Information for individuals

When your personal data is processed, you must receive, among other things, information about:

• the name of the company or organisation that is processing your data (including the contact details of the DPO, if there is one)
• the purposes for which the company/organisation will use your data
• the categories of personal data concerned
• the legal basis for processing your personal data
• the length of time for which your data will be stored
• other companies or organisations that will receive your data
• whether data will be transferred outside the EU
• your basic rights in the field of data protection (for example, the right to access and transfer data or have it removed)
• the right to lodge a complaint with a Data Protection Authority (DPA)
• the right to withdraw your consent at any time
• the existence of automated decision-making and the logic involved, including the consequences thereof

When your personal data has not been obtained directly from you but from another source, you must receive the same information as above (apart from the right to withdraw your consent). In addition, you should be informed from which sources your personal data originates and whether it comes from publicly accessible sources. 

In this case, you have the right to be informed at the latest within one month after your data has been obtained or when the controller is first communicating with you, unless it improves impossible or would involve disproportionate effort to inform you, or obtaining the information from you is based on law.

The information on the processing of your personal data should be presented in a concise, transparent, intelligible way and drafted in clear and plain language.

References

• Articles 12, 13 and 14 and Recitals (60) to (62) of the GDPR
• EDPB Guidelines on transparency under Regulation (EU) 2016/679

You have a right to ask for and obtain from the company or organisation confirmation as to whether or not it holds any personal data which concerns you.

If they do have your personal data then you have the right to access that data, be provided with a copy and get any relevant additional information (such as their reason for processing your personal data, the categories of personal data used, etc.).

This right of access should be easy and be made possible at reasonable intervals. The company or organisation should provide a copy of your personal data free of charge. Any further copies may be subject to a reasonable fee. When the request is made by electronic means (for example through an e-mail), and unless otherwise requested by you, the information should be provided in a commonly used electronic form.

This right is not absolute: the use of the right to access your personal data should not affect the rights and freedoms of others, including trade secrets or intellectual property.

Examples

You borrow books from a library. You can ask the library to provide you with the personal data which concerns you that they hold. The library should then provide you with all information about you that is stored by them. For example, when you first started using the library services, which books you have borrowed; whether you have ever had any book overdue and fines you might have incurred.

You subscribed to a loyalty card scheme of a supermarket chain located in different parts of the city and throughout the country. If you use your right to ask for information about and obtain your personal information stored by the loyalty card scheme, you should receive information about, for example, how often you used the card, at which supermarkets you did your shopping, any discounts you were awarded and whether you were targeted through the use of profiling techniques, and in which way, whether the supermarket, which is part of a multinational chain of companies, has disclosed your data to its sister company selling perfumes and cosmetics.

References

• Article 15 and Recitals 63 and 64 of the GDPR
• EDPB Guidelines 01/2022 on data subject rights - Right of access

If you believe that your personal data might be incorrect, incomplete or inaccurate you can ask the company or organisation to correct your data. They must do so without undue delay (in principle within 1 month) or justify in writing why the request cannot be accepted.

Example

A credit bureau processes information provided by your former landlord whereby it is stated that you owe him 3 months’ rent. You have just won a legal dispute and his claim for the 3 months’ rent was ruled to be unfounded. You may ask the credit bureau to correct the data it holds about you so that you aren’t put at a disadvantage in the future when credit requests are processed.

References

• Articles 12, 16, 19 and Recital (65) of the GDPR

You can ask for your personal data to be deleted when, for example, the data the company or organisation holds on you is no longer needed or when your data has been used unlawfully. Personal data provided when you were a child can be deleted at any time.

This right also applies online and is often referred to as the ‘right to be forgotten’. In specific circumstances, you may ask companies that have made your personal data available online to delete it. Those companies are also obliged to take reasonable steps to inform other companies (controllers) that are processing the personal data that the data subject has requested the erasure of any links to, or copies of, that personal data.

The right to erasure is not an absolute right. It does not apply, for instance, when the processing is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation which requires processing, or for the exercise of legal claims.

Examples

Data should be deleted

You have joined a social networking site. After a while, you decide to leave the networking site. You have the right to ask the company to delete the personal data belonging to you.

Data can’t immediately be deleted

A new bank offers good home loan deals. You’re buying a new house and decide to switch to the new bank. You ask the ‘old’ bank to close down all accounts and request to have all your personal details deleted. The old bank, however, is subject to a law obliging banks to store all customer details for 10 years. The old bank can’t simply delete your personal details. In this case, you may want to ask for restriction of processing of your personal data. The bank may then only store the data for the period of time required by law and can’t perform any other processing operations on them.

