Subject to the terms and conditions provided below, the rights may be exercised as follows:
The exercise of rights must not negatively affect the rights and freedoms of third parties. Hence, the Controller has the right and obligation, in necessary cases, to identify the data subject requesting the exercise of rights. For that reason, the Controller must choose a safe and reliable communication channel. Communication via electronic mail with a certified electronic signature, communication via a data box, or communication via a postal service provider, where an authenticated signature of the responsible person is attached to the document being delivered or where the reply is served upon the addressee personally, shall be considered a reliable communication where the identity of the addressee need not be further verified.
In exceptional cases, when requested by the data subject, the information may be provided or the rights exercised orally, provided that a written record is made of the oral provision of information or exercise of rights by the data subject. Where the rights are exercised orally, the identity of the data subject must be verified using an ID card, passport, driver’s license or another document that may serve as evidence that the rights are exercised by the person who is entitled to exercise those rights, unless the data subject is personally known to the person responding to the request.
Where the request is made or the rights exercised by electronic means, the response shall also be provided by electronic means, unless otherwise requested by the data subject.
The information provided to the data subjects, the copies of data provided to the data subjects and any communication and any action relating to the exercise of rights by the data subjects shall be free of charge.
Where the data subject's request (exercise of right) is manifestly unfounded or unreasonable, particularly because it is identical or predominantly identical or excessive, and cannot be complied with within the statutory deadline,
compliance with the request shall be subject to a deposit to cover the administrative costs associated with the provision of the requested information or communication or with the requested actions; the deposit may be claimed up to the amount of the estimated costs and the requested information, communication, etc. shall only be released to the data subject after full reimbursement of the incurred costs, or
the request shall not be complied with, or the exercise of the right shall be declined in writing with a reasoning.
The data subject’s requests and the exercise of the data subject’s rights are responded to without undue delay. A response containing the requested information or a description of the measures adopted following the data subject’s request, etc., must be delivered to the data subject no later than 30 days from the date of receipt of the request. If, for serious reasons, the matter cannot be resolved within the above deadline, the data subject shall be notified in writing or by email, no later than by the end of the above deadline, that the deadline will not be met, together with the reasons for the delay and a new deadline within which the matter will be resolved; the deadline may not be extended by more than 60 days.
Upon request, the data subject shall have the right to obtain confirmation as to whether or not his/her personal data are being processed.
If the personal data concerning the data subject are being processed, the data subject shall receive the following information:
the purposes of the processing and the legal basis/title for the processing of personal data, including reference to the provisions of the applicable legal regulation, and the scope and consequences of the processing;
the recipients or categories of recipients of personal data, if any;
the transfer of personal data to third countries, where applicable, including information on the appropriate safeguards to ensure security of the data transferred to a third country;
the period for which the personal data will be stored, or if the period cannot be determined, the criteria used to determine that period;
the existence of the right to request access to and rectification or erasure of personal data concerning the data subject or the right to request restriction of processing or to object to the processing of personal data and the conditions under which the rights arise and the manner in which the rights may be exercised; the information shall only include the rights the exercise of which is relevant to the nature of the processing of personal data concerned;
the existence of the right to data portability, the conditions under which the right arises and the conditions under which it may be exercised, to the extent that the exercise of such right is relevant to the nature of the processing of personal data;
the existence of an automated decision-making process and the data subject’s rights connected with automated decision-making;
the source of personal data, and, where applicable, the fact that the personal data were obtained from publicly accessible sources;
the right to lodge a complaint with the supervisory authority (the Office for Personal Data Protection);
the existence of automated decision-making in the form of profiling and the significance and the envisaged consequences of such processing, if any, for the data subject.
The data subject shall have the right to request a copy of the personal data undergoing processing. The first copy is free of charge. For any further copies, a reasonable fee may be charged. Article I, paragraph 6 shall apply accordingly.
Where the right to obtain a copy could adversely affect the rights and freedoms of third parties (e.g. copies containing third party personal data which the requesting data subject has no legal title to obtain), the copy shall be anonymised in an appropriate manner. If anonymisation is not possible or if, as a result of the anonymisation, the requested information loses the strength of evidence, no copy shall be provided.
The data subject shall have the right to obtain rectification of the personal data being processed, if the data are inaccurate or incomplete in relation to the purpose for which they are being processed. The data subject shall have the right to request that the personal data be rectified (and completed) or completed.
If the data subject has exercised the right to rectification of the personal data being processed, the Controller shall immediately review the processing of personal data that is the subject of the exercised right to rectification.
If the objection is found to be reasonable, at least to some degree, the Controller shall, without undue delay, ensure that the situation is remedied, i.e. that the processed personal data are rectified or completed.
The data subject will be notified in writing or by email of the result of the review and the measures adopted.
The data subject shall only have the right to obtain from the data Controller the erasure of personal data concerning him or her if one of the following grounds applies:
the personal data are not necessary in relation to the purposes for which they were collected or otherwise processed;
the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
the data subject has raised a reasonable objection to the processing;
the personal data have been processed unlawfully, especially without legal grounds;
the personal data have to be erased for compliance with a legal obligation arising from a particular legal regulation or a decision based on a legal regulation;
the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
An erasure of personal data shall mean the physical destruction of the personal data carrier (e.g. destruction of documents) or the deletion of the data (from multimedia carriers) or other permanent exclusion of the personal data from further processing.
