Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "GDPR") and Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Amendments to Certain Acts (hereinafter referred to as the "Act") guarantee you the following rights as a data subject:
(a) the right of the Data Subject to access to personal data, the content of which is:
o the right to obtain confirmation from the Data Controller as to whether personal data relating to the Data Subject is being processed;
o in the event that the personal data of the Data Subject is processed, the right to access the personal data processed and the right to obtain such information:
- information about the purposes of the processing;
- information on the categories of personal data concerned;
- information on the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations;
- where possible, information on the expected retention period of the personal data or, if this is not possible, information on the criteria for determining it;
- information on the existence of the right to request from the Data Controller the rectification of personal data relating to the Data Subject or their erasure or restriction of processing and the existence of the right to object to such processing;
- information on the right to lodge a complaint with the supervisory authority;
- if the personal data were not obtained from the Data Subject, any available information as to their source;
- information on the existence of automated decision-making, including profiling as referred to in Article 22(1) and (4). of the Regulation and, in such cases, at least meaningful information about the process used as well as the significance and the envisaged consequences of such processing of personal data for the Data Subject;
o the right to be informed of the adequate safeguards under Article 46 of the Regulation relating to the transfer of personal data where personal data are transferred to a third country or an international organisation;
o the right to be provided with a copy of the personal data being processed, provided, however, that the right to be provided with a copy of the personal data being processed shall not adversely affect the rights and freedoms of others;
The Data Subject's right of access to personal data inherently means that the Data Subject has the right to obtain confirmation from us as to whether personal data relating to him or her is being processed and, if so, the right to access that personal data. We will provide a copy of the personal data that is being processed to the Data Subject upon request. We may charge a reasonable fee for any additional copies requested by the Data Subject, commensurate with the administrative costs. Where the Data Subject has made a request by electronic means, the information will be provided in a commonly used electronic format, unless the Data Subject has requested otherwise. The information must be provided immediately and at the latest within 1 month. We have the right to extend the processing time for a request by a further 2 months if the request is complex or frequent. However, we must notify the Data Subject within 1 month of the reason for the extension of the processing period. If the request is unreasonable or too frequent, we have the right to charge a fee proportionate to the cost or refuse the request. We must explain the reason for the refusal and the Data Subject's right to complain to the supervisory authority.
(b) the Data Subject's right to rectification of personal data, which includes:
o the right to have incorrect personal data concerning the Data Subject corrected by the Controller without undue delay;
o the right to supplement incomplete personal data of the Data Subject, including by providing a supplementary declaration of the Data Subject;
The right of the Data Subject to rectification of personal data means that you can ask us to rectify or complete your personal data at any time if it is inaccurate or incomplete. The data subject has the right to have incomplete personal data completed, including by providing a supplementary declaration.
(c) the right of the Data Subject to have his or her personal data erased ("right to be forgotten"), which includes:
o the right to obtain from the Data Controller the erasure of personal data relating to the Data Subject without undue delay if one of the following grounds is met:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- The data subject shall withdraw the consent on the basis of which the processing is carried out, provided that there is no other legal basis for the processing of the personal data;
- The data subject objects to the processing of personal data pursuant to Article 21(1). Regulation and there are no overriding legitimate grounds for the processing of personal data or the Data Subject objects to the processing of personal data pursuant to Article 21(2). Regulation;
- personal data have been unlawfully processed;
- the personal data must be erased in order to comply with a legal obligation under European Union law or the law of a Member State to which the Data Controller is subject;
- the personal data were collected in connection with the offer of information society services pursuant to Article 8(1). of the Regulation;
o the right to have the Data Controller who has disclosed the Personal Data of the Data Subject take reasonable measures, including technical measures, having regard to the technology available and the cost of implementing the measures, to inform other Data Controllers who process Personal Data that the Data Subject has requested them to erase all references to, copies of, or replicas of that Personal Data;
However, the right to erasure of personal data containing the rights under Article 17(1) and (2). Regulation [i.e. with the content of the rights under (i) and (ii) of this point (c) of point J. of this document] will not arise as long as the processing of the personal data is necessary:
1. to exercise the right to freedom of expression and information;
2. for compliance with a legal obligation requiring processing under European Union law or the law of a Member State to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
3. for reasons of public interest in the field of public health in accordance with Article 9(2)(h) and (i) of the Regulation as well as Article 9(3). Regulation;
4. for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1). Regulation, where the right referred to in Article 17(1) is likely to of the Regulation will make it impossible or seriously impede the achievement of the purposes of such processing of personal data; or
5. to prove, exercise or defend legal claims;
Thus, the Data Subject's right to erasure of personal data means that we must erase your personal data if (i) it is no longer necessary for the purposes for which it was collected or otherwise processed, (ii) the processing is unlawful, (iii) you object to the processing and there are no overriding legitimate grounds for the processing, or (iv) we are under a legal obligation to do so.
