Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion? If so, please provide a general description of what the rights are, how they are communicated, what exceptions exist and any other relevant details.
Data Protection & Cyber Security
Russian laws set out the following data subjects’ rights:
- To withdraw consent at any time. In this case, the data controller should terminate processing of PII based on consent within 30 calendar days.
- To access PII. The data subject is entitled to request from the data controller confirmation of processing by that data controller and a range of details regarding data processing activities (e.g., categories of processed data, purposes of processing, operations performed on data, methods of processing, information on international transfers, etc.). If the data subject so requests, he/she should be provided with a copy of the PII (e.g., copies of documents containing PII, extracts from the automated information system where the data is processed).
- To require rectification, blocking and destruction of PII in case data is incomplete, inaccurate, outdated, processed unlawfully or no longer needed to achieve the specific purpose of data processing.
- To lodge a complaint with Roskomnadzor or a court, among certain other rights.
There are some requirements applicable to both the company and the data subject in order to comply with these rights and to exercise them, respectively (e.g., deadlines, a specific format of request/response, exemptions from the obligation to comply with the request, etc.).
The data subject has the right to: (i) access any database containing his or her personal data; (ii) request information in connection with his or her data; and (iii) request the correction, deletion, updating or confidential treatment of his or her personal data.
The right of data subject to access their data can be exercised free of charge every 6 months or in shorter periods if the data subject demonstrates a legitimate interest.
Data controllers must inform the data subjects of their rights to access, rectify and suppress their personal data when obtaining consent to any data processing.
The LGPD sets forth that all natural persons are ensured the ownership of their personal data and the guarantee of the fundamental rights to freedom, intimacy and privacy. It also establishes that data subjects have the right to obtain from the controller, at any time and upon request:
- Confirmation of the existence of the processing;
- Access to the data;
- Correction of incomplete, inaccurate or outdated data;
- Anonymization, blocking or erasure of unnecessary or excessive data or data processed in noncompliance with the provisions of the LGPD;
- Portability of the data to another service or product provider, by means of an express request, observing business and industrial secrets, pursuant to the regulation of the controlling agency;
- Erasure of the personal data processed with the consent of the data subjects, except in cases of:
a) Compliance with a legal or regulatory obligation by the controller;
b) Conduction of studies by a research entity, ensuring, whenever possible, the anonymization of the personal data;
c) Transfer to third parties, provided that all legal requirements set forth in this Law are complied with;
d) Exclusive use of the controller, with forbidden access to third parties, and provided the data has been anonymized.
- Information about public and private entities with which the controller has shared data;
- Information about the possibility of denying consent and the consequences of the denial;
- Revocation of consent.
- Data subjects have the right to petition in relation to their data against the controller before the national authority and they also may oppose the processing carried out based on one of the situations of waiver of consent, if there is noncompliance with the provisions of the LGPD.
In addition, the Consumer Protection Code (Law 8.078/1990) sets forth that individuals have the right to access all data stored about themselves in consumer-related databases, and to request changes, corrections and even removal from the database.
Further, according to the Brazilian Civil Rights Framework for the Internet, users have the right to request at the end of their contract with internet application providers the definitive exclusion of personal data, respecting the mandatory log retention rule.
As provided by the GDPR, individuals enjoy all of the following rights:
- To have the information regarding the processing provided to them in a transparent and intelligible manner (Article 12 GDPR)
- To be informed on the processing of their personal data (Articles 13 and 14 GDPR)
- To access their data (Article 15 GDPR)
- To have their data rectified (Article 16 GDPR)
- To have their data erased (Article 17 GDPR)
- To have the processing of their data restricted (Article 18 GDPR)
- To data portability (Article 20 GDPR)
- To object to the processing of their data (Article 21 GDPR)
- To not be subject to a decision based solely on automated processing (Article 22 GDPR)
- To be informed, in certain instances, of a data breach (Article 34 GDPR).
The controller may refuse, wholly or partially, the exercise of the individual rights, and may decline to fulfil the obligation to inform individuals of data breaches, where the exercise of the rights or the fulfilment of the obligation would create a risk for:
- the national security
- the defense
- the public order and security
- the prevention, investigation, detection or prosecution of criminal offenses or the enforcement of sanctions, including the prevention of threats to public order and security
- other important objectives of broad public interest and, in particular, an important economic or financial interest, including monetary, budgetary and fiscal matters, public health and social security
- the protection of the independence of the judiciary and judicial proceedings
- the prevention, investigation, detection and prosecution of breaches of ethical codes in regulated professions
- the protection of the data subject or the rights and freedoms of others
- the enforcement of civil claims (Article 37a, para. 1 PDPA).
