Personal Data Protection Policy
Here at Inclave, we recognize the importance of protection of the personal data of our customers and business partners. The purpose of this Personal Data Protection Policy (the “Policy”) is to provide you with a complete and structured overview of the type of personally identifying information we collect, for what purpose and when we collect them. In this Policy, “Inclave”, “we”, “us” and “our” each means INCLAVE LIMITED registered in Ireland under Reg. No. 679202 with its registered address 77 Camden Street Lower, Dublin 2, Dublin, D02XE80, Ireland.
This site is structured to give you a comprehensive overview of the Policy and scope of gathered information.
In the chapters below, we will tell you everything about the personal data processing that we carry out. If we process your personal data, you will find more details about each individual processing, your rights and the manner in which your rights may be exercised under the following links designating specific purposes of personal data processing.
-
Using Inclave as a client – We are processing your personal data in order to give you access to our app and all its functionalities and features and in order our obligations under the Terms & Conditions of Inclave.
Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available HERE.
-
Marketing – We are collecting and processing data for the purposes of identifying the best service offer for you and supporting sales and Inclave’s reputation. Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available HERE.
-
Business cooperation – In order to secure full functionality of our app, we use third party suppliers and other business partners. We collect and process data necessary for the performance of contracts with the suppliers of services or goods, mainly contact information of suppliers’ representatives (employees, statutory representatives or other designated persons).
Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available HERE.
-
Applying for job at Inclave – We collect, process and maintain personal data collected in connection with our recruitment process (organized selection procedure for an open job position) or the offer of work for the company for the purposes of sending job offers. Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available HERE.
-
Employment by Inclave – We are processing our employees’ personal data in order to ensure compliance with our legal obligations as employers and to ensure exercise and protection of the employer’s rights and legal interests, or processing based on the employee’s consent.
Comprehensive information on the processing, including details of your rights, the requirements for exercising your rights and the manner in which your rights may be exercised, is available HERE.
I. USING INCLAVE AS A CLIENT
- In order to provide you with an access to our Inclave app, we will need some personal data from you, specifically your full name, email address and a cell phone number. The personal data controller in this case is INCLAVE LIMITED registered in Ireland under Reg. No. 679202 with its registered address 77 Camden Street Lower, Dublin 2, Dublin, D02XE80, Ireland (hereinafter the “Controller”). The legal reason for collecting and processing your personal data is our obligation to fulfill a contract concluded between you and us (Art. 6(b) of the GDPR). Provision of such data is necessary to use our app. We will store and process this information only for the duration of our contract and for the period required by law (for example for tax control purposes). Your data will be processed and stored only on our servers which are located in Ireland and will not be transferred or otherwise sent to third countries and will not be disclosed to anyone else other than the service providers you request we share the information with. If we ever decide that we need a third party data processor pursuant to Art. 4(8) of the GDPR or by authorizing a third party processor, we will make sure to minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data. Please be advised that no Data Protection Officer has been designated in our company. However, if you wish to exercise any of your rights listed below, please contact us through [email protected].
-
WHAT ARE YOUR RIGHTS?
You have the following rights in respect of the personal data processing concerned:
- ACCESS – The right to be informed whether or not your personal data are being processed. If your personal data are being processed, you have the right to obtain the prescribed information about the processing and the right, under certain conditions, to obtain a copy of the processed personal data;
- RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
- ERASURE (right to be forgotten) – The right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
- RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legitimate interests);
- COMPLAINT – The right to lodge a complaint against the Controller, the processing or the terms and conditions of exercising your rights to the relevant data protection authority. See https://edpb.europa.eu/about-edpb/about-edpb/members_en to find relevant contact details;
In addition, you have the following rights:
- RIGHT TO OBJECT – The right to request that your personal data no longer be processed for the purposes of the legitimate interests pursued by the Controller.
Use the relevant link to find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised. See how to exercise your rights HERE HERE.
-
AUTOMATED DECISION-MAKING AND PROFILING
- Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.
- Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, etc.
- In connection with the processing of personal data, automated decision-making WILL NOT be used.
- In connection with the processing of personal data, profiling WILL NOT be used.
II. MARKETING
- From time to time, we may decide to send you information about our services and other commercial offers. Our commercial communication takes into account your envisaged needs, interests and preferences based on profiling using your previous browsing behavior through the usage of cookies to ensure relevance to your interests and needs. The data we will be collecting and processing are your full name, email and cell phone number. The personal data controller in this case is INCLAVE LIMITED registered in Ireland under Reg. No. 679202 with its registered address 77 Camden Street Lower, Dublin 2, Dublin, D02XE80, Ireland (hereinafter the “Controller”). The legal reason for collecting and processing your personal data is your consent (Art. 6(1)(a) of the GDPR). Provision of such data is voluntary. We will store and process this information only for the duration of your consent. Your data will be processed and stored only on our servers which are located in Ireland and will not be transferred or otherwise sent to third countries and will not be disclosed to anyone else. If we ever decide that we need a third-party data processor pursuant to Art. 4(8) of the GDPR or by authorizing a third-party processor, we will make sure to minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data. Please be advised that no Data Protection Officer has been designated in our company. However, if you wish to exercise any of your rights listed below, please contact us through [email protected].
