Rights of the interested party

Procedure for data subject rights pursuant to Articles 15 to 23 of Regulation 679/2016

EU Regulation 679/2016 on the Protection of Personal Data includes, among its cornerstones, the protection of data subjects' rights in the processing of personal data.

These rights allow the data subject to control the types of data used, the methods of processing, and give them the ability to limit such use, to object, and to delete personal data in certain circumstances.

A corollary of these rights is the right to lodge a complaint and seek legal protection in the event of violations relating to unauthorized or unlawful processing.

This procedure aims first and foremost to identify these rights, as well as establish the response timelines and methods for exercising them. Finally, this document identifies the entity responsible for responding to requesting parties.

The purpose of this procedure is to facilitate the interested party pursuant to Article 12, paragraph 2, in exercising his or her rights.

The rights of the interested party

Article 15 Right of access by the data subject

  1. The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her is being processed, and, where that is the case, access to the personal data and the following information:
  2. a) the purposes of the processing;
  3. b) the categories of personal data concerned;
  4. c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  5. d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  6. e) the existence of the right of the data subject to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning him or her or to object to such processing;

f) the right to lodge a complaint with a supervisory authority;

  1. (g) where the personal data are not collected from the data subject, any available information as to their source;
  2. h) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.