Transparent information, communication and modalities for the exercise of the rights of the data subject (art. 12 GDPR)

The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information shall be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, provided that the identity of the data subject is proven by other means. The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject. The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. Where the data subject makes the request by electronic form means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject. If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Information provided under Articles 13 and 14 and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request. Without prejudice to Article 11, where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject. The information to be provided to data subjects pursuant to Articles 13 and 14 may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner a meaningful overview of the intended processing. Where the icons are presented electronically they shall be machine-readable.

Information to be provided where personal data are collected from the data subject or not been obtained from the data subject (art. 13 and 14 GDPR)

A data subject must be informed of the fact that processing of his personal data takes place or will take place and what the purposes are. The GDPR indicates which information must in any case be provided, for example information about the period, the rights of the data subject, the source of data and the legal basis for the processing. If the purpose of the processing changes, information must also be provided.

Right of access by the data subject (art. 15 GDPR )

Data subjects have the right to know whether their personal data are processed by the controller. The gdpr contains a list of the information to which the right of access applies. The controller must provide the person concerned with a copy of the personal data being processed.

Right to rectification (art. 16 GDPR)

The person concerned is entitled to rectification of him concerning inaccurate personal data or the right to provide a supplementary declaration if the processing takes place on the basis of incomplete data. The rectification must take place immediately. The controller is obliged to notify any recipient to whom personal data have been provided of any rectification, unless this is impossible or requires a disproportionate amount of effort.

Right to erasure (‘right to be forgotten’) (art. 17 GDPR)

The controller is obliged to delete personal data of the data subject without unreasonable delay, if, for example: personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • the person concerned has withdrawn his permission and there is no other legal basis for processing;
  • the person concerned objects to the processing and there are no compelling justified reasons for the processing that prevail;
  • the personal data have been processed unlawfully.

The data subject has the right to demand that all information that can be traced directly or indirectly to him is removed. This means that the organization that processed the personal data must also ensure that data that has ended up elsewhere (for example, a potential employer) is removed there. Data deletion is not always mandatory, for example when they are still needed for the purposes for which they were processed.

Right to restriction of processing (art. 18 GDPR)

The right to restriction means that the personal data may (temporarily) not be processed and may not be changed. The fact that the processing of the personal data is limited must be clearly indicated in the file by the controller, so that this is also clear for recipients of the personal data. When the restriction is lifted again, the person concerned must be informed. Processing must be limited, inter alia, when the data subject argues that the processed personal data is incorrect or the processing is unlawful and the data subject opposes erasure and requests a restriction

Notification obligation regarding rectification or erasure of personal data or restriction of processing (art. 19 GDPR)

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17 and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

Right to data portability (art. 20 GDPR)

The right to data portability means that a data subject has the right to obtain his personal data from a controller in a structured, current and machine-readable form. A data subject must thus be able to transfer his personal data without obstacles to a new controller, for example when switching service providers. The right to data portability exists only if the processing is based on consent or on an agreement and the processing is automated.

Right to object (art. 21 GDPR)

A person can, for reasons connected with his specific situation, make use of this right of objection (which is not comparable to an objection on the grounds of the AWB (AWB is a Dutch law that contains the general rules for the relationship between the government and individual citizens, companies and the like.) against the processing of personal data relating to him, if the requirements set out in the Regulation are met. . If a data subject objects, the controller will stop processing, unless compelling justified grounds determine otherwise.

Automated individual decision-making, including profiling (art. 22 GDPR)

This right can be considered, for example, the automatic refusal of an online application for credit or the processing of applications via the internet without human intervention. Automated individual decision making is possible in three cases:
  • it is necessary for the realization or execution of an agreement;
  • it is permitted by an EU or Member State provision;
  • it is based on the express permission of the person concerned.

Restrictions (art. 23 GDPR)

Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
  • (a) national security
  • (b) defence
  • (c) public security
  • (d) the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security
  • (e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation a matters, public health and social security
  • (f) the protection of judicial independence and judicial proceedings
  • (g) the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions
  • (h) a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g)
  • (i) the protection of the data subject or the rights and freedoms of others
  • (j) the enforcement of civil law claims

Directive 95/46/EC (General Data Protection Regulation)