Rights of the data subject under the GDPR

If your personal data is being processed, you are a data subject in the meaning of the GDPR and you are entitled to enforce the following rights against the controller:

1. Right to information

You can ask the person in charge to confirm whether personal data concerning you will be processed by us.

Where that is the case, you have the right to obtain the following information from the controller:

  1. the purposes for which the personal data are processed;
  2. the categories of the personal data that is processed;
  3. the recipients or the categories of recipients to whom your personal data have been or will be disclosed;
  4. the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
  5. the existence of a right to have your personal data concerning you corrected or deleted, a right to have processing restricted by the controller or a right to object to such processing;
  6. the existence of a right of appeal to a supervisory authority;
  7. any available information on the origin of the data if the personal data are not collected from the data subject;
  8. the existence of automated decision-making, including profiling, referred to in Article 22 paragraph 1 and 4 GDPR and - at least in those cases - meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information on whether your personal data is transferred to a third country or to an international organisation. In this context, you have the right to be informed of the appropriate safeguards pursuant to Art. 46 GDPR relating to the transfer.

2. Right to rectification

If your personal data being processed is incorrect or incomplete, you have the right to demand from the controller correction and/or completion,. The controller has to make the correction without undue delay.

3. Right to restriction of processing

You have the right to obtain restriction of processing of your personal data where one of the following applies:

  1. if the accuracy of the personal data relating to you is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
  2. if the processing is unlawful and you oppose the erasure of the personal data and requests the restriction of their use instead;
  3. if the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or
  4. if you have objected to processing pursuant to Art. 21 paragraph GDPR pending the verification whether the legitimate grounds of the controller override those of yourself.

Where processing of the personal data relating to you has been restricted, such personal data shall - with the exception of storage - only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If restriction of processing has been obtained pursuant to the above named conditions, you will be informed by the controller before the restriction of processing is lifted.

4. Right to erasure

a) Obligation to erase

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. the personal data relating to you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  2. You revoke your consent, on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a DSGVO, and there is no other legal basis for the processing.
  3. you object to the processing pursuant to Article 21 paragraph 1 GDPR and there are no overriding legitimate grounds for the processing, or your object to the processing pursuant to Art. 21 paragraph 1 GDPR.
  4. the personal data relating to you has been unlawfully processed.
  5. the personal data relating to you has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
  6. the personal data relating to you has been collected in relation to the offer of information society services referred to in Art. 8 paragraph 1 GDPR.

b) Information to third parties

Where the controller has made the personal data relating to you public and is obliged pursuant to Art. 17 paragraph 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c) Exceptions

The right to erasure shall not apply, insofar as processing is necessary 

  1. for exercising the right of freedom of expression and information.
  2. for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health in accordance with Art. 9 paragraph 2 lit. h and i in conjunction with Art. 9 paragraph 3 GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 paragraph 1 GDPR in so far as the right referred to in a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
  5. to assert, exercise or defence of legal claims.

5. Right to information

If you have exercised your right to have the controller correct, erase or restrict the processing of your data, the controller shall be obligated to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom your personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to demand that the controller inform you about those recipients.

6. Right to data portability

You have the right to to receive the personal data concerning you, which you provided to the controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  1. the processing is based on consent pursuant to. Art. paragraph 1 lit. a GDPR or Art. 9 paragraph 2 lit. a GDPR or on a contract pursuant to point. Art. 6 paragraph 1 lit. b GDPR and
  2. the processing is carried out by automated means.

Furthermore, in exercising your right to data portability you shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

This shall not adversely affect the rights and freedoms of others.

The right to data portability shall not apply to processing of personal data this is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 paragraph 1 lit. e or f GDPR, including profiling based on those provisions.

The controller shall no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, the personal data concerning you shall no longer be processed for such purposes.

In the context of the use of information society services - notwithstanding Directive 2002/58/EC - you may exercise your right to object by automated means using technical specifications.

8. Right to revoke the data protection declaration of consent

You shall have the right to withdraw your data protection declaration of consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9. Automated individual decision making, including profiling

You shall have the right not to be subject to a decision based solely on automated processing - including profiling - which produces legal effects concerning you or similarly significantly affects you.

This shall not apply if the decision

  1. is necessary for entering into, or performance of, a contract between you and the data controller;
  2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  3. is based on your explicit consent.

However, these decisions shall not be based on special categories of personal data referred to in Art. 9 paragraph 1 GDPR, unless Art. 9 paragraph 2 lit. a or g applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.