However, for any of the above exceptions under Art. 37a PDPA to apply, the rules and conditions for their application must be set out in law. These exceptions follow the restrictions permitted by Art. 23 GDPR. Currently, Bulgarian legislation in this context is not yet developed, which means that in practice the application of the listed exceptions/restrictions would be rather limited, as the rules and safeguards required by Art. 23 GDPR are not yet in place.
Individuals can exercise their rights by means of a written request to the controller or by another method specified by the latter (Article 37b, para. 1 PDPA). The request may also be filed electronically under the terms of the Electronic Document and Electronic Certification Services Act, the E-Governance Act and the E-Identification Act (Article 37b, para. 2 PDPA). The request may also be filed through actions in the user interface of the information system used for the processing of data, once the individual has been identified with the respective identification means corresponding to the information system (Article 37b, para. 3 PDPA).
The request shall contain the following requisites:
- name, address, national personal identification number or personal identification number of a foreigner or other similar identifier, or other identification data of the individual determined by the controller
- description of the request
- preferred form for obtaining the information when exercising the rights under Article 15-22 GDPR
- signature, date of filing of the request and address for correspondence.
The request may be submitted by an authorized third person, in which case the power of attorney shall be provided together with the request (Article 37c PDPA).
Access / Information Right
The FADP explicitly mentions the right to access in art. 8 et seq. FADP. There is no explicit duty of the controller of the data file to inform data subjects about this right (for example in the data privacy notice); it is, however, quite common to mention the respective right in the data privacy notice. Irrespective of this common practice, data subjects can find detailed information on the statutory right to access, as well as on how to exercise this right, on the website of the FDPIC. The FDPIC also offers template access requests for data subjects on its website.
When receiving an access / information request, the controller of the data file must provide the requested information generally within 30 days. The information request is generally free of charge. However, the controller of the data file may ask for reimbursement if the costs connected to the access request are extraordinary, for example because the data subject requests to receive copies of documents and the copying requires substantial time and material.
The controller of the data file must provide the following information:
- all available data concerning the subject in the data file, including the available information on the source of the data;
- the purpose of and if applicable the legal basis for the processing as well as the categories of the personal data processed, the other parties involved with the file and the data recipient.
There are exemptions from the access / information right. The controller of a data file may refuse, restrict or defer the provision of information where:
- a statute so provides;
- this is required to protect the overriding interests of third parties.
The private controller of a data file may further refuse, restrict or defer the provision of information where his own overriding interests so require and he does not disclose the personal data to third parties.
The controller of a data file must indicate the reason why he has refused, restricted or deferred access to information.
A federal body may further refuse, restrict or defer the provision of information where:
- this is required to protect overriding public interests, and in particular the internal or external security of the Confederation;
- the information would jeopardise the outcome of a criminal investigation or any other investigation proceedings.
Other Individual Rights
Other individual rights are mentioned in art. 15 FADP. The other individual rights are, in particular:
- Request to block data processing;
- Prohibition to disclose personal data to third parties;
- Request to have personal data corrected;
- Deletion request;
- Where it is impossible to demonstrate that personal data is accurate or inaccurate, the data subject may request that a note to this effect be added to the data.
These other individual rights are, contrary to the access / information right, not further specified.
The right to access and the right to deletion are granted by the GDPR and the LOPD, as are other individual rights: the right to obtain the rectification of his/her inaccurate personal data; the right to be forgotten, which is a specific form of the right of deletion; the right to obtain from the controller restriction of processing in certain circumstances; the right to receive the personal data concerning him or her in a «structured, commonly used and machine-readable format» in order to transfer them to another controller; the right to object, because of his or her particular situation, to processing of his/her personal data; and, finally, the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects him or her.
All these rights are subject to limitations, which are provided for in their specific articles. However, the main limitation on the exercise of these rights is the prohibition on affecting the data of third parties when exercising them.
