THE RIGHTS OF THE PERSONS CONCERNED

Extract from Regulation (EU) no. 679/2016 on the protection of natural persons in terms of processing

personal data and on the free movement of such data and repealing Directive 95/46/EC

(General Data Protection Regulation)

 

CHAPTER III: Rights of the data subject

Section 2: Information and access to personal data

Art. 13: Information to be provided if personal data is collected from the data subject

(1) If personal data relating to a data subject are collected from him, the operator, at the time of obtaining this personal data, provides the data subject with all the following information:

  1. a)the identity and contact details of the operator and, as the case may be, of his representative;
  2. b) contact details of the person in charge of data protection, as the case may be;
  3. c) the purposes for which the personal data are processed, as well as the legal basis of the processing;
  4. d) if the processing is done pursuant to Article 6 paragraph (1) letter (f), the legitimate interests pursued by the operator or a third party;
  5. e) recipients or categories of recipients of personal data;
  6. f) if applicable, the intention of the operator to transfer personal data to a third country or an international organization and the existence or absence of a decision of the Commission on the adequacy or, in the case of transfers referred to in article 46 or 47 or in article 49 paragraph (1) second paragraph, a reference to adequate or appropriate guarantees and to the means of obtaining a copy of them, if they have been made available.

(2) In addition to the information mentioned in paragraph (1), when the personal data is obtained, the operator provides the data subject with the following additional information necessary to ensure a fair and transparent processing:

  1. a) the period for which the personal data will be stored or, if this is not possible, the criteria used to establish this period;
  2. b)the existence of the right to request the operator, regarding the personal data relating to the data subject, access to them, their rectification or deletion or the restriction of the processing or the right to oppose the processing, as well as the right to data portability;
  3. c) when the processing is based on Article 6 paragraph (1) letter (a) or on Article 9 paragraph (2) letter (a), the existence of the right to withdraw consent at any time, without affecting the legality of the processing carried out on the basis of consent before its withdrawal;
  4. d)the right to file a complaint with a supervisory authority;
  5. e) if the provision of personal data represents a legal or contractual obligation or an obligation necessary for the conclusion of a contract, as well as if the data subject is obliged to provide this personal data and what are the possible consequences of non-compliance with this obligation;
  6. f) the existence of an automated decision-making process including the creation of profiles, referred to in Article 22 paragraphs (1) and (4), as well as, at least in the respective cases, pertinent information regarding the logic used and regarding the importance and expected consequences of such processing for the person concerned.

(3) If the operator intends to subsequently process the personal data for a purpose other than that for which they were collected, the operator shall provide the data subject, before this further processing, with information regarding the respective secondary purpose and any additional information relevant, in accordance with paragraph (2).

(4) Paragraphs (1), (2) and (3) do not apply if and to the extent that the data subject already possesses the respective information.

 

Art. 14: Information to be provided if the personal data were not obtained from the data subject

(1) If the personal data were not obtained from the data subject, the operator provides the data subject with the following information:

  1. a) the identity and contact details of the operator and, as the case may be, of his representative;
  2. b) contact details of the person in charge of data protection, as the case may be;
  3. c) the purposes for which the personal data are processed, as well as the legal basis of the processing;
  4. d) the categories of personal data concerned;
  5. e) recipients or categories of recipients of personal data, as the case may be;
  6. f) if applicable, the intention of the operator to transfer personal data to a recipient in a third country or an international organization and the existence or absence of a decision of the Commission on the appropriateness or, in the case of the transfers referred to in article 46 or 47 or in Article 49 paragraph (1) second paragraph, a reference to adequate or appropriate guarantees and to the means of obtaining a copy of them, if they have been made available.

