The Data Controller (“DC”) is the person who, alone or jointly, determines the purpose and means of the processing of personal data; in other words, is the person who decides why other’s personal data is processed and how it would be processed. Art. 4 (7) GDPR determines the purpose and means of the processing of Personal Data (PD).
All natural persons whose personal data is processed by a Data Processor (DP) or Data Controller (DC) within the territorial scope of the GDPR, are Data Subjects and hence entitled to these rights.
Data Subjects (DS)
Data Subjects (DS) are all natural persons whose personal data (PD) is processed by a Data Controller (DC) or Data Processor (DP) in the line with art. 3 General Data Protection Regulation.
Right to be informed
Provide the information listed in art. 13 General Data Protection Regulation if the Personal Data (PD) was provided by the Data Subject (DS) or art. 14 General Data Protection Regulation, if not.
Right of Access
Confirm and if applies, provide access to the Data Subject (DS) own Personal Data (PD) and the information listed in art. 15 General Data Protection Regulation.
Right to rectification
Allow the rectification of inaccurate Personal Data (PD) and the provision of supplementary data.
Right to be Forgotten
Erase the Personal Data (PD), when a Data Subject (DS) request so and there are no legitimate grounds for retaining it.
Right to restriction of Processing
Impede the processing of Personal Data (PD) under the situations stated in art. 18 General Data Protection Regulation it is unlawful.
Notification Obligation
Notify any rectification or erasure or restriction of processing to each Recipient (art. 19 General Data Protection Regulation).
Right to Data Portability
If Art. 20 (1) General Data Protection Regulation applies, give back the Personal Data (PD) as required and allow the transfer to another Data Controller (DC).
Right to Object
Provide the option to object the processing if the conditions in art. 21 General Data Protection Regulation apply. Also, quickly respond and demonstrate legitimate grounds.
Automated decision-making
Do not base a decision solely on automated means, include profiling, which produces legal or similar effects (art. 22 (20 (4) General Data Protection Regulation).