Yes, according to the Data Privacy Act:
Right to access or information: The subject or holder of personal data has the right to request information about him/herself, the origin of the data (how the data was collected), the addressee, the purpose of the storage and the identification of the persons or agencies to whom his/her data is regularly transmitted.
The information of personal data shall be free of charge. This right to access cannot be restricted by means of any act or agreement, except when it prevents proper compliance with the supervisory functions of the requested government entity or if it affects the confidentiality or secrecy established in legal or regulatory provisions, or the security of the nation or the national interest.
In order to exercise the right to access, the data subject must apply to the person responsible for the data registry or database, claiming his/her right to access. If the person responsible for the personal data registry or bank fails to respond within two business days, or refuses a request on grounds other than the security of the nation or the national interest, the subject of the personal data shall have the right to sue before the civil court.
Right of modification: in case of erroneous, inexact, equivocal or incomplete data, and such situation has been evidenced;
Right of blocking: when the individual has freely provided his/her personal data or it is used for commercial communications and the subject does not want to continue to appear in the respective registry, either definitively or temporarily;
Right of cancellation or elimination: notwithstanding legal exceptions, the subject may also request data be eliminated if its storage lacks legal grounds or if it has expired, when the subject has voluntarily provided his/her personal data, or it is used for commercial communications or does not want it to continue appearing in the respective registry, either definitively or temporarily;
Right to free copy: the information, modification or elimination of personal data shall be free of charge, and a copy of the fragment of the registry that has been changed shall also be provided at the subject’s request. If new modifications or eliminations of data are made, the subject may obtain a copy of the updated registry without cost, if at least six months have passed since the last time requested; and
Right of opposition/objection: the subject may object to the use of his/her personal data for purposes of advertising, market research or opinion polls.
The rights of the data subjects are governed by chapter 3 of the GDPR. These are the right of access by the data subject, the right to erasure, the right to restriction of data processing, the right to object and the right to data portability.
Right of access: According to Art. 15 GDPR, the data subject may, upon request, obtain confirmation as to whether personal data relating to him or her is processed. If so, the personal data collected alongside the following information must be communicated to the data subject:
- purpose of processing;
- categories of data processed;
- (Intended) recipients of the data;
- the planned period of retention or the criteria for determining it;
- the existence of a right to rectification/deletion of the data and to limitation/opposition of the processing;
- the origin of the data if they have not been collected from the data subject;
- the existence of an automated decision-making procedure (including profiling) and its logic and purpose;
- appropriate safeguards (e.g. certifications) if data are transferred to third countries or international organizations.
Upon further request, the controller has to provide a copy of said data (e.g. in digital form).
Right of rectification and erasure: The data subject may request that untrue data about him or her be corrected or supplemented accordingly (Art. 16 GDPR). According to Art. 17 GDPR, a data subject may at any time request the deletion of his/her data. Deletion means that the data must actually be destroyed. Even without such a request, the controller is obliged to delete personal data if one of the following conditions is met:
- the data is no longer necessary for the processing purpose;
- revocation of the data subject's consent to data processing (if there is no other legal basis for the processing);
- objection by the data subject to the processing (see below) and absence of a legitimate and overriding reason for doing so;
- unlawful processing of data;
- other cancellation obligations under national or Union law.
However, if the processing is necessary, the rules for deletion above do not apply. According to paragraph 3 of Art. 17 GDPR, the processing is considered necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defense of legal claims.
In addition, the right to be forgotten has been enshrined in law, which is particularly relevant in the case of published information and is intended to give data subjects the opportunity to leave the past behind them. If personal data was made public, the controller must take the measures that are technically possible and reasonable in terms of cost to inform other processors of a restriction, deletion or correction request of the data subject.
Right of restriction of data processing: The data subject has the right to limit the processing of his/her data (Art. 18 GDPR). This right is also of interest if deletion is impossible or disproportionate. If the data subject demands the restriction, these data (except for the storage itself) may only be processed with his/her consent, for the enforcement of legal claims or legal protection, or in the case of an important public interest of the EU or a Member State.
However, the restriction can only be demanded under one of the conditions set out in Art. 18 (1) GDPR:
- if the data subject disputes the accuracy of his/her data for a period of time which enables the controller to verify the accuracy of the personal data;
- in the case of unlawful data processing, when the data subject requests the restriction instead of deletion;
- the data controller no longer needs the data for his purposes, but the data subject needs them to enforce a claim, or
- if the data subject objects to the processing by the data controller pursuant to Art. 21 (1) GDPR, as long as it has not yet been determined whose interests are worthier of protection in the specific case.
