New rights of data subjects

The fundamental rights of data subjects include the right to information, the right to rectification, the right to be forgotten (to erasure), the right to restriction of processing, the right to object to the processing on the basis of public interest, the right to object to an automated decision-making and profiling, an entirely new right is the right of access personal data, and the right to portability.

The right to object may be exercised by a data subject at any time to contest the processing of personal data which is carried out for reasons of public interest or on grounds of legitimate interests of the data controller or a third party, including objecting to profiling based on this data. Further, in the case the data subject’s personal data is processed for direct marketing purposes, including profiling to the extent that it is related to such direct marketing, and in this case the data controller shall immediately terminate the processing and profiling of the data for these purposes.

Data subjects will also be able to object and request that they are not subject to a decision which is based solely on the so-called Profiling – on automated processing of their personal data without any human intervention (e.g. assessment of creditworthiness when applying for a loan).

The right of access is the right of a data subject to be provided with the controller’s confirmation whether data concerning him or her is processed by the controller, and if so, at the same time, to be provided with further information about such data, the purposes of the processing, the recipients or third countries where the data was provided or is to be provided, the expected period of data storage, the information on the existence of an automated decision-making, including profiling, and more. Under the new legislation, the data controller will be required to provide the data subject with a copy of the data concerning him or her which the controller processes. Such a copy can be an extract from a records register, or it can be made available via an internal account of the data subject by the data controller where the data is available.

The right to portability  means that the person (data subject) shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format  (for the data to be fully usable) and have the right to transmit those data to another controller. The condition for the exercise of this right, however, is that the processing of data by the previous provider is based on consent or performance under a contract with the data subject, and at the same time it is a processing by automated means (not paper documents). Where technically feasible and, at the same time, where such procedure does not adversely affect the rights and freedoms of others, the data subject should have the right to have the personal data transmitted directly from one controller to another.

Controllers should provide the possibility to directly download the personal data and to transmit the data to another controller. Data controllers should be encouraged to develop interoperable formats that enable data portability. The aim of these procedures is to streamline processes, for example, when changing a service provider. However, the issue of the risks and security of processing by the next controller is not resolved, for example if data is to be transmitted to third countries. In principle, however, a controller transmitting personal data is not responsible for the subsequent personal data processing by the receiving controller or a data subject, but is responsible for the adoption of security measures to secure the data (e.g. by encryption) when it is transmitted and delivered to the right controller (e.g. additional authentication). A receiving data controller is not required to process the data transmitted for the purpose as the previous data controller, and the new data controller should make sure the data transmitted is appropriate for the new purpose of the processing and comply with all the conditions for lawfulness of the data processing.

A question arises here, whether all data is subject to portability, or whether there are any exceptions. Yes, there are some exceptions where there is an exemption to the right to portability. This concerns the so-called derived personal data. For example, it is data obtained by a data controller through personalisation, profiling, categorisation or further analysis of the data provided by a data subject. It follows from the above that the right to portability of personal data applies only to personal data provided by the data subject to the data controller on a legal basis of a consent or performance under a contract. The right of portability should not apply to personal data which the data controller has obtained from other entity than the data subject.

The use of the right to portability does not lead to the deletion of personal data in the previous controller who continues to process the personal data is processed, which is limited in time by a storage period.