The Data Controller (“DC”) is the person who, alone or jointly, determines the purpose and means of the processing of personal data; in other words, is the person who decides why other’s personal data is processed and how it would be processed. Art. 4 (7) GDPR determines the purpose and means of the processing of Personal Data (PD).

All natural persons whose personal data is processed by a Data Processor (DP) or Data Controller (DC) within the territorial scope of the GDPR, are Data Subjects and hence entitled to these rights.

Data Subjects (DS)

Data Subjects (DS) are all natural persons whose personal data (PD) is processed by a Data Controller (DC) or Data Processor (DP) in the line with art. 3 General Data Protection Regulation. 

Right to be informed

Provide the information listed in art. 13 General Data Protection Regulation if the Personal Data (PD) was provided by the Data Subject (DS) or art. 14 General Data Protection Regulation, if not. 

Right of Access

Confirm and if applies, provide access to the Data Subject (DS) own Personal Data (PD) and the information listed in art. 15 General Data Protection Regulation. 

Right to rectification

Allow the rectification of inaccurate Personal Data (PD) and the provision of supplementary data. 

Right to be Forgotten

Erase the Personal Data (PD), when a Data Subject (DS) request so and there are no legitimate grounds for retaining it. 

Right to restriction of Processing

Impede the processing of Personal Data (PD) under the situations stated in art. 18 General Data Protection Regulation it is unlawful. 

Notification Obligation

Notify any rectification or erasure or restriction of processing to each Recipient (art. 19 General Data Protection Regulation). 

Right to Data Portability

If Art. 20 (1) General Data Protection Regulation applies, give back the Personal Data (PD) as required and allow the transfer to another Data Controller (DC). 

Right to Object

Provide the option to object the processing if the conditions in art. 21 General Data Protection Regulation apply. Also, quickly respond and demonstrate legitimate grounds. 

Automated decision-making

Do not base a decision solely on automated means, include profiling, which produces legal or similar effects (art. 22 (20 (4) General Data Protection Regulation).


MR. BAS A.S. VAN LEEUWEN (LL.M., ESQ.), attorney at law and forensic auditor, assists clients with criminal matters, administrative supervision and enforcement cases, and internal and external investigations. Cases involving accusations of fraud, bribery, money laundering, corruption or violations, financial mismanagement, of international sanctions seriously disrupt a client’s operations and damage their reputation. At a client’s request, the attorney can conduct internal investigations, advice, litigate and negotiate with regulators and the Public Prosecution Service. He delivers swift solutions that address the underlying problems for urgent matters. Sometimes, his clients are injured by non-compliant conduct; sometimes they find themselves accused of the same.