Right to data portability: Art. 20 GDPR also grants the data subject the right to receive all personal data in a structured and machine-readable format, or to have them transferred directly to another controller, provided that the processing is based on consent or a contract and is carried out by automated means. The data subject may also obtain the direct transfer of the data to the other controller, unless the processing by the first controller is related to the performance of a task assigned to it in the public interest, or the effort involved exceeds the interests and possibilities of the controller.
Right to object: Pursuant to Art. 21 (1) GDPR, data subjects have the right to object at any time to data processing carried out for the performance of a public service task or to safeguard the interests of the data controller. Pursuant to Art. 21 (6) GDPR, this also applies if the processing is carried out for historical, scientific or statistical purposes (Art. 89 (1) GDPR), unless it is necessary for the performance of a task in the public interest. In these cases, further processing is only permissible if the controller can demonstrate that considerable and irreversible disadvantages would arise without this processing (e.g. collection procedures).
As indicated in our response to Query 4 above, the Privacy Rules provide Data Subjects certain rights. These include – the opportunity to review, the opportunity to not provide and withdraw consent and things that the Data Subject should know. Please see our earlier response for a general description of these rights.
Whilst such rights have been provided to Data Subjects, the Privacy Rules do not impose any obligation on body corporates to communicate them to the Data Subjects. Even the provision which identifies the components that need to be included in privacy policies does not require communication of Data Subjects' rights or of how these rights may be exercised.
The Privacy Bill, on the other hand, recognises several rights of Data Subjects. These include the right to confirmation and access, the right to correction, completion and updating of PD, the right of portability of PD from one data fiduciary to another, the right to be forgotten, the right to receive compensation in case of breach of obligations by the data fiduciary, etc. The Privacy Bill stipulates that privacy policies should expressly provide for the existence of these rights and the procedure by which Data Subjects can exercise them.
Article 43 of the CSL entitles individuals to require a network operator to delete his or her personal information if he or she finds that the collection and use of such information by that operator violates laws, administrative regulations or the agreement between that operator and him or her; and entitles them to require any network operator to make corrections if he or she finds errors in the information collected and stored by that operator. The operator shall take measures to delete the information or correct the error.
Laws and regulations in different sectors also contain provisions protecting data subjects' rights. The E-commerce Law of the People's Republic of China (《中华人民共和国电子商务法》) (the "E-commerce Law") requires e-commerce business operators to clearly state the methods and procedures for access, correction and deletion of user information as well as account cancellation.[53] Article 26 of the Law on the Protection of Rights and Interests of Consumers (Revised in 2013) (《中华人民共和国消费者权益保护法（2013年修正）》) also provides that business operators shall not impose unfair and unreasonable provisions on consumers, such as the elimination or restriction of consumer rights.
The PI Specification provides for and describes in detail the personal information subjects' rights of access, rectification, deletion, withdrawal of consent, account cancellation, obtaining copies of personal information, limitation on automated decision-making, etc.[54] An exception to the right to access is that when a personal information subject requests access to personal information that he or she did not voluntarily provide, personal information controllers can evaluate the request, taking into account the risk or harm to the subject's lawful rights and interests that could arise from not responding to the request, technical feasibility, cost, and other factors involved in carrying out the request.[55] As for the right of withdrawal, the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.[56]
53 - E-commerce Law. § 24.
54 - PI Specification. 7.4, 7.5, 7.6, 7.7, 7.8.
55 - PI Specification. 7.4.
56 - PI Specification. 7.7.
- Access to Data
As one of the individual's rights under MCI Regulation 20/2016, the Data Subject must have ease of access to his/her Personal Data for alteration, supplementation and renewal purposes. This also includes access to the historical record of Personal Data transferred to the ESO. This individual right is in line with one of the principles of Personal Data protection, which is maintaining the integrity, accuracy, validity and up-to-dateness of Personal Data.
- Right to Deletion
Under Indonesian law and regulations, ESO is required to provide a deletion mechanism of irrelevant electronic information including Personal Data. It is one of the rights of the Data Subject to request for deletion of certain information of his/her Personal Data. Such deletion shall entirely or partially remove documents pertaining to the Personal Data, either in the forms of electronic or non-electronic processing.
