Article 15 – 21 Rights of the data subject

The data subject has several rights outlined in Article 15 to 21 of the GDPR. These are:

  • The right of access by the data subject
  • The right to rectification
  • The right to erasure (“right to be forgotten”)
  • The right to restriction of processing
  • The right to data portability
  • The right to object
  • The right not to be subject to automated individual decision-making, including profiling

Right of access by the data subject

The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. If this is the case, the data subject has access to the personal data and the following information:

  • the purposes of the processing
  • the categories of personal data concerned
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
  • the right to lodge a complaint with a supervisory authority
  • where the personal data are not collected from the data subject, any available information as to their source
  • the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

Where personal data are transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate safeguards relating to the transfer.

Access to personal data must be granted without undue delay and in any event within a one-month period which can be extended by two further months.

Georgine Berger

"Where the data subject makes the request by electronic form means, information must also be provided by electronic means (Article 12 para 3 of the GDPR)."

FAQs

The controller must provide the information to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. The information must be provided in writing, or by other means, including, where appropriate, by electronic means. When requested by the data subject, the information may be provided orally, if the identity of the data subject is proven by other means.

On a website, the information obligation can be fulfilled in the form of a clearly visible link to a privacy policy at the bottom of each page.

Offline, the information can be provided on a separate information sheet or by reference to a notice board if the data is collected directly (for example, on business premises).

In the case of personal contact – e.g., by filling out a form – an information sheet can be enclosed, if the form refers to the additional sheet.

In the case of a telephone call in which data is collected, certain information must be provided directly in the conversation, and additional information can be referred to the website or a subsequent mailing.

To check the identity of the data subject, the controller may only request additional information if he has reasonable doubt about the data subject’s identity. The controller may not request an identification document from the data subject.

For example, if there was already e-mail communication between the controller and the data subject and the request came via the same e-mail, this is sufficient verification of the identity.

The information must be provided free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee or refuse to act on the request.

The data controller must provide a free copy of the personal data upon request by the data subject. For any additional copies requested by the data subject, the data controller may charge a reasonable fee.

If you provide the information required under the GDPR to the wrong person, instead of the intended data subject, it can be considered a breach of the data subject’s privacy rights (“data breach”) and a violation of the GDPR. For more information see the article on [data breach].

The controller must provide information to the data subject without undue delay after his or her request and in any event within one month of receipt of the request.

That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. In the case of such extension, the controller must inform the data subject about the extension within one month of receipt of the request, together with the reasons for the delay.

Besides potential reputational damage, if you provide incorrect or inaccurate information to a data subject, you might violate the GDPR.

Data subjects have various rights under the GDPR, such as the right of access, rectification, erasure, and restriction of processing. If you provide incorrect information regarding these rights or fail to provide the necessary information to exercise these rights, the data subject may be unable to effectively exercise their rights or take appropriate actions to control their personal data.

This can lead to investigations, and potential fines or penalties imposed by the relevant data protection authority.

To mitigate the potential consequences, it is important to promptly rectify any incorrect information provided to data subjects. This may involve issuing corrected information, clarifying any misunderstandings, and ensuring that the accurate and updated information is provided to the data subjects in a timely manner. Taking corrective actions and demonstrating a commitment to rectifying the situation can help alleviate the negative impact and restore trust with the data subjects.

It is crucial to have proper data management processes in place, including data quality control mechanisms, regular data audits, and staff training, to minimize the likelihood of providing incorrect information to data subjects and to maintain compliance with the GDPR.

Employees should receive training on how to act from a data protection perspective. This is crucial to reduce the risk that employees will release data rashly in response to requests.

The primary responsibility for fulfilling the information obligations lies with the controller. The processor does not have direct information obligations vis-à-vis the data subjects under the GDPR.

If a request is mistakenly addressed to a processor, the processor does not have an explicit duty to forward the request to the controller. However, the processor has a duty to assist the controller.

Forwarding a request for information to the controller is therefore recommended.