-
YOUR RIGHTS
You have the following rights in respect of the personal data processing concerned:
- WITHDRAWAL OF CONSENT – Your consent may be withdrawn at any time in the manner stipulated HERE. The withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out before the withdrawal. Upon your withdrawal of consent, the processing of your data for marketing purposes will be terminated.
- ACCESS – The right to be informed whether or not your personal data are being processed. If your personal data are being processed, you have the right to obtain the prescribed information about the processing and the right, under certain conditions, to obtain a copy of the processed personal data;
- RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
- ERASURE (right to be forgotten) – The right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
- RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legitimate interests);
- COMPLAINT – The right to lodge a complaint against the Controller, the processing or the terms and conditions of exercising your rights to the relevant data protection authority. See https://edpb.europa.eu/about-edpb/about-edpb/members_en to find relevant contact details;
- PORTABILITY – The right to receive, under certain conditions stipulated by law, personal data for the purposes of their further processing by another person designated by you and to transmit those data to such person or to request that the data be transmitted directly to the other person for processing.
In addition, you have the following rights:
- RIGHT TO OBJECT – The right to request that your personal data no longer be processed for the purposes of the legitimate interests pursued by the Controller or by a third party or for marketing purposes.
Use the relevant link to find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised. See how to exercise your rights HERE .
-
AUTOMATED DECISION-MAKING AND PROFILING
- Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.
- Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, etc.
- In connection with the processing of personal data, automated decision-making WILL NOT be used.
- In connection with the processing of personal data, profiling WILL be used. Specifically, profiling will be used to determine preferences according to previous purchases.
III. BUSINESS COOPERATION
- As every company, Inclave relies on business cooperation with other companies or individuals to secure all the needs a company like Inclave might have. The information we collect and process regarding our business partners vary depending on their legal status. If our business partner is a legal entity, we store information about their representatives, i.e. full name, email, phone number and position in the company. If the business partner is a freelancer, the information we process is a full name, email, phone number, job description and other information required by law (mainly by tax laws). The personal data controller in this case is INCLAVE LIMITED registered in Ireland under Reg. No. 679202 with its registered address 77 Camden Street Lower, Dublin 2, Dublin, D02XE80, Ireland (hereinafter the “Controller”). The legal reason for collecting and processing your personal data is in the case the supplier is a natural person-freelancer our legitimate interest and our obligation to fulfill a contract pursuant to Article 6(1)(b) and (f) of the GDPR, if the supplier is a legal entity, the reason is also our legitimate interest and our obligation to fulfill a contract pursuant to Article 6(1)(b) and (f) of the GDPR. Provision of such data is necessary to fulfill our mutual contractual obligations. We will store and process this information only for the duration of our contract and for the period required by law (for example for tax control purposes). Your data will be processed and stored only in our offices and on our servers which are located in Ireland and will not be transferred or otherwise sent to third countries and will not be disclosed to anyone else. If we ever decide that we need a third-party data processor pursuant to Art. 4(8) of the GDPR or by authorizing a third-party processor, we will make sure to minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data. Please be advised that no Data Protection Officer has been designated in our company. However, if you wish to exercise any of your rights listed below, please contact us through [email protected].
-
YOUR RIGHTS
You have the following rights in respect of the personal data processing concerned:
- ACCESS – The right to be informed whether or not your personal data are being processed. If your personal data are being processed, you have the right to obtain the prescribed information about the processing and the right, under certain conditions, to obtain a copy of the processed personal data;
- RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
- ERASURE (right to be forgotten) – The right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
- RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legitimate interests);
- COMPLAINT – The right to lodge a complaint against the Controller, the processing or the terms and conditions of exercising your rights to the relevant data protection authority. See https://edpb.europa.eu/about-edpb/about-edpb/members_en to find relevant contact details;
In addition, you have the following rights:
- RIGHT TO OBJECT – The right to request that your personal data no longer be processed for the purposes of the legitimate interests pursued by the Controller.
-
AUTOMATED DECISION-MAKING AND PROFILING
- Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.
- Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, etc.
- In connection with the processing of personal data, automated decision-making WILL NOT be used.
- In connection with the processing of personal data, profiling WILL NOT be used.