d) the right of the Data Subject to restrict the processing of personal data, which includes:
o the right to have the Controller restrict the processing of personal data in respect of one of the following cases:
- The data subject contests the accuracy of the personal data during a period allowing the Controller to verify the accuracy of the personal data;
- the processing of the personal data is unlawful and the Data Subject objects to the erasure of the personal data and requests instead the restriction of its use;
- The controller no longer needs the personal data for the purposes of the processing, but the Data Subject needs them to establish, exercise or defend legal claims;
- The data subject objected to processing pursuant to Article 21(1). Regulation, pending verification whether the legitimate grounds on the part of the Controller outweigh the legitimate grounds of the Data Subject;
o the right that, where the processing of personal data has been restricted pursuant to subparagraph (i) of this point (d) of paragraph J. hereof, such restricted personal data shall, except for storage, be processed only with the consent of the Data Subject or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State;
o the right to be informed in advance of the lifting of the restriction on the processing of personal data;
The Data Subject's right to restrict the processing of personal data means that until we have resolved any disputed issues regarding the processing of your personal data, we must restrict the processing of your personal data so that we can only store and not further process the Data Subject's personal data.
(e) the Data Subject's right to comply with a notification obligation to recipients, which includes:
o the right to have the Data Controller notify any recipient to whom personal data have been disclosed of any rectification or erasure of personal data or restriction of processing carried out pursuant to Articles 16, 17(1) and 18 of the Regulation, unless this proves impossible or involves disproportionate effort;
o the right for the Controller to inform the Data Subject about these recipients, if the Data Subject so requests;
The right of the Data Subject to comply with the obligation to notify the recipients means the obligation of the Data Controller to notify each recipient to whom the Data Subject's personal data has been provided of any rectification and erasure of personal data or restriction of their processing. The Controller does not have this obligation only if such notification is impossible or requires disproportionate effort for objective reasons.
(f) the right of the Data Subject to the portability of personal data, which includes:
o the right to obtain the personal data concerning the Data Subject which he or she has provided to the Controller in a structured, commonly used and machine-readable format and the right to transfer that data to another controller without being prevented by the Controller if:
- the processing is based on the Data Subject's consent pursuant to Article 6(1)(a) of the Regulation or Article 9(2)(a) of the Regulation, or on a contract pursuant to Article 6(1)(b) of the Regulation, and at the same time;
- the processing is carried out by automated means, and at the same time;
- the right to obtain personal data in a structured, commonly used and machine-readable format and the right to transfer such data to another controller without being hindered by the Data Controller will not have adverse effects on the rights and freedoms of others;
o the right to transfer personal data directly from one controller to another controller, where technically feasible;
The right to data portability means that you have the right to obtain from us your personal data that you have previously provided to us in a structured, commonly used and machine-readable format, and you have the right to request that we transfer your personal data to another controller, subject to the fulfilment of the legal conditions; the exercise of this right is without prejudice to your right to erasure of your personal data. However, the right of portability only applies to personal data that we have obtained from you on the basis of a contract to which you are a party.
