What are your rights when your personal data is being processed?
To exercise your rights, you need to contact the company or organisation processing your personal data; that is, the data controllerThe company/organisation has to respond to your request without undue delay, and at the latest within 30 days. If the company/organisation refuses to comply with your request, it has to provide a valid reason for this.
When processing your data, organisations/companies need to provide you with clear information on how your data is being used, which includes the following information:
• Purpose for which your data will be used
• Legal ground for processing your data
• Period for which your data will be stored
• Who will your data be shared with
• Your basic rights pertaining to data protection
• Whether your data will be transmitted outside the EU
• Your right to object
• How to withdraw your consent, if have given it
• Contact information of the organisation/company in charge of processing your data.
Personal data may only be collected and processed for the precisely defined purpose, to the extent necessary. When an organisation/company is collecting your data, you have the right to know for what purpose and on what legal grounds it is doing so.
Right of access to personal dataYou have the right to access your personal data which the data controller (business entities/companies/organisations) collected and you can request detailed information in particular about the purpose of processing, type/categories of personal data being processed—including viewing your personal data—recipients or categories of recipients and the envisaged period for which the personal data will be stored. Access to personal data may only be restricted in those cases laid down by Union law or national legislation; that is, when such a restriction respects the essence of the fundamental rights and freedoms of other persons. In order to exercise your right, you need to contact the data controller in writing.
Right to rectification of personal dataYou have the right to request that your personal data be rectified or completed if your data is not accurate, complete or up to date. In order to do this, you need to send a written request to the data controller. If the data controller keeps inaccurate data about you, this can have an adverse effect on you, for example when you apply for a loan.
EXAMPLE: A credit institution is processing your personal data on an allegedly unpaid debt to a telecommunications operator. You have won the administrative dispute in which it was established that you had paid all of your bills; that is, that there had been an error in the system of the telecommunications operator. You can request the credit institution to rectify the data it has on you so that you are not in an unfavourable position in the future when you apply for a loan.
Right to erasure (“right to be forgotten”)You have the right to erasure of your personal data where one of the following grounds applies:
• Your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
• You have withdrawn your consent on which the processing is based and there is no other legal ground for the processing
• You have objected to the processing and there are no overriding legitimate grounds for the processing
• The personal data have been unlawfully processed
• The personal data have to be erased for compliance with a legal obligation in Union or member state law to which the controller is subject
• The personal data have been collected in relation to the offer of information society services.
EXAMPLE: Upon entering your name and surname in an internet browser, you have learned that the search results include a link to a newspaper article from 15 years ago which falsely accuses you of theft, and this is causing issues in your personal and professional life. If you are not a public figure and your interest in having the article removed is greater than the public interest of access to information, you can contact the data controller (e.g. Google, Bing, Yahoo) and request removal of the link to the webpage with the newspaper article containing your personal data from search results.
Right to restriction of processingYou have the right to obtain restriction of processing of your personal data if: you contest their accuracy, if the processing is unlawful and you oppose the erasure of your personal data, if the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims, if you have objected to processing of your personal data.
EXAMPLE: You have decided to change banks. You have requested the bank with which you no longer want to do business closing of your account and erasure of all your personal data. However, the bank has a statutory obligation to keep all data on their former clients during the statutory period. If the bank has a statutory obligation to keep your personal data, you can request restriction of processing of your personal data to make sure that the data will not be used for unwanted purposes.
Right to objectIf a company/organisation is processing your data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the it, or on grounds of legitimate interests or for direct marketing purposes, you are entitled to object to such processing.
EXAMPLE: When buying shoes, you filled out a prize competition ticket and agreed to your personal data being processed for marketing purposes. After this, you keep receiving various unsolicited promotional offers to your e-mail address and mobile phone number. You have the right to object to this type of processing and after you have objected to it, the company/organisation has to stop sending you unsolicited promotional materials.
Right to data portabilityYou have the right to receive your personal data which you have previously provided to a controller in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or contract and is carried out by automated means.
EXAMPLE: You wish to change telecommunications operators. You have the right to request your personal data in a digital format from the telecommunications operator whose services you no longer wish to use and to transfer those data to another operator.