Data should be deleted

When you do an online search using your name and surname the results show a link to a newspaper article. The information in the newspaper dates back a number of years and is related to an issue – a real-estate auction connected with debt recovery proceedings – settled a long time ago that is now irrelevant. If you are not a public figure and your interest in having the article removed outweighs the general public’s interest in having access to the information then the search engine is obliged to remove links to web pages including your name and surname from the results.

References

• Articles 12 and 17 and Recitals (65) and (66) of the GDPR
• EDPB Guidelines 5/2019 on the criteria of the Right to Forgotten in the search engines under the GDPR 

Generally speaking, in cases where it’s unclear whether and when personal data will have to be deleted, you may exercise your right to restriction of processing. That right can be exercised when:

• you contest the accuracy of the data in question, for the time needed to verify its accuracy
• you do not want the data to be erased although the processing is unlawful
• the data is no longer needed for its original purpose but you need it for the exercise or defence of legal claims
• you object to the processing, for the time needed to verify whether the processing is lawful

‘Restriction’ means that your personal data may, with the exception of storage, only be processed with your consent for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person or for reasons of public interest of the EU or of an EU Member State.  You must be informed before the restriction is lifted.

Example

A new bank on the domestic market offers good home loan deals. You are buying a new house and so decide to switch banks. You ask the ‘old’ bank to close down all accounts and request to have all your personal details deleted. The old bank, however, is subject to a law obliging banks to store all customer details for 10 years. The old bank is legally obliged to store your data but you  can still ask for restriction of the data to make sure that it’s not accidentally used for unwanted purposes.

References

Article 18 and Recital (67) of the GDPR

If a company or organisation is processing your personal data by automated means, on the basis of your consent or a contract, you can ask the company to transmit your personal data to you.

You can also ask for your personal data to be transferred directly to another company whose services you would like to use, when it’s technically feasible.

Example

You are a member of an online social media network. You decide that a new rival social media network is better suited to your aims and age-group. You can ask your current online social media network to transfer your personal data, including your photos, to the new social media network.

References

• Article 20 and Recital (68) of the GDPR
• EDPB Guidelines on the right to data portability

You have the right to object to the processing of your personal data and ask a company or organisation to stop processing your personal data if is being processed for the purpose of:

• direct marketing
• scientific/historical research and statistics
• their own legitimate interest or in carrying out a task in the public interest or for an official authority

If you object to direct marketing, the company must stop using your personal data and comply with your request without asking for a fee.

However, a company or organisation can continue to process your personal data, despite your objections, if:

• in the case of processing for the purposes of scientific or historical research and statistics, the processing is necessary for the performance of a task carried out for reasons of public interest;
• in the case of processing based on legitimate interests or on the performance of a task in the public interest or exercise of official authority, they can prove that they have compelling legitimate grounds that override your interests, rights and freedoms. Therefore, a balancing exercise is required.

The company should inform you of your right to object when they first make contact with you.

Example

You bought two tickets to see your favourite band play live through an online ticketing company. Afterwards, you are bombarded with adverts for concerts and events that you’re not interested in. You inform the online ticketing service company that you don’t want to receive further advertising material. The company should stop processing your personal data for direct marketing and, shortly afterwards, you should no longer receive emails from them. They shouldn’t charge you for this.

References

• Articles 7, 12 and 21 and Recitals (69) and (70) of the GDPR

Profiling is done when your personal aspects are being evaluated in order to make predictions about you, even if no decision is taken. For example, if a company or organisation assesses your characteristics (such as your age, sex, height) or classifies you in a category, this means you are being profiled.

Decision-making based solely on automated means happens when decisions are taken about you by technological means and without any human involvement. They can be taken even without profiling.

The data protection law establishes that you have the right not to be subject to a decision based solely on automated means, if the decision produces legal effects concerning you or significantly affects you in a similar way. A decision produces legal effects when your legal rights are impacted (such as your right to vote). In addition, processing can significantly affect you if it influences your circumstances, behaviour or choices. For example automatic processing may lead to the refusal of your online credit application.

Profiling and automated decision-making are common practice in a number of sectors, such as banking and finance, taxation and healthcare. It can be more efficient, but may be less transparent and may restrict your choice.

Although, as a general rule, you may not be the subject of a decision based solely on automated processing, this type of decision-making may exceptionally be allowed if the use of algorithms is allowed by law and suitable safeguards are provided.

Decisions based solely on automated means are also allowed where:

• the decision is necessary - that is to say, there must be no other way to achieve the same goal to enter or perform a contract with you
• you have given your explicit consent

In both instances, the decision taken needs to protect your rights and freedoms, by implementing suitable safeguards. The company or organisation must, at least, inform you of your right to  human intervention and to make the required procedural arrangements. Furthermore, the company or organisation should allow you to express your point of view and inform you that you may contest the decision.

Algorithm-based decisions may not make use of special categories of data, unless you have given your consent or the processing is allowed by EU or national law (see above).