Data subjects are provided with the following data protection rights prescribed in articles 12 to 22 of the GDPR (regardless of any restrictions that the Portuguese Data Protection Law may provide for once it is approved):
a) Information: the data subject is entitled to be provided by the controller with all the information regarding the processing of his/her data;
b) Access: the data subject is entitled to have access to the data held by the controller about him/her, to receive a copy free of charge and to get additional information. Notwithstanding, the use of this right shall not affect the rights and freedoms of others (including trade secrets or intellectual property);
c) Rectification: the data subject is entitled to request the controller to correct and/or complete any inaccurate data concerning him/her;
d) Erasure: the data subject is entitled to request the controller to delete personal data concerning him/her in case (i) the personal data are no longer needed; (ii) consent is withdrawn and there is no other legal ground for the processing; (iii) the data subject has objected to the processing; (iv) the data has been unlawfully processed; (v) the personal data have to be erased for compliance with a legal obligation to which the controller is subject; (vi) the personal data were collected in relation to the offer of information society services directly to a child. Notwithstanding, this right is not absolute and shall not apply if the processing is necessary for certain purposes (exercising the right of freedom of expression and information, compliance with a legal obligation to which the controller is subject, public interest in the area of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or the establishment, exercise or defence of legal claims);
e) Restriction of processing: the data subject is entitled to obtain from the controller restriction of processing if (i) the accuracy of the data is contested (ii) the processing is unlawful but the data subject does not want the data to be erased (iii) the data is no longer needed but data subject requires them for the establishment, exercise or defence of legal claims (iv) the data subject has objected and the decision is pending; with the exception of storage, the data can only be processed with consent of the data subject or for the establishment, exercise or defence of legal claims, the protection of the rights of another natural or legal person or reasons of public interest.
f) Portability: the data subject is entitled to receive the personal data provided to the controller in a structured, commonly used and machine-readable format and also to be transferred to another controller (where technically feasible) if the processing is based on consent or on a contract and is carried out by automated means.
g) Objection: the data subject is entitled to object to the processing of his/her data (i) for direct marketing, (ii) when the processing is based on the legitimate interests of the controller and (iii) for scientific or historical research purposes or statistical purposes. However, in (ii) the controller may continue the processing by demonstrating compelling legitimate grounds that override the data subject's interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. In (iii) the controller may continue the processing if it is necessary for the performance of a task carried out for reasons of public interest.
h) Not to be subject to automated individual decision-making, including profiling: data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision is (i) necessary to enter or perform a contract (ii) authorised by the law to which the controller is subject (iii) based on data subject’s explicit consent.
In addition, the data subject is also entitled to lodge a complaint with the supervisory authority and to withdraw his/her consent at any time where processing is based on consent, not to mention the right to claim compensation before the courts for material and non-material damages suffered, in case the controller or the processor has infringed the data protection laws.
Finally, the Article 29 Working Party Guidelines on data portability and on automated individual decision-making and profiling (WP242rev.01 and WP251rev.01) provide guidance on the terms and conditions under which these rights can be exercised and on how controllers should handle such requests. Controllers should, in the absence of specific laws, regulations and guidelines in their jurisdiction, take these guidelines into consideration, as they reflect the position of the European Data Protection Authorities and their interpretation of the GDPR provisions.
Individuals have a range of rights under the Data Protection Act 2018 (DPA 2018). They have the right to be given a fair processing notice, to access their personal data, to rectify inaccurate or incomplete personal data, to erase or restrict its use, and to transfer the personal data to another party in certain circumstances.
Where legitimate interests is the lawful basis for processing the data, a data subject can object to the processing in which case the controller must assess whether it can continue to process the data (this is called the legitimate interests balancing test/assessment). An individual has the absolute right to object to receiving direct marketing and to withdraw any consent they have given for a processing activity – if they object or withdraw their consent this must be complied with.
A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly affects them unless certain conditions are met.
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why an organisation is using their data, and check they are doing it lawfully.
The right to have personal data erased is also known as the 'right to be forgotten'. The right is not absolute and only applies in certain circumstances. For example: if the personal data is no longer necessary for the purpose for which it was originally collected or processed; if consent is the lawful basis and the individual withdraws their consent; if legitimate interests is the basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing; if the processing is for direct marketing purposes and the individual objects to that processing; and if the business has processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle).