(2) In addition to the information mentioned in paragraph (1), the operator provides the data subject with the following information necessary to ensure a fair and transparent processing regarding the data subject:

  1. a) the period for which the personal data will be stored or, if this is not possible, the criteria used to establish this period;
  2. b)if the processing is done pursuant to Article 6 paragraph (1) letter (f), the legitimate interests pursued by the operator or a third party;
  3. c) the existence of the right to request the operator, regarding the personal data relating to the data subject, access to them, their rectification or deletion or restriction of processing and the right to oppose the processing, as well as the right to data portability;
  4. d) when the processing is based on Article 6 paragraph (1) letter (a) or on Article 9 paragraph (2) letter (a), the existence of the right to withdraw consent at any time, without affecting the legality of the processing carried out on the basis of consent before its withdrawal;
  5. e)the right to file a complaint with a supervisory authority;
  6. f) the source of the personal data and, if applicable, whether they come from publicly available sources;
  7. g) the existence of an automated decision-making process including the creation of profiles, referred to in Article 22 paragraphs (1) and (4), as well as, at least in the respective cases, pertinent information regarding the logic used and regarding the importance and expected consequences of such processing for the person concerned.

(3) The operator provides the information mentioned in paragraphs (1) and (2):

  1. a) within a reasonable time after obtaining the personal data, but no longer than one month, taking into account the specific circumstances in which the personal data are processed;
  2. b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to the respective data subject; or
  3. c) if it is intended to disclose personal data to another recipient, at the latest on the date on which they are disclosed for the first time.

(4) If the operator intends to subsequently process the personal data for a purpose other than that for which they were obtained, the operator provides the data subject, before this further processing, with information regarding the respective secondary purpose and any additional information relevant, in accordance with paragraph (2).

(5) Paragraphs (1)-(4) do not apply if and to the extent that:

  1. a) the targeted person already owns the information;
  2. b) the provision of this information proves to be impossible or would involve disproportionate efforts, especially in the case of processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, subject to the conditions and guarantees provided for in the article 89 paragraph (1), or to the extent that the obligation referred to in paragraph (1) of this article is likely to make impossible or seriously affect the achievement of the respective processing objectives In such cases, the operator takes appropriate measures to protect the rights, the freedoms and legitimate interests of the data subject, including making information available to the public;
  3. c) the obtaining or disclosure of data is expressly provided for by Union law or by internal law under which the operator falls and which provides for adequate measures to protect the legitimate interests of the data subject; or
  4. d)if the personal data must remain confidential on the basis of a statutory obligation of professional secrecy regulated by Union law or domestic law, including a legal obligation to maintain secrecy.

 

Art. 15: The data subject’s right of access

(1) The data subject has the right to obtain from the operator a confirmation that personal data concerning him or her is being processed or not and, if so, access to the respective data and the following information:

  1. a)the purposes of the processing;
  2. b) the categories of personal data concerned;
  3. c) recipients or categories of recipients to whom the personal data have been or will be disclosed, especially recipients from third countries or international organizations;
  4. d) where possible, the period for which it is expected that the personal data will be stored or, if this is not possible, the criteria used to establish this period;
  5. e)the existence of the right to request the operator to rectify or delete personal data or to restrict the processing of personal data relating to the person concerned or the right to oppose the processing;
  6. f)the right to file a complaint with a supervisory authority;
  7. g) if the personal data are not collected from the data subject, any available information regarding their source;

the existence of an automated decision-making process including the creation of profiles, referred to in Article 22 paragraphs (1) and (4), as well as, at least in the respective cases, relevant information regarding the logic used and regarding the importance and expected consequences of such processing for the person targeted.

(2) If personal data are transferred to a third country or an international organization, the data subject has the right to be informed of the appropriate safeguards under Article 46 relating to the transfer.

(3) The operator provides a copy of the personal data that are the subject of processing. For any other copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the application in electronic format and unless the data subject requests a different format, the information is provided in a currently used electronic format.

(4) The right to obtain a copy referred to in paragraph (3) does not affect the rights and freedoms of others.

 

Section 3: Rectification and Deletion

 

Art. 16: The right to rectification

The data subject has the right to obtain from the operator, without undue delay, the rectification of inaccurate personal data concerning him. Taking into account the purposes for which the data were processed, the data subject has the right to obtain the completion of personal data that are incomplete, including by providing an additional statement.

