What are the rights of persons providing their data?

RODO simultaneously extends consumer rights and obligations of entities processing their personal data. The new rules introduce five key rights that every data controller must comply with.

1. Extended right to information

Persons whose data is processed must be informed about details of such process. In accordance with the personal data protection regulation, personal data administrator must:

• Inform that their data is collected, used, reviewed or otherwise processed.
• Inform about the extent, to which data is or will be processed.
• Inform about the risks associated with operations related to personal data.
• Inform data subjects about their rights: the right to access personal data, rectify, delete or limit its processing, the right to object to the processing, as well as the right to transfer data.
• Inform about the company's automated decision-making process based on data collected, including profiling (see item 5).
• Inform about whether the provision of personal data is statutory, contractual, or if it is a condition for the conclusion of an agreement.
• Inform about the obligation to keep data and the possible consequences of its non-disclosure.

2. Right of access

The right to information is strictly connected with the right to access data. Everyone has the right to request confirmation that his/her personal data is processed by the administrator. An affirmative answer may be the basis for further demand for information about:

• the purpose of processing;
• categories of relevant personal data;
• recipients or categories of recipients to whom the data has been or will be disclosed;
• the planned period of data storage (or the criteria for determining this period);
• the right to require the controller to rectify, delete or limit the processing of personal data relating to the data subject, as well as to object to such processing (see items 3 and 4);
• the right to lodge a complaint with the supervisory authority;
• the source of data – if it has not been collected from the data subject;
• the automated decision-making, including profiling referred to in Art. 22 items 1 and 4 of GDPR;
• the principles for making these decisions, as well as of the significance and anticipated consequences of such processing for the data subject.

3. The right to rectify and delete data

At the request of the person concerned, the administrator is obliged to immediately rectify the incorrect personal data and supplement it, if incomplete. Rectification of data must take place each time the data subject points out any inconsistencies.

In addition, if personal data is no longer necessary to achieve purposes, for which it was originally collected, the data subject has the right to request the administrator to delete the data. The same shall apply should the data subject file an objection or withdraw the consent to process his/her data.

4. The right to object

The person whose data is being processed may, at any time, lodge an objection with the data administrator, who then must stop processing the data.

In addition, objection may be filed in the following situations:

• to the processing of personal data for direct marketing purposes, or
• to the processing of personal data for scientific or historical research, or statistical purposes pursuant to Article 89 clause 1 of GDPR, for reasons related to the specific situation of the data subject.
• Once an objection has been filed, the administrator can no longer process personal data unless there are premises strictly indicated in the GDPR.

The GDPR does not impose any specific requirements as to the form of objection – it can be made over the phone, by e-mail or by fax.

5. The right to be informed about profiling

Profiling is a form of automated processing of personal data that serves to assess personal factors of a natural person. Those who are affected by this process must be informed of this fact and its consequences. Profiling can be used to assess the economic situation, interests or preferences of people. The process of monitoring behaviour when using cookie files can serve as an example of profiling.

*Author: Katarzyna Blachowicz, Attorney-at-Law, Junior Partner at GWW