XIX. Rights of the data subject
If personal data about you is processed, you are the data subject under the terms of the GDPR, and you are entitled to the following rights vis-à-vis the controller:
1. Right of access
You can request confirmation of whether personal data concerning you is processed by us from the controller.
If such processing does take place, you can request information on the following from the controller:
- the purposes for which the personal data is being processed
- the categories of personal data which are processed
- the recipients or categories of recipients to whom the personal data concerning you was or shall be disclosed;
- the planned duration of storage of the personal data concerning you or, if specific information cannot be provided on this matter, criteria for defining the duration of storage
- the existence of a right to correct or delete the personal data concerning you, a right to restrict processing by the controller, and a right to object to such processing
- the existence of a right to lodge a complaint with a supervisory authority
- all of the available information about the origin of the data, if the personal data was not collected from the data subject
- The existence of automated decision-making, including profiling according to Art. 22, Paras. 1 and 4 of the GDPR, and – at least in these cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You are entitled to the right to request information about whether the personal data concerning you is transferred to a third country or an international organisation. In this context, you can request to be informed of the appropriate safeguards according to Art. 46 of the GDPR in connection with such transfer.
2. Right to correction
You have a right to correction and/or completion vis-à-vis the controller, provided that the processed personal data concerning you is incorrect or incomplete. The controller must correct the data without delay.
3. Right to restriction of processing
You can request that processing of the personal data concerning you be restricted under the following conditions:
- if you dispute the accuracy of the personal data concerning you for a duration that enables the controller to check the accuracy of the personal data
- if processing is unlawful and you refuse deletion of the personal data and instead request restriction of your personal data’s use
- the controller no longer needs the personal data for the purposes of processing, but you require the same to establish, exercise or defend legal claims or
- if you have objected to processing according to Art. 21, Para. 1 of the GDPR and it has not yet been determined whether the controller’s legitimate grounds take precedence over your grounds.
If processing of the personal data concerning you is restricted, such data may – with the exception of storage – only be processed with your consent, for the establishment, exercise or defence of legal claims, for the protection of rights of another natural or legal person, or for reasons of important public interest of the Union or of a member state.
If restriction of processing was not carried out according to the aforementioned conditions, you shall be informed by the controller before the restriction is removed.
4. Right to deletion
a) Dury to delete
You can make a request to the controller that the personal data concerning you be deleted immediately, and the controller is obligated to delete this data immediately where one of the following grounds apply:
- The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
- You revoke your consent on which processing according to Art. 6, Para. 1, lit. a or Art. 9, Para. 2, lit. a of the GDPR was based, and there are no other legal grounds for processing.
- You object to processing according to Art. 21, Para. 1 of the GDPR and there are no other overriding legitimate grounds for processing, or you object to processing according to Art. 21, Para. 2 of the GDPR.
- The personal data concerning you was processed unlawfully.
- Deletion of the personal data concerning you is required to fulfil a legal obligation under Union law or the law of the member states to which the controller is subject.
- The personal data concerning you was collected in relation to the offer of information society services according to Art. 8, Para. 1 of the GDPR.
b) Information to third parties
If the controller has made the personal data concerning you public and is obligated to delete the same according to Art. 17, Para. 1 of the GDPR, taking account of the available technology and the associated implementation costs the controller shall take appropriate measures, including those of a technical nature, to inform other controllers processing the personal data that you as the data subject have requested the deletion of all links to this personal data or to copies or replications of the same.
The right to deletion does not exist insofar as processing is required
- to exercise the right to freedom of expression and information
- to fulfil a legal obligation which requires processing according to Union or member state law to which the controller is subject, to perform a task carried out in the public interest, or to exercise official authority vested in the controller
- for reasons of public interest in the area of public health according to Art. 9, Para. 2, lit. h and i, as well as Art. 9, Para. 3 of the GDPR
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes according to Art. 89, Para. 1 of the GDPR, insofar as the right mentioned under a) is likely to render impossible or seriously impair the achievement of the objectives of such processing or
- for the establishment, exercise or defence of legal claims.
5. Right to information
If you have asserted your right to correction, deletion or restriction of processing vis-à-vis the controller, the controller is obligated to inform all the recipients to whom the personal data concerning you was disclosed of this correction or deletion of data or of the restriction of processing, unless doing so proves to be impossible or would involve a disproportionate effort.
You are entitled to receive information about these recipients from the controller.
6. Right to data portability
You have the right to receive the respective personal data which you provided to the controller in a structured, common and machine-readable format. You also have the right to transfer this data to another controller without hindrance from the controller to whom the personal data was provided, insofar as
- processing is based on consent according to Art. 6, Para. 1, lit. a of the GDPR or Art. 9, Para. 2, lit. a of the GDPR or on a contract according to Art. 6, Para. 1, lit. b of the GDPR; and
- processing is carried out by automated means.
In exercising this right, you further have the right to have the personal data concerning you transferred directly from one controller to another, where technically feasible. The rights and freedoms of others must not be adversely affected by the exercising of this right.
The right to data portability does not apply to the processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right of objection
You have the right, on grounds relating to your particular situation, to object at any time to processing of the personal data concerning you based on Art. 6, Para. 1, lit. e or f of the GDPR; this also applies to profiling based on these provisions.
The controller shall no longer process the personal data concerning you unless they can demonstrate compelling and legitimate grounds for processing which outweigh your interests, rights and freedoms, or if processing serves to establish, exercise or defend legal claims.
If the personal data concerning you is processed for the purpose of carrying out direct advertising, you have the right at any time to object to processing of the personal data concerning you for the purposes of such advertising; this also applies to profiling if it is in conjunction with such direct advertising.
If you object to processing for the purposes of direct advertising, the personal data concerning you shall no longer be processed for these purposes.
In connection with the use of information society services – notwithstanding Directive 2002/58/EC – you can exercise your right of objection by automated means where technical specifications are used.
8. Right to revocation of your declaration of consent under data protection legislation
You have the right to revoke your declaration of consent under data protection legislation at any time. Revocation of consent does not affect the lawfulness of processing carried out based on consent up until the same is revoked.
9. Automated decision on a case-by-case basis, including profiling
You have the right to not be subjected to a decision based solely on automated processing – including profiling – which has legal implications for you or significantly affects you in another way. This does not apply if the decision
- is required to conclude or fulfil a contract between you and the controller;
- is permissible based on Union or member state legislation to which the controller is subject, and this legislation contains appropriate measures to protect your rights and freedoms as well as your legitimate interests; or
- is made with your express consent.
However, these decisions may not be based on specific categories of personal data according to Art. 9, Para. 1 of the GDPR, insofar as Art. 9, Para. 2, lit. a or g does not apply and appropriate measures were taken to protect rights and freedoms as well as your legitimate interests.
With regard to the cases mentioned in (1) and (3), the controller shall take appropriate measures to protect rights and freedoms as well as your legitimate interests, which at least includes the controller’s right to request someone’s intervention, present their own point of view and contest the decision.
10. Right to lodge complaints with a supervisory authority
Regardless of another administrative or judicial legal remedy, you have the right to lodge complaints with a supervisory authority, particularly in the member state where your place of residence, your workplace or the place of the suspected violation is located if you believe that the processing of the personal data concerning you is in violation of the GDPR.
The supervisory authority with whom the complaint was lodged informs the complainant of the status and results of the complaint, including the possibility to appeal according to Art. 78 of the GDPR.