The data subject rights may not apply in certain circumstances (to the extent that applying the right would prejudice/prevent certain purposes) such as where personal data is processed for crime and taxation purposes. The DPA 2018 also contains a number of other exemptions, a number of which are narrowly applied in practice.
Yes, the data subject has several rights under GDPR such as:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restriction of processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
Right to be informed (articles 13 and 14 of the GDPR)
The controller is required to provide data subjects with certain information, such as the identity and contact details of the controller and the purposes as well as the legal basis for the processing. The information to be provided to the data subjects varies to some extent depending on whether the personal data have been obtained from the data subject or not. When personal data is obtained directly from the data subject, the data subject shall be informed immediately, i.e. at the time the personal data is collected. Otherwise, the data subject shall be informed within a reasonable period of time, but at the latest within one (1) month. If the data are to be used for communication with the data subject or if a disclosure to another recipient is envisaged, then the data subject shall be informed at the latest at the time of the first communication to that data subject or when the personal data are first disclosed.
The information shall be provided to the data subject in a suitable manner, which may differ on a case-by-case basis. Many controllers choose to post an online privacy notice and include hyperlinks to the notice in, for example, their email signatures and marketing messages.
The information to the data subject shall be provided in an easily accessible, written form in clear and simple language.
Right of access (article 15 of the GDPR)
The data subject has the right to request a register extract from a controller that processes the data subject’s personal data. The controller shall inform the data subject whether it processes personal data or not, and if so, the register extract shall, among other things, include information on the purposes of the processing, the categories of personal data processed, the recipients or categories of recipients, etc. The information must be provided without undue delay but at the latest within one (1) month, unless an exception applies.
Right to rectification (article 16 of the GDPR)
The data subject has the right to contact the controller and request that inaccurate information be rectified. Furthermore, this also means that the data subject has the right to have missing personal data completed, where such data is relevant taking into account the purpose of the processing of personal data.
Right to erasure (article 17 of the GDPR)
The right is also known as “the right to be forgotten”, and the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay. This right is not absolute: the personal data is to be erased only if one of the grounds stipulated in article 17 of the GDPR applies, for example if the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, or if the personal data have been unlawfully processed.
Right to restriction of processing (article 18 of the GDPR)
The data subject has the right to demand that the controller restrict the processing of their personal data in some cases. The right to restriction applies, among other things, when the data subject considers that the data is inaccurate and has requested rectification. In such cases, the data subject may request that the processing of their personal data be restricted while the accuracy of the data is being verified. Where the processing has been restricted, the personal data may only be processed for certain limited purposes.
Right to data portability (article 20 of the GDPR)
The data subject shall in certain cases have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, e.g. from one social media service to another where the data subject him- or herself has provided the controller with his or her personal data.
Right to object (article 21 of the GDPR)
In certain cases, the data subject has the right to object to his or her personal data being used. The controller may only continue to process the personal data if it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or if the processing is carried out for the establishment, exercise or defence of legal claims.
Furthermore, the data subject always has the right to object to his or her personal data being used for direct marketing and such objections can be made at any time. If such objection is made, the personal data may no longer be processed for such purposes.
Where personal data is processed for scientific, historical or statistical research purposes, other rules apply.
Rights in relation to automated decision making and profiling (article 22 of the GDPR)
The data subject shall have the right not to be subject to a decision based solely on some form of automated decision-making, including profiling, if the decision produces legal effects concerning him or her or similarly significantly affects him or her. However, automated decision-making may be permitted if it is necessary for entering into, or for the performance of, an agreement between the data subject and the controller, or if the data subject has given his or her explicit consent. There may also be special legislation that permits such automated decision-making.
The controller shall inform the data subject if automated decision-making is used.
