserted your right to rectification, erasure or restriction of processing from the controller, the controller shall be obliged to inform all the recipients to whom the personal data concerning you has been disclosed of this rectification or erasure of data or restriction of processing, unless this proves impossible or involves disproportionate effort.
You are entitled to receive information about these recipients from the controller.
6. Right to data portability
You have the right to receive the personal data concerning you, which you provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where
Processing is based on consent pursuant to Art. 6 Par. 1 lit. a or Art. 9 Par. 2 lit. a of the GDPR or on a contract pursuant to Art. 6 Par. 1 lit. b of the GDPR and processing is carried out by automated means.
In exercising this right, you further have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others must not be adversely affected by the exercising of this right.
7. Right to object
You shall have the right, on grounds relating to your particular situation, to object at any time to processing of the personal data concerning you based on Art. 6, Para. 1, lit. e or f of the GDPR; this shall also apply to profiling based on those provisions.
The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
If the personal data concerning you is processed for direct marketing purposes, you shall have the right at any time to object to processing of the personal data concerning you for the purposes of such marketing; this shall also apply to profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.
In the context of the use of information society services – notwithstanding Directive 2002/58/EC – you can exercise your right to object by automated means using technical specifications.
8. Right to withdraw your declaration of consent under data privacy legislation
You have the right to withdraw your declaration of consent under data privacy legislation at any time. Withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 of the GDPR.