8. Rights of the data subject
We remind you that, in relation to the processing of your data in accordance with this policy, your rights are recognized under the GDPR regulations, in particular the right to access your data, to request its rectification, update and removal if incomplete, incorrect or collected in violation of the law, as well as to oppose its processing for legitimate reasons, addressing your requests to Foxwin S.r.l., Via Luigi Moretti 15, 33100, Udine (email: email@example.com).
In this case, the rights that the data subject could exercise against the company in question are the following.
One of the fundamental rights of the data subject guaranteed by the General Data Protection Regulation (GDPR) is the right of access, regulated by art. 15, which states that the data subject shall have the right to obtain from the controller confirmation as to whether or not processing of personal data concerning him/her is in progress, and in that case to access the data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular if the recipients are from third countries or international organisations;
(d) where possible, the envisaged period of retention of personal data or, if that is not possible, the criteria used to determine such period;
(e) the existence of the right of the interested party to request the controller to rectify or erase the personal data or limit the processing of personal data concerning him/her or to oppose their processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where data is not collected from the data subject, all available information regarding its origin;
(h) the existence of an automated decision-making process, including profiling, and at least in such cases, significant information on the logic used, as well as the importance and expected consequences of such a processing approach for the data subject.
The data controller must provide the data subject with information relating to the action taken with regard to a request for access, pursuant to articles 15 to 20, without undue delay and at the latest within one month after having received the request.
That period may be extended for a further maximum of two months, if necessary, taking into account the complexity of the request and the number of requests.
If the extension applies, the data subject shall be informed of the reasons for the delay within one month of receipt of the request. If the data subject submits the request in electronic format, the information shall be provided, where possible, in electronic format as well, unless otherwise specified by the data subject.
If the data controller does not comply with the data subject’s request, it shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for the non-compliance and the possibility to lodge a complaint with a supervisory authority and seek judicial redress.
This right is not new compared to the previous legislation and also compared to Articles 16, 17 and 18 of the Regulation, which set out further important rights of the data subject which are already implemented in our regulations, such as the right of rectification, the right of removal (and the right to be forgotten) and the right to limit the processing, in specific circumstances.
With the right of rectification, the data subject has the right to obtain from the controller the rectification of the data without undue delay. Taking into account the purposes of the processing, the data subject has the right to obtain the integration of incomplete personal data, including by providing a supplementary statement.
The data subject has the right to obtain from the data controller a limitation of the processing in one of the following cases:
(a) the data subject contests the accuracy of the personal data, for as long as it is necessary for the controller to verify the accuracy of such personal data;
(b) the processing is unlawful and the data subject objects to the cancellation of the personal data and requests its use to be restricted;
(c) although the controller no longer needs it for processing purposes, personal data is necessary for the data subject to establish, exercise or defend a right in court;
(d) the data subject has objected to the processing in accordance with Article 21, paragraph 1, pending verification with regard to the possible prevalence of the legitimate reasons of the data controller over those of the data subject.
If processing is limited, personal data are processed, except for storage, only with the consent of the data subject or for the establishment, exercise or defence of a right in judicial proceedings or to protect the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State.
With the recognition of the right of removal or the right to be forgotten, the data subject has the right to request that his/her personal data which are no longer necessary are removed and no longer processed for the purposes for which they were collected or otherwise, if the data subject has withdrawn his/her consent or has opposed the processing of his/her personal data or when the processing of that personal data does not comply with the Regulation.
This right is particularly relevant if the data subject has given his/her consent when they were not of age, and therefore not fully aware of the risks arising from the processing, and subsequently wants to eliminate this type of personal data, in particular from the Internet (a circumstance that does not affect the state of the company in question).
However, further retention of the data should be permissible where it is necessary to exercise the right to freedom of expression and information, in order to fulfil a legal obligation, to carry out a task in the public interest or in the exercise of official authority vested in the data controller, for reasons of public interest in the field of public health, for purposes of public archiving, for purposes of scientific and historical research or statistical purposes or to ascertain, exercise or to defend a right in court.
The Regulation also reaffirms the right of the data subject to oppose, always with a view to a new dimension acquired by the right to privacy, which is no longer understood as purely negative, such as the right to reject the intrusions of strangers into one’s private life, or to refuse consent to the dissemination of personal information, to waive the participation in social life; but in a positive sense, as an affirmation of the freedom and dignity of the person, and as the power to limit the information, controlling its means and purposes.
Article 21, however, attributes autonomous importance to this right, stating that the data subject has the right to object at any time, on grounds relating to his/her particular situation, to the processing of personal data concerning him/her pursuant to Article 6, par. 1, letters e) or f), including profiling based on these provisions.
The data controller shall no longer process personal data unless it provides evidence that there are legitimate and prevailing grounds for processing taking precedence over interests, rights and freedoms of the data subject or for the establishment, exercise or defence of a right in judicial proceedings.
In addition, if the personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of his/her personal data carried out for such purposes, including profiling, to the extent that processing is related to such direct marketing.
Where personal data is processed for purposes of scientific and historical research or for statistical purposes in accordance with Article 83, par. 1, the data subject, for reasons relating to his/her particular situation, has the right to object to the processing of personal data, unless the processing is necessary for the performance of a task of public interest.
The Regulation also pays particular attention to the automated processing of personal data that can lead to decisions that are made by a machine and not by a human.
Article 22, therefore, reiterates as a general principle that the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject in a significant way.
This provision shall not apply when the decision taken:
(a) is necessary for the conclusion or performance of a contract between the data subject and a data controller, or
(b) is authorised by the law of the Union or of the Member States to which the controller is subject, which also specifies appropriate measures to protect the rights, freedoms and legitimate interests of the data subject, or
(c) is based on the explicit consent of the data subject.
Article 20 of the Regulation introduces a right that is in some ways new compared to the previous legislation, although it has already been the subject of numerous debates in the past, namely the right to data portability, according to which the data subject shall have the right to receive in a structured, commonly used and machine-readable format his/her personal data provided to a data controller and has the right to transmit such data to another data controller without hindrance from the data controller which has provided the data, if:
(a) the processing is based on consent in accordance with Article 6, par. 1, letter a) or Article 9, paragraph 2, letter a) or on a contract pursuant to Article 6, par. 1, letter b);
(b) processing is carried out by automated means.
Furthermore, in exercising his/her rights with regard to data portability, the data subject shall have the right to obtain the direct transmission of data from one controller to another, if technically feasible.