14. Information about rights under GDPR:
I confirm I have learned about my rights relating to the processing of My Personal Data, in accordance with the provisions of Articles 13-22 and 34 of the GDPR.
I am in particular aware of the following:
Under Article 7 (3) of the GDPR:
- I have the right to withdraw my consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Under Articles 13-14 of the GDPR:
- I have the right to the provision of the information where personal data are collected from the data subject as well as where personal data have not been obtained from the data subject.
Under Article 15 of the GDPR – Right to access to My Personal Data:
- I have the right to obtain from the Controller confirmation as to whether or not My Personal Data are being processed, and, if so, access to My Personal Data and the following information: a) the purposes of the processing; b) the categories of personal data concerned; c) the recipients or categories of recipients to whom My Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations; d) where possible, the planned period for which My Personal Data will be stored, or, if it is not possible to determine it, the criteria used to determine it; e) the existence of the right to request from the Controller rectification or erasure of My Personal Data or restriction of processing of My Personal Data or to object to such processing;
- I have the right to lodge a complaint with a supervisory authority;
- I have the right to obtain all available information as to the source of My Personal Data if not acquired directly from me; the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the procedure used, as well as the meaning and the expected consequences of such processing for me;
- I have the right to be provided with a copy of My Personal Data processed by the Controller. The Controller may charge a reasonable fee for any further copies requested by me based on administrative costs. If I make the application in electronic form, the information shall be provided in a commonly used electronic form, unless otherwise requested by me.
Under Article 16 of the GDPR – Right to rectification of My Personal Data:
- I have the right to rectification on the part of the Controller of inaccurate personal data concerning me without undue delay. Considering the processing purposes, I have the right to completion of incomplete personal data, even by providing a supplementary statement.
Under Article 17 of the GDPR – Right to erasure of My Personal Data:
- I have the right to erasure on the part of the Controller of My Personal Data without undue delay for one of the following reasons:
a) My Personal Data are no longer required for the purposes for which they have been collected or otherwise processed;
b) I have withdrawn my consent to the processing of My Personal Data, and there are no other legal grounds for the processing;
c) I have objected to the processing under Article 21, par. 1 of the GDPR, and there are no prevailing legitimate grounds for the processing, or I have objected to the processing under Article 21, par. 2 of the GDPR;
d) My Personal Data have been unlawfully processed;
e) My Personal Data have to be erased to comply with a legal obligation in the law of the European Union or a Member State to which the Controller is subject;
- what is specified under clauses (a) through (e) of this paragraph will not apply if the processing of My Personal Data is necessary:
a) for exercising the right to freedom of expression and information;
b) for compliance with a legal obligation that requires processing by the law of the European Union or a Member State to which the Controller is subject or for the performance of a task carried out in the public interest or in the scope of a public authority if the Controller has been authorised by it;
c) for reasons of public interest in the area of public health;
d) for archiving purposes in the public interest, for scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR; or
e) for the establishment, exercise or defence of legal claims.
Under Article 18 of the GDPR – Right to restriction of processing of My Personal Data:
- I have the right to obtain from the Controller restriction of processing where one of the following applies:
a) If I contest the accuracy of My Personal Data for a period enabling the Controller to verify the accuracy of My Personal Data;
b) If the processing is unlawful and I oppose the erasure of My Personal Data and request the restriction of their use instead;
c) If the Controller no longer needs My Personal Data for processing purposes, but I would require them for the establishment, exercise or defence of legal claims;
d) I have objected to processing under Article 21, par. 1 of the GDPR pending the verification whether the legitimate grounds of the Controller prevail over mine.
- If the processing has been restricted under clauses a) through d) of this paragraph, My Personal Data, with the exception of storage, may only be processed with my consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
Under Article 19 of the GDPR – Notification obligation regarding rectification or erasure of My Personal Data or restriction of their processing:
- The Controller advises individual recipients to whom My Personal Data have been disclosed of any rectification or erasure of My Personal Data or processing restrictions, unless this proves impossible or involves unreasonable effort. The Controller informs me about these recipients only if I request it.
Under Article 20 of the GDPR – Right to data portability:
- I have the right to obtain the personal data concerning me, which I have provided to the Controller, in a structured, commonly used and machine-readable format and I have the right to transmit those data to another controller without hindrance from the Controller, provided that the processing is carried out by automated means. In exercising my right to data portability under the previous sentence, I have the right to have My Personal Data transmitted directly from the Controller to another controller, where technically feasible.
Under Article 21 of the GDPR – Right to object:
- I have the right to object, on grounds relating to my particular situation, at any time to the processing of My Personal Data under Art. 6(1)(f) of the GDPR – the Controller’s legitimate interest, including profiling based on those provisions. The Controller will no longer process My Personal Data unless the Controller demonstrates compelling legitimate grounds for the processing that outweigh my interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
- I can exercise my right to object by automated means using technical specifications.
Under Article 22 of the GDPR – Automated individual decision-making, including profiling:
I have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal impacts on me or similarly affects me in a material way. This does not apply if the decision:
a) is necessary to enter into, or perform, a contract between me and the Controller;
b) is permitted by the law of the European Union or a Member State to which the Controller is subject and which also determines suitable measures to safeguard my rights and freedoms and legitimate interests;
c) is based on my express consent.
Under Article 34 of the GDPR – Communication of a personal data breach:
If it is likely that a specific instance of a security breach of My Personal Data will result in a considerable threat to my rights and freedoms, the Controller is required to report the breach to me without undue delay.
However, the reporting referred to in this paragraph is not required if any of the following conditions are met:
a) the Controller has introduced appropriate technical and organisational measures, and these measures have been applied to the personal data affected by the personal data breach, in particular measures that render the personal data unintelligible to anyone who is not authorised to access them, such as encryption;
b) the Controller has taken subsequent measures that ensure that no considerable threat to the rights and freedoms referred to in the first paragraph of this article is likely to materialise;
c) it would involve unreasonable effort. In this case, I will be advised in an equally effective manner by a public notice or similar means.