Example

You use an online bank for a loan. You are asked to insert your data and the bank’s algorithm tells you whether the bank will grant you the loan or not and gives the suggested interest rate. You must be informed that you may express your opinion, contest the decision and demand that the decision made via the algorithm be reviewed by a person.

References

• Article 22 and Recitals (71) and (72) of the GDPR
• EDPB Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation (EU) 2016/679

If you think your data protection rights have been breached, you have three options:  

• lodge a complaint with your national Data Protection Authority (DPA)
  The authority investigates and informs you of the progress or outcome of your complaint within 3 months.
• take legal action against the company or organisation
  File an action directly in court against a company/organisation if you believe that it has violated your data protection rights. This doesn’t stop you lodging a complaint with the national DPA if you so wish.
• take legal action against the DPA
  If you believe that the DPA has not handled your complaint correctly or if you aren’t satisfied with its reply or if it doesn’t inform you with regard to the progress or outcome within 3 months from the day you lodged your complaint, you can bring an action directly before a court against the DPA.

Sometimes, the company against which the complaint has been lodged processes data in different EU Member States. In this particular case, the competent DPA handles the complaint in cooperation with the DPAs based in the other EU Member States. This system, called the ‘one-stop-shop mechanism’, ensures complaints are handled more efficiently. For example, it may help connect your complaint with similar complaints lodged in other EU Member States. The DPA where you have lodged the complaint is your main contact point.

Example

You enjoy running. You have bought a watch which calculates your heart rate and speed per kilometre, tracks your route and gathers other relevant data. You upload all your data on the website. You realise that your data has been mixed up with someone else’s. You can file a complaint before your DPA against the website.

References

• Articles 60, 77, 78, 79 and 80 and Recitals (141), (142), (143) and (145) of the GDPR

A personal data breach occurs when there’s a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed. If this happens, the organisation holding the personal data must notify the supervisory authority without undue delay. If the personal data breach is likely to result in a high risk to your rights and freedoms and the risk hasn’t been mitigated, then you, as an individual, must also be informed.

Example

You booked your taxi via an online application. The taxi company has suffered a massive personal data breach and driver and user data has been stolen. It appears that no specific security measure was in place to protect the personal data. The company should have informed you about the breach. In this case, you can file a complaint against the taxi company before the national Data Protection Authority ('DPA').

References

• Articles 32, 33 and 34 and Recitals (85) to (88) of the GDPR
• EDPB Guidelines 9/2022 on personal data breach notification under GDPR

DPAs are independent public authorities that monitor and supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints that may have breached the law.  

Contact your national Data Protection Authority

References

• Articles 51, 52, 55, 57 and 58 of the GDPR

You have the right to mandate an NGO to lodge a complaint on your behalf when the following conditions are fulfilled:

1. the NGO is constituted in accordance with the law
2. the NGO pursues a public interest objective (for example improving citizens’ life in the consumer area)
3. the NGO is active in the area of data protection

The complaint can be filed both before the relevant Data Protection Authority and also, if the case arises, before a judicial authority. In certain EU Member States, national legislation allows an NGO to lodge a complaint without your mandate.

References

• Article 80 and Recital (142) of the GDPR

You can claim compensation if a company or organisation hasn’t respected the data protection law and you’ve suffered material damages (for example financial loss) or non-material damages (for example distress or loss of reputation). You can make a claim to the company or organisation concerned or before the national courts. You can claim compensation before the courts of the EU Member State where the controller or processor is established. Alternatively, such proceedings may be brought before the courts of the EU Member State of your habitual residence.

Example

You place an order on a website. The site suffers a cyber-attack because it doesn’t have adequate security. Your credit card details have been put on another website and used to buy items you never ordered. You can claim compensation from the website for the financial damage as they have breached the data protection law by not providing adequate security when processing data.

References

• Article 82 and Recitals (146) and (147) of the GDPR

The GDPR applies strict rules for processing data based on consent. The purpose of these rules is to ensure that the individual understands what he or she is consenting to. Consent must be freely given, specific, informed and unambiguous.

A consent request needs to be presented in a clear and concise way, using language that is easy to understand, and be clearly distinguishable from other pieces of information such as terms and conditions. The request has to specify what use will be made of your personal data and include contact details of the company processing the data.

Informed consent means that you must be given information about the processing of your personal data, including at least: 

• the identity of the organisation processing data
• the purposes for which the data is being processed
• the type of data that will be processed
• the possibility to withdraw consent (for example by sending an email to withdraw consent)
• where applicable, the fact that the data will be used for decision-making based solely on automated processing, including profiling
• information about whether the consent is related to an international transfer of your data, the possible risks of data transfers to countries outside the EU if those countries are not the subject of a Commission adequacy decision and there are no adequate safeguards

Examples

Consent not requested as per terms of the law

You enrol at a music school to take piano classes. The enrolment form contains a long document drafted in small print using highly legal and technical terms, which includes the possibility that the school may pass on your personal details to retailers selling musical instruments. The school is in breach of the law as your consent to receive marketing material (potentially from instrument retailers) was not requested as stipulated by law. 

