Advice on rights

Advice on rights under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – this Regulation 2016/679 is hereinafter referred to as the General Data Protection Regulation, or GDPR.

I hereby confirm that I have been advised of my rights in connection with the processing of my Personal Data in compliance with Articles 13, 15–22, and 34 of the GDPR. I have also been informed that these rules are effective as of 25 May 2018.

I am especially aware of the fact that:

- under Article 13 GDPR

• I have the right to request access to my Personal Data from the Controller;
• I have the right to request the rectification or erasure of my Personal Data or restriction of the processing thereof, and to object to the processing thereof, as well as the right to data portability;
• I have the right to lodge a complaint with a supervisory authority;
• The provision of my Personal Data to the Controller is not a statutory or contractual requirement; I am not therefore obligated to provide my Personal Data to the Controller.

- under Article 15 GDPR – the right of access to my Personal Data

• I have the right to obtain from the Controller confirmation as to whether or not my Personal Data are being processed, and, where that is the case, access to my Personal Data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipient to whom my Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations; d) the envisaged period for which my Personal Data will be stored, or, if not possible, the criteria used to determine that period; e) the existence of the right to request from the Controller rectification or erasure of my Personal Data or restriction of processing of my Personal Date or to object to such processing; f) the right to lodge a complaint with a supervisory authority; g) where my Personal Data are not collected from me, any available information as to their source; h) the existence of automated decision-making, including profiling, referred to Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me.
• I have the right to obtain a copy of my Personal Data processed by the Controller. The Controller may charge me a reasonable fee based on administrative costs for any further copies. Where I make the request by electronic means, and unless I request otherwise, the information shall be provided in a commonly used electronic form.

- under Article 16 GDPR – the right to rectification of my Personal Data

• I have the right to obtain from the Controller without undue delay the rectification of inaccurate personal data concerning me. Taking into account the purposes of the processing, I shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

- under Article 17 GDPR – the right to the erasure of my Personal Data

• I have the right to obtain from the Controller the erasure of my Personal Data without undue delay where one of the following grounds applies: a) my Personal Data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) I withdraw consent on which the processing of my Personal Data is based, and there is no other legal ground for the processing; c) I object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or I object to the processing pursuant to Article 21(2) GDPR; d) my Personal Data have been unlawfully processed; e) my Personal Data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject. The above grounds do not apply to the extent that the processing of my Personal Data is necessary: a) for exercising the right of freedom of expression and information; b) for compliance with a legal obligation which requires the processing of my Personal Data by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller; c) for reasons of public interest in the area of public health; d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR; e) for the establishment, exercise or defence of legal claims.

- under Article 18 GDPR – the right to the restriction of the processing of my Personal Data

• I have the right to obtain from the Controller restriction of the processing of my Personal Data where one of the following applies: a) I contest the accuracy of my Personal Data, for a period enabling the Controller to verify the accuracy of my Personal Data; b) the processing of my Personal Data is unlawful and I oppose the erasure of my Personal Data and request the restriction of their use instead; c) the Controller no longer needs my Personal Data for the purposes of the processing, but I require them for the establishment, exercise or defence of legal claims; d) I object to the processing of my Personal Data pursuant to Article 21(1) GDPR pending the verification whether the legitimate grounds of the Controller or any third party override my legitimate grounds.
• In the event that I have obtained restriction of the processing of my Personal Data in accordance with the above point, my Personal Data can be, with the exception of their storage, only processed subject to my consent or on the grounds of the establishment, exercise or defence of legal claims, on the grounds of the protection of the rights of another natural person or legal person or on the grounds of other important objectives of general public interest of the Union or of a Member State.

- under Article 19 GDPR – notification obligation regarding rectification or erasure of my Personal Data or restriction of processing

• The Controller shall communicate any rectification or erasure of my Personal Data or restriction of the processing of my Personal Data to each recipient to whom my Personal Data have been disclosed, unless this proves impossible or involves disproportionate effort. The Controller shall inform me about those recipients only if I request it.

- under Article 21 GDPR – the right to object

• I have the right to object, on grounds relating to my own particular situation, at any time to the processing of my Personal Data which is based on point (f) of Article 6(1) GDPR, including profiling based on those provisions. The Controller shall no longer process my Personal Data unless the Controller demonstrates compelling legitimate grounds for the processing of my Personal Data which override my interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
  • I can exercise my right to object by automated means.

- under Article 34 GDPR – communication of a personal data breach

• When my Personal Data breach is likely to result in a high risk to my rights and freedoms, the Controller shall communicate such breach to me without undue delay.
• However, the communication referred to in the above point shall not be required if any of the following conditions are met: a) the Controller has implemented appropriate technical and organisational protection measures, and those measures were applied, in particular those that render my Personal Data unintelligible to any person who is not authorised to access them, such as encryption; b) the Controller has taken subsequent measures which ensure that the high risk to my rights and freedoms referred to in the above point is no longer likely to materialise; c) it would involve disproportionate effort.