What rights do the individuals whose personal data we process have?

FORMAL ANSWER

The data subject has the following rights: the right of access to data (Article 15 GDPR), the right to rectification of data (Article 16 GDPR), the right to be forgotten, i.e. the right to erasure of data (Article 17 GDPR), the right to restriction of processing (Article 18 GDPR), the right to data portability (Article 20 GDPR), the right to object (Article 21 GDPR), the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her (Article 22 GDPR).

Furthermore, the controller has an obligation to provide the data subject with information about the processing of personal data (Articles 13 and 14 GDPR) and, where a request for rectification, erasure or restriction of processing is fulfilled, also an obligation to inform the recipients to whom the data have been disclosed (Article 19 GDPR).

PRACTICAL ANSWER

Besides requiring the information obligation towards data subjects to be fulfilled, GDPR grants them the following rights:

  • the ability to access data and obtain information, including by whom and how they are processed (see the question: "What is the information obligation?"), as well as to obtain a copy of the data,
  • if the data are inaccurate — to request their prompt rectification, and if incomplete — to request their completion,
  • to request erasure of data (exceptions include, inter alia, situations where the controller processes data in order to comply with a legal obligation, perform a contract or pursue its rights),
  • to request that use of the data be stopped and that processing be limited to storage — not only where, for example for evidential reasons, the data subject does not want unlawfully processed data to be erased, but also pending resolution of various kinds of disputes (e.g. concerning the accuracy of data or the validity of an objection lodged),
  • to request receipt — in a commonly used format — of data that the individual provided to the controller (this concerns data processed on the basis of consent or a contract; it does not cover data processed in the exercise of official authority or in the public interest),
  • to object to processing of data carried out to pursue the legitimate interests of the controller or third parties, or in the exercise of official authority or in the public interest,
  • the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects.

If the controller fulfils a request for rectification, erasure or restriction of processing, it must inform all recipients to whom the personal data have been disclosed.

Where our rights are not fulfilled or where data are processed in a manner inconsistent with GDPR, we may lodge a complaint with the President of the Polish DPA, and where damage has occurred — also claim compensation from the controller, which may involve court proceedings.
