GDPR

The General Data Protection Regulation (GDPR) grants the following rights to persons whose personal data is processed (the data subjects):

Right to information

(art 13-14 GDPR)

A data subject must be informed of the fact that processing of his personal data is taking place or will take place and of the purposes of this. The data subject will also be informed again if the purpose of the processing changes.

Right of access

(art 15 GDPR)

A data subject has the right to view the personal data that is processed about him/her. The controller must provide the data subject with a copy of the personal data being processed.

Right to rectification

(art 16 GDPR)

A data subject has the right to have incorrect personal data concerning him/her corrected or supplemented. The correction must be made immediately. The controller is obliged to notify any recipient to whom personal data has been disclosed of any rectification, unless this is impossible or involves a disproportionate effort.

Right to erasure / oblivion

(art 17 GDPR)

The controller is obliged to delete personal data of the data subject without undue delay, including when:

  • personal data are no longer necessary for the purposes for which they were collected or processed;
  • the data subject withdraws consent and there is no other legal ground for processing;
  • the data subject objects to the processing;
  • the personal data has been unlawfully processed.

Right to object / right to restriction of processing

(art 18 GDPR)

The right to restriction means that the personal data may not be (temporarily) processed and may not be changed. The fact that the processing of the personal data is restricted must be clearly indicated in the file by the controller so that this is also clear to recipients of the personal data. When the restriction is lifted again, the person concerned must be informed.

Right to portability / data portability

(art 20 GDPR)

This right means that a data subject must be able to obtain data from a controller in a structured, commonly used and machine-readable form and have the right to transfer or have such data transferred directly to another controller without hindrance unless this is detrimental rights and freedoms of others. A data subject has the right to transferability insofar as it concerns data provided by him/her.

Right to object

(art 21 GDPR)

A data subject can exercise this right to object to the processing of personal data concerning him or her for reasons related to his particular situation, if the requirements set out in the Regulation are met. If a data subject objects, the controller shall cease processing, unless compelling legitimate grounds provide otherwise.

Right not to be subject to automated individual decision-making / profiling

(art 22 GDPR)

This right may include, for example, the automatic refusal of a request for quotation submitted online or the processing of applications via the Internet without human intervention. Automated individual decision-making is possible in three cases:

  • it is necessary for the conclusion or performance of an agreement;
  • it is permitted by a provision of Union or Member State law;
  • it is based on the explicit consent of the data subject.

For more information about the rights of data subjects, please contact the European Data Protection Authority.