The General Data Protection Regulation - Rights of GDPR data subjects

Monday, 21 May 2018

We continue to present important information extracted from (EU) Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC. In this edition, we shall elaborate upon the aspects which refer to the Rights of GDPR data subjects.

 

CHAPTER III: Rights of data subjects

Section 2: Information and access to personal data

 

Art. 13: Information provided in case personal data is collected from a data subject

 

(1) In case personal data referring to a data subject is collected from said data subject, the operator, at the time of obtaining this personal data, shall provide the data subject with all of the following information:

  a) the identity and contact data of the operator and, as applicable, of its representative;
  b) the contact data of the data protection officer, as applicable;
  c) the purposes for which the personal data shall be processed, as well as the legal basis for the processing;
  d) in case the processing is performed in accordance with article 6 paragraph (1) letter (f), the legitimate interests followed by the operator or by a third party;
  e) the beneficiaries or the categories of beneficiaries of the personal data;
  f) if applicable, the operator’s intention to transfer personal data to a third-party country or international organization and the existence or absence of a decision of the Commission regarding the adequate character or, in the case of transfers mentioned under article 46 or 47 or under article 49 paragraph (1), second paragraph, a reference to adequate or appropriate guarantees and to the means by which a copy of said guarantees may be obtained, in case they have not been made available.

(2) In addition to the information mentioned under paragraph (1), upon obtaining the personal data, the operator shall provide the data subject with the following additional information so as to ensure an equitable and transparent processing activity:

  a) the period of time during which the personal data shall be stored or, if not possible, the criteria used to establish said period;
  b) the existence of the right to request, with regards to the personal data regarding the data subject, that the operator grant access to, rectify or delete this data or restrict the processing of said data or the right of refusing processing, as well as the right to data portability;
  c) when processing is based on article 6 paragraph (1) letter (a) or article 9 paragraph (2) letter (a), the existence of the right to withdraw consent at any given time, without affecting the legality of the processing performed based on the consent before its withdrawal;
  d) the right to submit a claim to the supervisory authority;
  e) if providing the personal data represents a legal or contractual requirement or a requirement necessary to conclude a contract, as well as if the data subject is required to provide personal data and what the potential consequences of breaching this obligation are;
  f) the existence of an equitable automated decision process, including creation of profiles, mentioned under article 22 paragraphs (1) and (4), as well as, at least in the respective cases, relevant information regarding the used logic and regarding the importance and foreseen consequences of such a processing for the data subject.

(3) In the case in which the operator intends to subsequently process the personal data with another purpose than that for which the data was collected, the operator shall provide the data subject, before the subsequent processing, information with regards to the secondary purpose and respectively any relevant additional information in accordance with paragraph (2).

(4) Paragraphs (1), (2) and (3) shall not apply if and to the extent to which the data subject already holds said information.

 

Art. 14: Information provided in case the personal data has not been obtained from the data subject

 

(1) In case the personal data has not been obtained from the data subject, the operator shall provide the data subject with the following information:

  a) the identity and contact data of the operator and, as applicable, of its representative;
  b) the contact data of the data protection officer, as applicable;
  c) the purposes for which the personal data shall be processed, as well as the legal basis for the processing;
  d) the targeted categories of personal data;
  e) the beneficiaries or the categories of beneficiaries of the personal data, as applicable;
  f) if applicable, the operator’s intention to transfer personal data to a beneficiary in a third-party country or international organization and the existence or absence of a decision of the Commission regarding the adequate character or, in the case of transfers mentioned under article 46 or 47 or under article 49 paragraph (1), second paragraph, a reference to adequate or appropriate guarantees and to the means by which a copy of said guarantees may be obtained, in case they have not been made available.

(2) In addition to the information provided under paragraph (1), the operator provides the data subject with the following information necessary so as to ensure an equitable and transparent processing with regards to the data subject:

  a) the period of time during which the personal data shall be stored or, if not possible, the criteria used to establish said period;
  b) in case the processing is performed in accordance with article 6 paragraph (1) letter (f), the legitimate interests of the operator or of a third party;
  c) the existence of the right to request, with regards to the personal data regarding the data subject, that the operator grant access to, rectify or delete this data or restrict the processing of said data and the right of refusing processing, as well as the right to data portability;
  d) when processing is based on article 6 paragraph (1) letter (a) or article 9 paragraph (2) letter (a), the existence of the right to withdraw consent at any given time, without affecting the legality of the processing performed based on the consent before its withdrawal;
  e) the right to submit a claim to the supervisory authority;
  f) the source from which the personal data originates and, if applicable, if said data originates from publicly available sources;
  g) the existence of an equitable automated decision process, including creation of profiles, mentioned under article 22 paragraphs (1) and (4), as well as, at least in the respective cases, relevant information regarding the used logic and regarding the importance and foreseen consequences of such processing for the data subject.

(3) The operator shall provide the information mentioned under paragraphs (1) and (2):

  a) within a reasonable period of time after having obtained the personal data, no later than a month, by taking into full consideration the specific circumstances in which the personal data is processed;
  b) if the personal data is to be used with the purpose of communicating with the data subject, no later than the first communication had with the data subject; or
  c) if there is an intention to disclose the personal data to another beneficiary, no later than the date upon which said data is disclosed for the first time.

(4) In case the operator intends to subsequently process the personal data with another purpose than that for which the data was obtained, the operator shall provide the data subject, before the subsequent processing, with information with regards to the secondary purpose and respectively any relevant additional information in accordance with paragraph (2).

(5) Paragraphs (1) – (4) shall not apply if and to the extent to which:

  a) the data subject already holds the information;
  b) providing said information proves to be impossible or would imply disproportionate efforts, especially in the case of processing with the purpose of archiving in public interest, purposes of scientific or historic research or statistical purposes, under the conditions and guarantees provided under article 89 paragraph (1), or to the extent to which the requirement mentioned under paragraph (1) of the present article is likely to render impossible or to gravely affect the accomplishment of the objectives associated with said processing activity. In such cases, the operator shall take adequate measures to protect the rights, liberties and legitimate interests of the data subject, including making the information available to the public;
  c) obtaining or disclosing said data is explicitly provided by the European Union’s Law or by internal law, to which the operator is subjected and which provides adequate measures to protect the legitimate interests of the data subject; or
  d) in case the personal data must remain confidential on the basis of a statutory requirement of professional secret regulated by the European Union’s Law or domestic law, including that of a legal obligation to keep the secret.

 

 

The (EU) Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) is to be applied in all Member States of the European Union as of May 25, 2018.

For more information, we recommend consulting the Data Protection Officer (DPO) Guide, which is available in the special section on the New Regulation on the website of the National Supervisory Authority for Personal Data – www.dataprotection.ro.

Author: Editor