You are opening a bank account online and want to confirm your request. You are shown a page with two tick boxes saying ‘I accept the terms and conditions’ and ‘I agree that the decision whether I am entitled to a credit card is solely based upon profiling without any human intervention’. Both tick boxes are activated (checked) by default. You have to deactivate the tick box if you do not want to be subject to a decision on whether you are entitled to a credit card based solely on profiling. Even if you do not deactivate the tick box, the bank would not have obtained valid consent as pre-ticked boxes are not considered to be valid consent under the GDPR.

References

• Articles 6 and 7 and Recitals (42) and (43) of the GDPR
• EDPB Guidelines on Consent under Regulation (EU) 2016/679

The employer-employee situation is generally considered as an imbalanced relationship in which the employer wields more power than the employee. Since consent has to be freely given, and in light of the imbalanced relationship, your employer in most cases can’t rely on your consent to use your data.

There might be situations in which processing of an employee’s personal data based on the employee’s consent is lawful, especially if there cannot be any adverse consequences whether or not the consent is given. For example, if a company grants benefits to the employee or their family members (e.g. discounts on the company’s services), processing of the employee's personal data is allowed and lawful, if informed prior consent was given.

Example

Consent not valid

Your employer believes that work productivity needs to be improved. To do this he intends to install CCTV cameras in the corridors and at the entrance to the bathrooms. He asks you to give your consent so that he can monitor your movements and the time spent out of office. Even if you do consent, it would be considered invalid and your employer can’t install CCTV based on that consent.

References

• Articles 7 and 88 and Recital (43) of the GDPR
• Article 29 Working Party Guidelines on Consent under Regulation (EU) 2016/679 (WP 259)
• Article 29 Working Party Opinion 2/2017 on data processing at work (WP 249)
• EDPB Guidelines 5/2020 on consent under Regulation 2016/679

Additional protection is granted to this type of personal data since children are less aware of the risks and consequences of sharing data and of their rights. Any information addressed specifically to a child should be adapted to be easily accessible, using clear and plain language.

For most online services the consent of the parent or guardian is required in order to process a child’s personal data on the grounds of consent up to a certain age. This applies to social networking sites as well as to platforms for downloading music and buying online games.

The age threshold for obtaining parental consent is established by each EU Member State and can be between 13 and 16 years. You should check the age threshold with your National Data Protection Authority.

Companies have to make reasonable efforts, taking into consideration available technology, to check that the consent given is truly in line with the law. This may involve implementing age-verification measures such as asking a question that an average child would not be able to answer or requesting that the minor provides his parents' email to enable written consent.

Preventive or counselling services offered directly to children are exempted from the requirement for parental consent as they seek to protect a child’s best interests.

Examples

Parental consent required

You have a 12-year-old daughter. She would like to join a popular social media network and is asked for consent to process information about her religion. You would need to give your consent in case you want her to join that social media network.

Parental consent not required

Your 17-year-old son is considering participating in an online survey about his clothes consumption patterns. The website requests consent to process his data. As he is over 16, he can give his consent without asking for yours.

References

• Article 8 and Recitals (38) and (58) of the GDPR

The following categories of personal data are deemed ‘sensitive’ and get specific protection under the GDPR:

• data revealing racial or ethnic origin
• data revealing political opinions
• data revealing religious or philosophical beliefs
• data revealing trade union membership
• genetic data
• biometric data for the purpose of uniquely identifying a natural person
• data concerning health
• data concerning individual’s sex life or sexual orientation

As a general rule, processing of the types of data listed above is prohibited. However, in certain cases, a company or organisation may be allowed to process sensitive personal data, when for example:

• you have made your sensitive data manifestly public
• you have given your explicit consent 
• processing is necessary for the exercise of defence of legal claims
• there is a law including adequate safeguards that provides for the processing of sensitive personal data in areas such as public health, employment and social protection
• there is a law including adequate safeguards that provides for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Example

The National Statistics Office (a State entity) organises a public census every 5 years. You receive a link to a survey that you’re obliged to fill in. It includes fields such as sex and racial or ethnic origin. In such a situation, since the survey is based on a law which serves a public interest aim and contains safeguards to protect your sensitive data (for example, the data is only accessed by authorised recipients working on the census) your sensitive personal data can be processed by the National Statistics Office.

References

• Articles 4(13), 4(14), 4(15) and 9 and Recitals (51) to (56) of the GDPR