 

Art. 17: The right to delete data (“the right to be forgotten”)

(1) The data subject has the right to obtain from the operator the deletion of personal data concerning him, without undue delay, and the operator has the obligation to delete personal data without undue delay if one of the following reasons applies :

  1. a) personal data are no longer necessary to fulfill the purposes for which they were collected or processed;
  2. b)the data subject withdraws the consent on the basis of which the processing takes place, in accordance with Article 6(1)(a) or Article 9(2)(a), and there is no other legal basis for the processing;
  3. c)the data subject objects to the processing under Article 21(1) and there are no overriding legitimate grounds for the processing or the data subject objects to the processing under Article 21(2);
  4. d) personal data were processed illegally;
  5. e)personal data must be deleted to comply with a legal obligation incumbent on the operator under Union law or the internal law to which the operator is subject;
  6. f)personal data were collected in connection with the provision of information society services referred to in Article 8 paragraph (1).

(2) If the operator has made personal data public and is obliged, under paragraph (1), to delete it, the operator, taking into account the available technology and the cost of implementation, takes reasonable measures, including technical measures, to inform the operators who process the personal data that the data subject has requested the deletion by these operators of any links to the respective data or of any copies or reproductions of these personal data.

(3) Paragraphs (1) and (2a) do not apply to the extent that the processing is necessary:

  1. a)for exercising the right to free expression and information;
  2. b)for complying with a legal obligation that provides for processing based on Union law or internal law that applies to the operator or for the performance of a task performed in the public interest or in the exercise of an official authority with which the operator is vested;
  3. c)for reasons of public interest in the field of public health, in accordance with Article 9 (2) letters (h) and (i) and Article 9 (3);
  4. d)for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, in accordance with Article 89 paragraph (1), to the extent that the right referred to in paragraph (1) is likely to make impossible or affect in seriously achieving the objectives of the respective processing; or
  5. e)for establishing, exercising or defending a right in court.

 

Art. 18: The right to restrict processing

(1) The data subject has the right to obtain from the operator the restriction of processing if one of the following cases applies:

  1. a) the data subject contests the accuracy of the data, for a period that allows the operator to verify the accuracy of the data;
  2. b) the processing is illegal, and the data subject opposes the deletion of personal data, requesting instead the restriction of their use;
  3. c) the operator no longer needs the personal data for the purpose of processing, but the data subject requests them for establishing, exercising or defending a right in court; or
  4. d)the data subject has objected to the processing in accordance with Article 21 paragraph (1), for the period of time in which it is verified whether the legitimate rights of the operator prevail over those of the data subject.

(2) If the processing has been restricted pursuant to paragraph (1), such personal data may, with the exception of storage, be processed only with the consent of the data subject or for the establishment, exercise or defense of a right in court or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a member state.

(3) A data subject who has obtained the restriction of processing pursuant to paragraph (1) is informed by the operator before the lifting of the restriction of processing.

 

Art. 19: Notification obligation regarding the rectification or deletion of personal data or restriction of processing

The operator communicates to each recipient to whom personal data has been disclosed any rectification or deletion of personal data or restriction of processing carried out in accordance with Article 16, Article 17 paragraph (1) and Article 18, unless this this proves impossible or requires disproportionate efforts. The operator shall inform the data subject of the respective recipients if the data subject so requests.

 

Art. 20: The right to data portability

(1) The data subject has the right to receive the personal data concerning him and which he has provided to the operator in a structured, commonly used and machine-readable format and he has the right to transmit this data to another operator, without obstacles from the operator to whom the personal data was provided, if:

  1. a) the processing is based on consent pursuant to Article 6 (1) letter (a) or Article 9 (2) letter (a) or on a contract pursuant to Article 6 (1) letter (b); and
  2. b)the processing is carried out by automatic means.

(2) In exercising his right to data portability under paragraph (1), the data subject has the right to have his personal data transmitted directly from one operator to another where this is technically feasible.

(3) The exercise of the right mentioned in paragraph (1) of this article does not affect article 17. This right does not apply to the processing necessary for the performance of a task performed in the public interest or in the exercise of an official authority with which the operator is vested.

(4) The right mentioned in paragraph (1) does not affect the rights and freedoms of others.

