When things go wrong: Part One
A brief guide explaining what to do and whom to address if you have problems with the processing of your personal data.
By Elpida Vamvaka and Lefteris Chelioudakis
The new General Data Protection Regulation provides a range of rights through which you can protect and exercise your fundamental right to the protection of your personal data. This Regulation applies to activities not related to the investigation and prevention of criminal offenses, as those activities are covered not by the new Regulation but by Directive 2016/680.
But how can you exercise the rights granted to you by the law and whom should you contact in order to exercise them? In this article, Homo Digitalis will provide you with the necessary clarifications.
What are your rights under the provisions of the new Regulation?
Right to Transparency of Data Processing (Article 12)
You have the right to be informed by your data controller (the natural or legal person who determines the purpose and manner of processing your data), in simple, concise and comprehensible words, in writing and/or orally, about any rights you have under this processing, the way you may exercise these rights, the person/service you need to address, and the time limit within which you can receive the necessary answers to your requests.
Right to Information (Article 13):
What is included:
Your right to request from the processor the necessary information related to the processing of your personal data such as:
– the identity and the contact details of the controller;
– the identity and the contact details of the data protection officer, where applicable; (the existence of a data protection officer is not always required by law);
– the purpose of the processing for which the personal data are intended as well as the legal basis for the processing and the relevant clarifications related to such legal basis;
– any recipients of your data, and any intention to transfer your data outside the EU, explaining on what basis this transfer is made and the impact that such action will have on the level of security of your data;
– the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
– the existence of your rights to request from the controller access to or rectification or erasure of your personal data or restriction of processing concerning the data subject or to object to processing as well as your right to transfer your data to another data controller, or withdraw your consent if the processing of your data is based on such consent (see below for more regarding all these rights);
– your right to lodge a complaint with the Supervisory Personal Data Protection Authority;
– the existence of automated decision-making based on your personal data, including profiling, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you (the rule is that you may not be subjected to a decision based solely on automated processing, although there are some exceptions).
When can you receive the information?
When your personal data are collected from you, this information shall be provided at the time when the personal data are obtained. When your personal data have not been obtained from you, this information shall be provided to you within one month from the collection. In particular, if your personal data are to be used for communication with you, the information should be provided to you at the time of the first communication with you. Finally, if a disclosure of your data to another recipient is envisaged, such information shall be provided to you before such disclosure.
However, you must remember that the right to information is subject to serious restrictions as the case may be.
Right to access (Article 15):
Your right to know if a data controller processes your data.
If you receive a positive response, you will have the right of access to such data, the right to information (as described above), as well as the right to obtain a copy of your personal data undergoing processing.
Right to rectification (Article 16)
Your right to request from the controller the rectification of inaccurate personal data or the completion of your incomplete data. Such rectification may take place without undue delay.
Right to erasure (known as the “right to be forgotten”, Article 17)
Your right to request from the controller the erasure of your personal data without undue delay.
The grounds upon which you may exercise your right of erasure:
– where your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– where the processing is based on the legal basis of consent, you withdraw your consent, and the controller has no other legal ground for the processing;
– in the exercise of the right of objection to the processing of your personal data (see below);
– where your personal data have been unlawfully processed;
– where your personal data have to be erased by the controller for compliance with a legal obligation under Member State or EU law;
– where the processing is based on consent in relation to the offer of information society services to a child (e.g. a child account on a social networking platform).
However, the right to erasure is subject to significant restrictions. In particular, this right may not be exercised to the extent that processing is necessary:
– for exercising the right of freedom of expression and information;
– for compliance with a legal obligation which requires processing under the national or EU law to which the controller is subject;
– to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
– for reasons of public interest in the area of public health;
– for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the exercise of the right of erasure would make impossible or seriously impair the achievement of the objectives of the processing of the data;
– for the establishment, exercise or defence of legal claims.
Right to restriction of processing (Article 18)
Your right to obtain from the controller restriction of processing of your personal data where:
– you contest the accuracy of your personal data and you require the restriction for a period enabling the controller to verify the accuracy of the data;
– the processing of your personal data is unlawful and you oppose the erasure of your personal data and you request the restriction of their use instead;
– you need your data for the establishment, exercise or defence of legal claims even if the controller no longer needs the personal data for the purposes of the processing;
– you have submitted a request for exercising your right of objection to processing (see more information below) and, pending the verification of your request, you require the restriction of processing of your personal data.
Right to data portability (Article 19)
Your right to receive your personal data and transmit those data to another controller. You may request the transmission of your personal data directly from one controller to another where technically feasible. The exercise of this right may not adversely affect the rights and freedoms of others.
When can you exercise this right?
– Where the processing is based on the legal basis of consent or on a contract and is carried out by automated means.
The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to objection to the processing of your personal data (Article 21):
Your right to object to processing of your personal data, including profiling, at any time and for personal reasons. At the latest at the time of your first communication with the controller, your right to object shall be explicitly brought to your attention and shall be presented clearly and separately from any other information.
You may exercise this right where the processing or the profiling:
– is necessary according to law for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing, which override your grounds or the processing is necessary for the establishment, exercise or defence of legal claims.
– is necessary according to law for the purposes of legitimate interests pursued by the controller or by a third party unless the controller demonstrates compelling legitimate grounds for the processing which override your grounds or the processing is necessary for the establishment, exercise or defence of legal claims.
– refers to direct marketing purposes;
– in the context of the use of information society services, you may exercise your right to object by automated means using technical specifications;
– is necessary for scientific or historical research purposes or statistical purposes unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Are these rights absolute?
No. As you have already understood from the above, these rights are subject to several restrictions, as the case may be, depending on the legal basis on which the processing of personal data is based. However, one thing to keep in mind is that the data controller is obliged to inform you accurately of your rights. Therefore, you should know your rights regarding the processing of your personal data at any time.
Are you wondering how you can exercise these rights in practice? Continue reading the second part of this article.