GDPR Articles With Commentary & EU Case Laws, Adv. Prashant Mali
- Author: Adv. Prashant Mali
On the contrary, the elements of information are more numerous. Now it also includes in particular the period of data storage, or at least the criteria for determining the existence of all the rights of a person (including for example the right to data portability or withdrawal of consent), and the right to lodge a complaint with a supervisory authority.
The possible compulsory nature of the collection results in the highest precision (regulatory or contractual nature of the requirement of providing the data, including consequences on the conclusion of a contract for the provision of data, etc.). The controller should also, where appropriate, notify about the existence of any automated decision-making, including profiling under Articles 22 (1) and (4) as well as significant information of the underlying logic and consequences of the processing for the data subject.
Where appropriate, the changes of the purposes of processing data against the initial purpose must also be notified which means, if appropriate, new preliminary information on all of the above elements. Article 10 of the Directive provided for an obligation to notify the data subject that is differently implemented depending on whether the data are collected directly from the data subject or from a third party.
Art. 14 GDPR Information to be provided where personal data have not been obtained from the data subject
Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
The identity and the contact details of the controller and, where applicable, of the controller’s representative;
The contact details of the data protection officer, where applicable;
The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
The categories of personal data concerned;
The recipients or categories of recipients of the personal data, if any;
Where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
Where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
Where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
The right to lodge a complaint with a supervisory authority;
From which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The controller shall provide the information referred to in paragraphs 1 and 2:
Within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
If the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
If a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject prior to that further processing with information on that other purpose and with any relevant further information as referred to in paragraph 2.
Paragraphs 1 to 4 shall not apply where and insofar as:
The data subject already has the information;
The provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
Obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
Where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.
Suitable Recitals
(60) Information obligation; (61) Time of information; (62) Exceptions to the obligation to provide information.
COMMENTARY:
In its Article 14, the Regulation reinforces the obligations to provide information when the data were not collected from the data subject, while extending the general exceptions. The obligatory elements of information already present in the Directive are diversified: the information given should serve to identify the data protection officer, if any, and the legal basis, and indicate the purpose of processing or the legitimate interests on which the controller is processing data. Other mandatory information includes the intention to transfer data to a recipient in a third country or an international organization, the lack of a decision on the adequacy of the level of protection or, if appropriate, the appropriate or adequate safeguards provided and the ways to obtain a copy. The obligation to notify the other elements of information is necessary to ensure "fair and transparent processing", which should change nothing in substance.
On the other hand, the elements of information are more numerous.
Now it also includes in particular the period of data storage, or at least the elements allowing for determining it, the identification of the legitimate interests in case of lawfulness based on a balance of interests, rights and freedoms (Art. 6 (1), (f) of the Regulation), the existence of all the rights recognized to a person (including for example the right to data portability or withdrawal of consent), and the right to lodge a complaint with a supervisory authority. And finally, the sources that the data come from, including the sources that are publicly available are covered.
Where appropriate, the existence of any automated decision-making including profiling under Articles 22 (1) and (4) as well as significant information of the underlying logic and consequences of the processing for the data subject shall also be notified. The Regulation also specifies that the controller must provide this information to the data subject either within a reasonable time not exceeding one month after the collection or, if it is envisaged to provide the information to another person or to use the data for communication to the data subject, when the information is communicated for the first time at the latest.
Where appropriate, the changes of the purposes for processing data against the initial purpose must also be notified, which means, if appropriate, new information on all of the above elements. Exceptions are provided for. The information must not be provided if the data subject already has the information, or if providing it proves impossible or would require disproportionate effort. There are clarifications concerning processing for archiving purposes in the public interest as well as for scientific purposes, historical or statistical research. Another exception is provided in the case of obtaining or communicating the information if subject to specific provisions in EU law or national law or if the data must remain confidential, subject to an obligation of professional secrecy in accordance with EU law or the law of a Member State.
Articles 10 and 11 of the Directive provided for an obligation to notify the data subject that was differently implemented depending on whether the data were collected directly from the data subject or from a third party.
Art. 15 GDPR Right of access by the data subject
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
The purposes of the processing;
The categories of personal data concerned;
The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
The right to lodge a complaint with a supervisory authority;
Where the personal data are not collected from the data subject, any available information as to their source;
The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Suitable Recitals
(63) Right of access; (64) Identity verification.
COMMENTARY:
The Regulation does not actually provide for anything new as to the right to access but accepts the principle contained in the Directive: the data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data. Specific information must be given pursuant to the right of access. Compared to the previous system, new information elements are provided for, such as, in particular, the obligation to inform the data subject about the period of storage, of their right to rectification and erasure, of their right to lodge a complaint with a supervisory authority, of the specific safeguards taken in case of data transfer to a third country or an international organization or information on the existence of an automated decision including profiling.
If so requested, the data subject is entitled to be issued a copy of the data. Such a copy must be free of charge because the final text provides for a payment of fees on the basis of the administrative costs of the controller for the subsequent copies only. On the other hand, the text says nothing about the possible costs related to access without a copy (while the previous version explicitly provided for free access with no payment at regular intervals). The provision also states that the information may be provided electronically, unless otherwise requested, when the request for access was made electronically.
Finally, the final version of the Regulation stipulates in paragraph 4 that the right to obtain a copy must not adversely affect the rights and freedoms of others. In the previous version of the Regulation, an exception to the right to obtain a copy could be made if the issue of copies involved the disclosure of confidential data or was likely to infringe intellectual property rights on processing. In its Article 12, the Directive already granted a broad right of access to the data to data subjects.
Section 3: Rectification and erasure
Art. 16 GDPR Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Suitable Recitals
(65) Right of rectification and erasure.
COMMENTARY:
Under this Article individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data. Data subjects are entitled to require a controller to rectify any errors in their personal data. Controllers must ensure that inaccurate or incomplete data are erased or rectified. Data subjects have the right to rectification of inaccurate personal data.
Rectification may be requested when the name, address or any other information has been misspelled. Usually, the