Law 2472/1997 provides the right to be informed, the right of access (article 12), the right to object (article 13) and the right to judicial protection (article 14). All rights mentioned above are enhanced and further supplemented by the GDPR provisions calling for more fairness and transparency. The rights briefly described are as follows:
- Right to information: right to precise information about data processing;
- Right of access: confirmation about processing of personal data and access to specific relevant information;
- Right to rectification: rectification of inaccurate data and completion of incomplete data;
- Right to erasure: erasure of data which is no longer necessary under certain circumstances;
- Right to restriction of processing: when data accuracy is challenged, processing is unlawful, data is no longer necessary or when the data subject objects to processing;
- Right to data portability: the data subjects can request under certain conditions to either receive in a specific format the data belonging to them or to directly transfer it to another data controller;
- Right to object: the data subject can object to processing when this relies upon the legitimate interests of the data controller or public interest;
- Right to human intervention: in cases where exclusively automated processing takes place, including profiling, the data subject may express his or her point of view and contest the decision taken based on this processing.
The deadline provided under the GDPR for replying to such requests is one month from the submission of the request, which can be further extended for two more months, where necessary, considering the complexity and number of the requests. All information and communications made to this purpose by data controllers shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request.
The right to be informed, right of access and right to object are also provided in the HDPA’s Directive for the use of CCTV (Directive 1/2011) with respect to the protection of persons and goods regarding personal data collected by CCTV systems. The time limit to satisfy the right of access in this case, in both the HDPA’s Directive and the Greek draft law, is fifteen (15) days. The HDPA has further specified how the right to be informed can be satisfied through relevant signs, and has also underlined that when, for instance, a copy of the footage is provided to data subjects exercising their right of access, third parties should be covered, i.e. by partially blurring the image, where their right to privacy would otherwise be violated.
Moreover, rights arise from Law 3471/2006, such as the right of data subjects to be informed with respect to call recording, and the right of data subjects to be informed about the processing of location and traffic data on the basis of consent. Furthermore, data subjects have the right to object to the inclusion of their personal details in a hard-copy or electronic public registry, and rights related to call identification and potential restrictions thereof. Moreover, data subjects reserve the right not to receive itemised bills and to block calls automatically forwarded by third parties to their device, while specific provisions apply with respect to cookies.
As stipulated by Article 11 of the Law No. 6698, every data subject has the following rights in relation to their personal data, which they may exercise by applying to the data controller:
- Learn whether their personal data have been processed,
- Request information as to processing if their data have been processed,
- Learn the purpose of processing of their personal data and whether data are used in accordance with their purpose,
- Learn the third parties to which their personal data have been transferred,
- Request rectification in case personal data are processed incompletely or inaccurately,
- Request deletion or destruction of their personal data within the framework of the conditions set forth under Article 7,
- Request notification of the operations made as per indents (e) and (f) to third parties to whom personal data have been transferred,
- Object to the occurrence of any result that is to their detriment by means of analysis of their personal data exclusively through automated systems,
- Request compensation for damages in case they incur damages due to unlawful processing of their personal data.
As per the Article 13 of the Law No. 6698, data subjects shall convey their requests regarding the above-listed rights by means specified under the Communiqué on the Principles and Procedures to be Followed Regarding Applications to Data Controllers (“Communiqué on Applications”).
According to Article 5(1) of the Communiqué on Applications, data subjects shall convey their requests:
- in written form,
- via registered electronic mail,
- via secure electronic signature,
- via mobile signature,
- via an e-mail address previously provided by the data subject and which is registered within the data controller’s system; or,
- by way of a software or an application developed and dedicated for the purpose of the application.
Article 13 of the Law No. 6698 further determines that data controllers are under the obligation to conclude such requests as soon as possible and no later than thirty days. In principle, such requests shall be concluded free of charge; however, data controllers are entitled to charge additional fees where the request so requires, in accordance with the tariff published by the Board.
In Austria, the rights of data subjects laid down in Articles 15 through 22 of the GDPR apply as a basic principle:
- right of access
- right to rectification
- right to erasure
- right to restriction of processing
- right to data portability
- right to object
However, these rights do not apply in every case. There are numerous exceptions under which a data subject does not have the rights mentioned above. For example, the right of access is excluded if the provision of this information would endanger a business or trade secret of the controller or of a third party. Similarly, in the area of medical law, the data subject does not have all of these rights.
Individuals have a range of rights under the French Data Protection Act 1978, as provided for in the GDPR.
Individuals have the right to access their personal data, rectify inaccurate or incomplete personal data, erase or restrict its use, or transfer the personal data to another party in certain circumstances. They shall be informed of their rights through a specific notice at the latest at the time of data collection.