 

Section 4: The right to opposition and the automated individual decision-making process

 

Art. 21: The right to opposition

(1) At any time, the data subject has the right to object, for reasons related to his particular situation, to the processing pursuant to Article 6 paragraph (1) letter (e) or (f) or Article 6 paragraph ( 1) of the personal data concerning her, including the creation of profiles based on the respective provisions. The operator no longer processes personal data, unless the operator demonstrates that it has legitimate and compelling reasons that justify the processing and that prevail over the interests, rights and freedoms of the data subject, or that the purpose is to ascertain, exercise or defend a right in court.

(2) When the processing of personal data is aimed at direct marketing, the data subject has the right to object at any time to the processing for this purpose of the personal data concerning him, including the creation of profiles, to the extent that it is related to that direct marketing.

(3) If the data subject objects to the processing for the purpose of direct marketing, the personal data are no longer processed for this purpose.

(4) At the latest at the time of the first communication with the data subject, the right referred to in paragraphs (1) and (2) is explicitly brought to the attention of the data subject and is presented clearly and separately from any other information.

(5) In the context of the use of information society services and despite Directive 2002/58/EC , the data subject may exercise his right to object through automatic means that use technical specifications.

(6) If personal data are processed for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), the data subject, for reasons related to his particular situation, has the right to object to data processing of a personal nature that concern her, unless the processing is necessary for the performance of a task for reasons of public interest.

 

Art. 22: The automated individual decision-making process, including the creation of profiles

(1) The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly affects him to a significant extent.

(2) Paragraph (1) does not apply if the decision:

  1. a) it is necessary for the conclusion or execution of a contract between the data subject and a data operator;
  2. b)is authorized by Union law or internal law that applies to the operator and that also provides for appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; or
  3. c) is based on the explicit consent of the person concerned.

(3) In the cases referred to in paragraph (2) letters (a) and (c), the data operator implements appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, at least his right to obtain human intervention from the part of the operator, to express his point of view and to appeal the decision.

(4) The decisions referred to in paragraph (2) are not based on the special categories of personal data referred to in Article 9 (1), except in the case where Article 9 (2) letter (a) or (g) applies and in that appropriate measures have been established to protect the rights, freedoms and legitimate interests of the data subject.

 

CHAPTER VIII: Appeals, liability and sanctions

Art. 77: The right to file a complaint with a supervisory authority

(1) Without prejudice to any other administrative or judicial remedies, any data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State in which he has his habitual residence, in which his place is located of work or where the alleged violation occurred, if it considers that the processing of personal data concerning it violates this regulation.

(2) The supervisory authority to which the complaint was submitted informs the complainant about the progress and outcome of the complaint, including the possibility of exercising a judicial appeal under Article 78.

 

Art. 78: The right to an effective judicial remedy against a supervisory authority

(1) Without prejudice to any other administrative or non-judicial remedies, every natural or legal person has the right to exercise an effective judicial remedy against a legally binding decision of a supervisory authority concerning him.

(2) Without prejudice to any other administrative or non-judicial remedies, each data subject shall have the right to an effective judicial remedy if the supervisory authority which is competent under Articles 55 and 56 does not deal with a complaint or does not inform the data subject within three months regarding the progress or resolution of the complaint filed under Article 77.

(3) Actions brought against a supervisory authority are brought before the courts of the Member State in which the supervisory authority is established.

(4) If the actions are brought against a decision of a supervisory authority that was preceded by an opinion or a decision of the committee within the mechanism for ensuring coherence, the supervisory authority transmits the respective opinion or decision to the court.

 

Art. 79: The right to an effective judicial remedy against an operator or a person authorized by the operator

(1) Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority under Article 77, each data subject shall have the right to an effective judicial remedy if he or she considers that the rights he benefits from under this regulation have been violated as a result of the processing of his personal data without complying with this regulation.

(2) Actions brought against an operator or a person authorized by the operator are presented before the courts of the member state where the operator or person authorized by the operator has its headquarters. Alternatively, such an action may be brought before the courts of the Member State where the person concerned has his or her habitual residence, unless the operator or the person authorized by the operator is a public authority of a Member State acting in the exercise of its public powers .

*This document was automatically translated using Google Translate from Romanian. For accurate information, we recommend contacting us at dpo@expertarom.com