If the data subject has exercised the right to erasure of the processed personal data, the Controller shall review the data subject’s request. If the request is found to be reasonable, at least to some degree, the personal data shall be erased to the necessary extent. Article I, paragraph 7 hereof shall apply accordingly.
The data that are the subject of the right to erasure shall be marked until the data subject’s request is complied with.
The personal data shall not be erased to the extent that their processing is necessary:
for exercising the right of freedom of expression and information;
for compliance with a legal obligation arising from legal regulations;
for reasons of public interest in the area of public health (points (h) and (i) of Art. 9(2) and Art. 9(3) of the GDPR);
for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
for the establishment, exercise or defence of the Controller’s rights.
Where the data subject has exercised the right to restriction of processing in respect of a specific processing of personal data, the Controller shall immediately assess the relevance of the data subject’s request, primarily the existence of the grounds for exercising the right to restriction of processing; the assessment shall take into account the content of the request as well as other facts and circumstances relating to the processing concerned.
The data subject shall have the right to restriction of processing where one of the following grounds applies:
the accuracy of the personal data is contested by the data subject;
the processing is unlawful and the data subject opposes the erasure of the personal data and requests restriction of their use instead;
the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
the data subject has objected to the processing.
The personal data affected by restriction shall be marked.
Where the processing has been restricted, the personal data concerned may, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
If the restriction of processing is lifted, the data subject shall be informed in writing or by email before the restriction of the processing of personal data is lifted. The information shall contain the date on which and the reasons why the restriction will be lifted.
If the processing of personal data involves personal data obtained from the data subject (either data directly provided by the data subject or data obtained about his/her activities, etc.) and concerning the data subject, the data subject shall have the right to portability (receipt and transmission) of those data if the processing is based on consent of the data subject or on a contract with the data subject and the processing is carried out by automated means. The right to portability does not apply to the data and information created by the Controller on the basis of the data obtained from the data subject (e.g. profiling of the envisaged consumer behaviour of the data subject based on the data obtained from the data subject, etc.).
In exercising the right to portability of data, the data subject may request the following:
have the personal data that are subject to the right to portability transferred to the data subject in a structured, commonly used and machine-readable format; a format requiring a special paid license or a format that excludes further editing or other manipulation (processing) of the personal data (e.g. *.pdf) shall be avoided;
have the personal data that are subject to the right to portability transferred to another personal data controller designated in the data subject’s request for the transfer of data, in a structured, commonly used and machine-readable format; a format requiring a special paid license or a format that excludes further editing or other manipulation (processing) of the personal data (e.g. *.pdf) shall be avoided.
A request of the data subject shall not be complied with if, inter alia (Article I(6)), compliance with the request would adversely affect the rights and freedoms of other persons (data subjects).
A request for portability of data pursuant to paragraph 2(b) shall further not be complied with, if the transfer of data is not technically feasible; transfer of data that cannot be adequately secured by available technical means given the nature of the transferred personal data and the risks involved shall also be considered not technically feasible.
In addition to the transferred personal data, information on the purposes of the processing of personal data shall be transferred and, where requested by the data subject, also information on the processing of personal data to the extent of Article 13 of the GDPR.
No decision or juridical action concerning the data subject or other measures or procedures which produce adverse legal effects concerning the data subject or similarly significantly affect the data subject (e.g. automated refusal of an online credit application, e-recruiting practices without any human involvement and review of the electronic system’s negative decisions) can be based on automated individual decision-making, including profiling, unless the decision is:
necessary for entering into, or performance of, a contract between the data subject and the data controller;
authorised by legal regulations which lay down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
based on the data subject's explicit consent.
In the cases referred to in points (a) and (c) of paragraph 1, the Controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests and protect them from the negative effects of automated individual decision-making. Such measures include at least the data subject having a chance to express his/her point of view prior to the implementation of the action with negative consequences, a chance to have the decision reviewed by the Controller-appointed person and the right to obtain human intervention, e.g. a regular review of the functionality of the automated decision-making system and a setup of its functionality so as to exclude unreasonable interference with the rights and freedoms or legitimate interests of the data subject.
Where the processing involves sensitive data, or where individual decisions pursuant to paragraph 1 are to be based on sensitive data, paragraph 2 shall only apply if sufficient safeguards have been ensured pursuant to paragraph 2 of this Article on condition that the processing of personal data is based on explicit consent of the data subject pursuant to Article 9(2) point (a) of the GDPR, or the processing is necessary for reasons of important public interest stipulated by law and the processing is adequate to the envisioned objectives, compliant with the personal data protection law and provides sufficient and specific safeguards of the protection of fundamental rights and interests of the data subject.
If the processing of personal data is based on point (e) of Article 6(1) of the GDPR (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller) or point (f) of Article 6(1) of the GDPR (processing is necessary for the purposes of protection of the rights and legitimate interests pursued by the controller), the data subject shall have the right to object to the processing of personal data concerned.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object, at any time, to the processing of the personal data concerning him or her for such marketing, including profiling to the extent that it relates to such direct marketing. Where the data subject has objected to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
If the data subject has exercised the right to object, the Controller shall investigate the objection without undue delay.
The personal data or the processing of personal data concerned shall be marked until the data subject’s objection is resolved.
The personal data that are the subject of a justified objection can no longer be processed, unless:
further processing is important for serious legitimate reasons that override the interests or rights and freedoms of the data subject, or
further processing is necessary for the establishment, exercise or defence of the Controller’s rights.