Data Protection Rights
Know your Rights
Chapter 3 of the GDPR provides the rights which data subjects may exercise with regard to their personal data. Below is a list of these rights together with a brief explanation to assist you in understanding what each one means and how you may exercise your rights.
Right to be informed
Pursuant to the principle of transparency, a controller is required to inform you if it is processing your personal data. The controller must provide clear and detailed information about the processing activities, including the following:
- The purpose for which your personal data is being processed.
- The legal basis for the processing.
- How long your personal data will be retained, or the criteria used to determine the retention period.
- Whether your personal data will be shared with third parties, including the names or categories of recipients.
- Whether your personal data will be transferred to a third country, including the country concerned and the safeguards in place to protect your data.
- Your data protection rights.
- Whether your personal data will be used for profiling or other forms of automated decision-making, including meaningful information about how it works and the possible consequences for you.
- The contact details of the controller and the data protection officer, if applicable.
- Your right to lodge a data protection complaint with this Office.
The controller is required to give this information at the time it collects your personal data. If it obtains your data from another source, it should provide such information within one month. The controller generally provides this information by means of a data protection notice.
Right of Access by the Data Subject
In terms of article 15 of the GDPR, you have the right to obtain confirmation from the controller as to whether your personal data is being processed. If it is, you are entitled to request access to that data.
When responding to your request, the controller must provide:
- A copy of your personal data undergoing processing; and
- The additional information required under article 15(1) of the GDPR, such as the purposes of the processing, the categories of personal data concerned, the recipients of the data, the retention period, your data protection rights and your right to lodge a complaint with this Office.
A controller must respond to your request without undue delay and, in any event, within one (1) month from the date of receipt of the request.
Right to rectification
You have the right to obtain from a controller the rectification of inaccurate personal data. To exercise your right you should inform the controller that you are challenging the accuracy of your data and want it corrected. You should:
- state clearly what you believe is inaccurate or incomplete;
- explain how the controller should correct it; and
- where available, provide evidence of the inaccuracies.
It is recommended that you make your request in writing to the controller wherein you explain your concern and give the necessary evidence to support your claim to have your data corrected. In the event that you would like to challenge the controller’s response or lack of action, you need to provide us with clear proof of your engagement with the controller so that we will be able to investigate your complaint.
Right to erasure
The right to get your personal data erased, also known as the ‘right to be forgotten’ (EDPB guideline available here), entitles you to request a controller that holds data about you to delete it. This applies when one of the following grounds applies:
- The controller no longer needs your data for the original reason they collected or used it for.
- You initially consented to the organisation using your data, but have now withdrawn your consent.
- You have objected to the use of your data, and your interests outweigh those of the organisation using it.
- You have objected to the use of your data for direct marketing purposes;
- The organisation has a legal obligation to erase your data.
- The data was collected from you as a child for an online service.
The controller can refuse to erase your data in any of the following circumstances:
- When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes).
- When the organisation is legally obliged to keep hold of your data such as to comply with legal obligations.
- When the organisation is carrying out a task in the public interest or when exercising its official authority.
- When keeping your data is necessary for establishing, exercising or defending legal claims.
- When erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.
Right to data portability
When the processing of your personal data is based on your consent or on the basis of a contract and the processing is carried out by automated means, you have a right to receive the personal data in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
To access the guidelines adopted by the EDPB on the right to data portability, click here
Right to object
You have the right to object to a controller processing your personal data at any time. This means that you can stop the controller from using your personal data. Having said that, this right applies in specific circumstances, and in particular, where your personal data is being processed:
- for the performance of a task carried out in the public interest;
- for the exercise of official authority;
- for the purposes of the controller’s legitimate interests;
- for scientific, historical or statistical purposes; or
- for direct marketing purposes.
Right in relation to automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply where the decision:
- is necessary for entering into, or performance of, a contract between the data subject and the controller;
- is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
- is based on your explicit consent.
You may access the Guidelines issued by the EDPB on this right here.
Right to lodge a complaint with this Office
If you consider that the processing of personal data relating to you infringes the GDPR, you have the right to lodge a complaint with the IDPC against the controller involved and the case will be investigated accordingly.
It’s important to know that all these rights can be exercised directly with the data controller or with the Data Protection Officer (DPO) when designated. Moreover, the controller shall provide a response within one month from receipt of a communication, according to article 12(3) of the GDPR. In the event that the controller fails to respond or if otherwise you are not satisfied with the reply, you may lodge a complaint through our online form.
The controller could extend the time to respond if the request is complex or when receiving several requests from the individual. In such cases, the controller must still reply within one month of receiving their request and explain why the extension is necessary.
Where the controller has reasonable doubts concerning the identity of the data subject exercising his or her rights under the GDPR, it may request the provision of additional information necessary to confirm the identity of the data subject.