Where legitimate interests is the lawful basis for processing the data, a data subject can object to the processing in which case the controller must assess whether it can continue to process the data (this is called the legitimate interests balancing test/assessment). An individual has the absolute right to object to receiving direct marketing and to withdraw any consent they have given for a processing activity – if they object or withdraw their consent this must be complied with.
A data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly affects them unless certain conditions are met. The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information such as the purpose of the processing, the recipients of the data processed, etc. It helps individuals to understand how and why an organisation is using their data, and check they are doing it lawfully. To obtain such data, the individual shall prove his or her identity. The data controller may request the payment of fees to proceed with this operation, but the costs shall not exceed the reproduction costs. The controller may refuse to proceed with abusive requests, e.g. repetitive or systematic requests, but will bear the burden of proving the abusive nature of the requests if challenged.
The right to have personal data erased is also known as the ‘right to be forgotten’. The right is not absolute and only applies to inaccurate, incomplete, ambiguous and out of date data or whose collection, use, disclosure or retention is prohibited by law. However, if the personal data were collected at a time where the data subject was a minor, the right to deletion is absolute and the data controller shall take any appropriate measures to inform any third party to which the data was transferred that such data shall be deleted.
The data subject rights may not apply in certain circumstances (to the extent that applying the right would prejudice/prevent certain purposes) such as where personal data is processed for crime and taxation purposes. The DPA 1978 also contains a number of other exemptions, a number of which are narrowly applied in practice.
In addition, French law provides that data subjects have the right to define specific or general guidelines on their data after their death. If the guidelines are general, i.e. if they concern all personal data relating to the data subject, they must be registered with a digital trusted third party certified by the CNIL. If the guidelines are specific, they are registered with the concerned data controller. In the absence of instructions, the heirs of the data subject may, to the extent defined by law, exercise the rights of the data subject.
Data subjects also have the right to data portability, i.e. to receive the personal data they provided to a controller in a structured, commonly used and machine-readable format in order to transmit those data to another controller, if (i) the processing is carried out by automated means, (ii) it is based on the legal ground of consent or contract, and (iii) it does not infringe the rights and freedoms of third parties.
There are sectoral laws governing health information, children’s information and consumer reports that provide limited rights. For example, FCRA provides individuals various rights with respect to how their consumer reports are compiled, maintained and disclosed to third parties.
FERPA, which applies to all educational institutions receiving federal funds, grants students (or, if the student is a minor, their parents) the right to inspect and review the student’s education records maintained by the school. Schools are generally not required to provide copies of records unless it is impossible for the student (or their parents) to review the records. Schools may charge a fee for copies. FERPA does not grant a deletion right but does grant the student (or their parents) the right to request that a school correct records that they believe to be inaccurate or misleading.
COPPA grants parents the right to receive copies of personal information collected online from their child under the age of 13, the right to request that the personal information be deleted and a way to revoke their consent for the collection of personal information from their child.
Under HIPAA, individuals are entitled to request copies of medical information held by a health services provider. HIPAA requires that covered entities provide individuals with access to PHI about them in one or more “designated record sets” (e.g., medical, billing, claims or health plan enrollment records) maintained by or for the covered entity. Covered entities are required to inform individuals of this right of access in their notice of privacy practices. Access must be granted or denied within 30 days of receipt of a request, although one 30-day extension is permitted.
This right to access does not extend to certain information, including (1) PHI contained in psychotherapy notes or (2) PHI compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. HIPAA does not grant individuals a right to deletion. HIPAA does, however, provide individuals with the right to request an amendment of their PHI if they believe the information held by the covered entity is incomplete or inaccurate.
In addition, the majority of states have laws granting patients the right to access certain medical records. While most of these access laws are pre-empted by HIPAA, several state laws do avoid pre-emption either by providing individuals with access to a broader range of records or by requiring that providers respond to these access requests sooner.
California currently has limited access rights under its Shine the Light law, and the forthcoming CCPA will expand these rights in the state. Under the Shine the Light law, companies that disclose California customer information to third parties for direct marketing purposes are required to provide an opt-out or respond to customer requests to disclose the identity of the third parties with whom customer information is shared and the types of information the company shares. When the CCPA takes effect in January 2020, California residents will be granted individual access rights, deletion rights and the right to request that their personal information stop being sold. Other states are considering similar legislation. In addition, California minors have the right to request deletion of information they posted online while under the age of 18.