Information on rights I have with respect to processing of my personal data
Information on rights under “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”. This regulation no. 2016/679 is hereinafter referred to as “General Data Protection Regulation” or “GDPR”.
I confirm that I was informed about my rights pertaining to the processing of my personal data as arising out of Articles 13, 15-22 and 34 of GDPR. I know that the said provisions are effective as of 25 May 2018.
I know that:
- under Article 13 of the GDPR:
- I have the right to request the Controller to grant access to my personal data,
- I have the right to request the Controller to rectify or erase my personal data or to restrict processing and to object to processing and to data portability,
- I have the right to lodge a complaint with a supervisory authority,
- the provision of my personal data is not a statutory or contractual requirement, and, therefore, I am not obliged to provide my personal data to the Controller, and I was informed about consequences of failure to provide my personal data (see paragraph 11 in the part “Contents of the consent to processing of my personal data”),
- under Article 15 of the GDPR – right to access to my personal data:
- I have the right to obtain from the Controller a confirmation as to whether or not my personal data is being processed and if that is the case, to access my personal data and the following information: a) purposes of the processing, b) categories of personal data concerned, c) the recipients or categories of recipients to whom my personal data have been or will be disclosed, in particular recipients in third countries or international organizations, d) the envisaged period for which my personal data will be stored, or, if not possible, the criteria used to determine that period, e) the existence of the right to request from the Controller a rectification or erasure of my personal data or a restriction of processing of my personal data concerning me or to object such processing, f) the right to lodge a complaint with a supervisory authority, g) available information as to the source of my personal data (if my personal data is not collected from me), h) the existence of automated decision-making, including profiling referred to in Article 22(1) and (4) of GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significant and the envisaged consequences of such processing for me.
- I have the right to be provided a copy of my personal data undergoing processing by the Controller. For any further copies requested by me the Controller may charge a reasonable fee based on administrative costs. If I make the request by electronic means, the information will be provided in a commonly used electronic form, unless I request otherwise.
- under Article 16 of the GDPR – right to rectification of my personal data:
- I have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning me. Concerning the purposes of the processing, I have the right to have complete any incomplete personal data, including by means of providing a supplementary statement.
- under Article 17 of the GDPR – right to erasure of my personal data:
- I have the right to obtain from the Controller the erasure of my personal data without undue delay where one of the following grounds applies: a) my personal data are no longer in relation to the purposes for which they were collected or otherwise processed, b) I withdraw this consent on which the processing is based and there is no other legal ground for the processing, c) I have objected to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or I have objected to the processing pursuant to Article 21(2) of the GDPR, d) my personal data have been unlawfully processed, e) my personal data have to be erased for compliance with a legal obligation in the European Union or in any of its member state to which the Controller is subject.
- the above stated under letter h) shall not apply to the extent that processing of my personal data is necessary: a) for exercising the right of freedom of expression and information, b) for compliance with a legal obligation which requires processing by the European Union or any of its member state law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller,
c) for reasons of public interest in the area of public health, d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR, e) for establishment, exercise or defense of legal claims.
- under Article 18 of the GDPR – right to restriction of processing my personal data:
- I have the right to obtain from the Controller restriction of processing where one of the following applies: a) if the accuracy of my personal data is contested by me, for a period enabling the Controller to verify the accuracy of my personal data, b) the processing in an unlawful manner and I will oppose the erasure of my personal data and I will request the restriction of its use instead, c) the Controller no longer needs my personal data for the purpose of the processing but they are required by me for establishment, exercise or defense of legal claims, d) I will object to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the Controller override those of mine.
- where processing has been restricted pursuant to letter j. hereinabove, my personal data will, with the exception of storage, only be processed with my consent or for establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or any of its member state.
- under Article 19 of the GDPR – right to notification regarding rectification or erasure of my personal data or restriction of their processing:
- the Controller is obliged to communicate any rectification or erasure of my personal data or restriction of processing to each recipient to whom my personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller will inform me about those recipients if I will request it.
- under Article 20 of the GDPR – right to data portability:
- I have the right to receive personal data concerning me, which I have provided to the Controller, in a structured, commonly used and machine-readable format and I have the right to transmit the data to another controller without hindrance from the Controller, provided that the processing is carried out by automated means. In exercising my right to data portability under the previous sentence, I have the right to have the personal data transmitted directly from the Controller to another, where technically feasible.
- under Article 21 of the GDPR – right to object:
- I have the right to object, on grounds relating to my particular situation, at any time to processing of my personal data which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The Controller will no longer process my personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of mine or for the establishment, exercise or defense of legal claims.
- I may exercise my right to object by automated means using technical specifications.
- under Article 22 of the GDPR – automated individual decision-making, including profiling:
- I have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning me or similarly significantly affects me. The previous sentence shall not apply if the decision: a) is necessary for entering into, or performance of, a contract between me and the Controller; (b) is authorised by the European Union or any of its member state law to which the Controller is subject and which also lays down suitable measures to safeguard my rights and freedoms and legitimate interests; or (c) is based on my explicit consent.
- under Article 34 of the GDPR – communication of a personal data breach:
- When the personal data breach is likely to result in a high risk to my rights and freedoms, the Controller shall communicate the personal data breach to me without any undue delay.
- The communication to me referred to in letter q. hereinabove is not required if any of the following conditions are met: a) the Controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as an encryption; b) the Controller has taken subsequent measures which ensure that the high risk to myrights and freedoms referred to in letter q. hereinabove is no longer likely to materialise; c) it would involve a disproportionate effort.