(g) the right of the Data Subject to object, which includes:
o the right to object at any time, on grounds relating to the particular situation of the Data Subject, to processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(e) or (f) of the Regulation, including objections to profiling based on these provisions of the Regulation;
o [in the case of the exercise of the right to object at any time, on grounds relating to the particular situation of the Data Subject, to processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(a)(1)(b) of the GDPR]. (e) or (f) of the Regulation, including to object to profiling based on these provisions of the Regulation] the right not to further process the Data Subject's personal data unless the Data Subject demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims;
o the right to object at any time to the processing of personal data concerning the Data Subject for direct marketing purposes, including profiling to the extent that it is related to direct marketing; provided that if the Data Subject objects to the processing of personal data for direct marketing purposes, the personal data may no longer be processed for such purposes;
o (in relation to the use of information society services) the right to exercise the right to object to the processing of personal data by automated means using technical specifications;
o the right to object, on grounds relating to the particular situation of the Data Subject, to processing of personal data concerning the Data Subject where the personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1). Regulation, except where the processing is necessary for the performance of a task carried out for reasons of public interest;
The right of the Data Subject to object therefore means that you, as a Data Subject, can object to the processing of your personal data that we process for direct marketing purposes or for legitimate reasons. We will stop processing personal data for marketing purposes as soon as we receive your objection.
h) the right of the Data Subject related to automated individual decision-making, which includes:
o the right not to be subject to a decision which is based solely on automated processing of personal data, including profiling, and which has legal effects concerning him or her or similarly significantly affects him or her, except pursuant to Article 22(2). Regulation [i.e. except where the decision is: (a) necessary for entering into, or performance of, a contract between the Data Subject and the Data Controller, (b) permitted by European Union law or the law of a Member State to which the Data Controller is subject and which also provides for appropriate measures to safeguard the rights and freedoms and legitimate interests of the Data Subject, or (c) based on the Data Subject's explicit consent];
The Data Subject's right relating to automated individual decision-making means that as a Data Subject you have the right not to be subject to a decision which is based solely on automated processing, including profiling, and which has legal effects concerning you or similarly significantly affecting you. Where such processing is necessary for entering into or performance of a contract or based on the Data Subject's explicit consent, the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the Data Subject, in particular by adopting minimum measures such as the right to human intervention on the part of the controller, the right of the Data Subject to express his or her point of view and the right of the Data Subject to contest the decision.
The controller shall provide the data subject with information on the measures taken following a request pursuant to Articles 15 to 22 of the GDPR without undue delay and in any event within one month of receipt of the request. That period may be extended by a further two months if necessary, taking into account the complexity of the request and the number of requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for missing the deadline. Where the data subject has made the request by electronic means, the information shall, where possible, be provided by electronic means, unless the data subject has requested otherwise.
In the cases mentioned above, the controller may refuse to act on the data subject's request in exercising his or her right under Articles 15 to 22 of the GDPR only if he or she demonstrates that he or she is unable to identify the data subject.
(i) The right of the data subject to lodge a request for the initiation of proceedings within the meaning of Article 100 of the Data Protection Act, which shall include:
o the right of a Data Subject who believes that his or her personal data is being unlawfully processed or that his or her personal data has been misused to file a petition with the Office for Personal Data Protection of the Slovak Republic (hereinafter referred to as "the Office") to initiate a personal data protection proceeding;
o The application to initiate proceedings may be made in writing, in person or orally on the record, by electronic means and must be signed by a certified electronic signature, by telegraph or by telefax, but must be completed in writing or orally on the record within 3 days at the latest;
o In accordance with the provisions of Section 100(3) of the Personal Data Protection Act, the proposal in question must include:
- the name, surname, permanent address and signature of the applicant;
- identification of the person against whom the application is directed; name or first and last name, registered office or permanent residence, or legal form and identification number;
- the subject matter of the application, indicating which rights the applicant claims have been infringed in the processing of personal data;
- evidence in support of the claims made in the application;
- a copy of the document evidencing the exercise of the right under section 28, if such right could have been exercised, or a statement of reasons of special consideration;
o The Authority shall then decide on the petitioner's application within 60 days from the date of initiation of the proceedings. In justified cases, the Office may extend this period accordingly, but not for more than 6 months. The Office shall inform the parties in writing of the extension of the time limit;
o A template for the initiation of a personal data protection procedure can be found on the website of the Office (https://dataprotection.gov.sk/uoou/sites/default/files/vzor_navrhu_na_zacatie_konania_podla_noveho_zakona.docx).