IV. EMPLOYEMENT BY INCLAVE
- If you are an employee here at Inclave, we process your personal data as the laws require from us. We collect and process personal data such as full name, home address, date of birth, personal ID number, sex, wage and scope of work and other information required by law for the tax, social security and pension purposes. The personal data controller in this case is INCLAVE LIMITED registered in Ireland under Reg. No. 679202 with its registered address 77 Camden Street Lower, Dublin 2, Dublin, D02XE80, Ireland (hereinafter the “Controller”). The legal reason for collecting and processing your personal data is compliance with the legal obligations to which the Controller is subject pursuant to the labor law, social security and tax regulations (Art. 6(1)(c) of the GDPR) and performance of the contract with the employee (Art. 6(1)(b) of the GDPR). Provision of such data is mandatory. We will store and process this information for the duration of our employment and for the period required by law or other underlying obligations (for example a non-compete clause etc.). Your data will be processed and stored in our offices and on our servers and will not be transferred outside the EU. If we ever decide that we need a third-party data processor pursuant to Art. 4(8) of the GDPR or by authorizing a third-party processor, we will make sure to minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data. Please be advised that no Data Protection Officer has been designated in our company. However, if you wish to exercise any of your rights listed below, please contact us through [email protected].
-
WHAT ARE YOUR RIGHTS?
You have the following rights in respect of the personal data processing concerned:
- ACCESS – The right to be informed whether or not your personal data are being processed. If your personal data are being processed, you have the right to obtain the prescribed information about the processing and the right, under certain conditions, to obtain a copy of the processed personal data;
- RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
- ERASURE (right to be forgotten) – The right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
- RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legitimate interests);
- COMPLAINT – The right to lodge a complaint against the Controller, the processing or the terms and conditions of exercising your rights to the relevant data protection authority. See https://edpb.europa.eu/about-edpb/about-edpb/members_en to find relevant contact details;
- WITHDRAWAL OF CONSENT – concerning the use of photographs. Your consent may be withdrawn at any time. The withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out before the withdrawal. In consequence of your withdrawal of consent, the photographs used by the Controlled on the grounds of your consent will be erased.
Use the relevant link to find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised. See how to exercise your rights HERE .
-
AUTOMATED DECISION-MAKING AND PROFILING
- Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.
- Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, etc.
- In connection with the processing of personal data, automated decision-making WILL NOT be used.
- In connection with the processing of personal data, profiling WILL NOT be used.
V. APPLYING FOR A JOB AT INCLAVE
- If you are applying for a position at Inclave, we have to process certain personal data about you. Namely your identification data – the first name, surname, date of birth, permanent address, your contact data - permanent address, phone number, email address, information on educational qualifications, information on previous work experience and other necessary data collected in connection with our recruitment and hiring process (organized selection procedure for an open job position) or your offer of services submitted to us (enquiry about an opportunity to work for us without any previous demand placed by us). The personal data controller in this case is INCLAVE LIMITED registered in Ireland under Reg. No. 679202 with its registered address 77 Camden Street Lower, Dublin 2, Dublin, D02XE80, Ireland (hereinafter the “Controller”). The legal reason for collecting and processing your personal data is our legitimate interest pursuant to Article 6(1)(f) of the GDPR. Provision of such data is voluntary. We will store and process this information for 3 years after our first contact. Your data will be processed and stored in our offices and on our servers and will not be transferred outside the EU. If we ever decide that we need a third-party data processor pursuant to Art. 4(8) of the GDPR or by authorizing a third-party processor, we will make sure to minimize the risk of unauthorized disclosure, destruction, processing or loss of the personal data. Please be advised that no Data Protection Officer has been designated in our company. However, if you wish to exercise any of your rights listed below, please contact us through [email protected].
-
YOUR RIGHTS
You have the following rights in respect of the personal data processing concerned:
- WITHDRAWAL OF CONSENT – Your consent may be withdrawn at any time. The withdrawal of consent shall not affect the lawfulness of the processing of personal data carried out before the withdrawal. Upon your withdrawal of consent, you will be excluded from the database of potential job seekers. After you are excluded from the database, you will no longer receive offers of job vacancies with the Controller;
- ACCESS – The right to be informed whether or not your personal data are being processed. If your personal data are being processed, you have the right to obtain the prescribed information about the processing and the right, under certain conditions, to obtain a copy of the processed personal data;
- RECTIFICATION – The right to request rectification if the personal data processed are inaccurate, or the right to request completion if the data are incomplete;
- ERASURE (right to be forgotten) – The right to request, under certain conditions stipulated by law (withdrawal of consent, termination of contract, unlawful processing), erasure of the personal data;
- RESTRICTION OF PROCESSING – The right to request marking and, if applicable, restriction (suspension) of the processing pending verification of accuracy of the data, lawfulness of the processing or response to an objection or to ensure protection of your interests (exercise or protection or defense of rights and legitimate interests);
- COMPLAINT – The right to lodge a complaint against the Controller, the processing or the terms and conditions of exercising your rights to the relevant data protection authority. See https://edpb.europa.eu/about-edpb/about-edpb/members_en to find relevant contact details;
- PORTABILITY – The right to receive, under certain conditions stipulated by law, personal data for the purposes of their further processing by another person designated by you and to transmit those data to such person or to request that the data be transmitted directly to the other person for processing.
In addition, you have the following rights:
- RIGHT TO OBJECT – The right to request that your personal data no longer be processed for the purposes of the legitimate interests pursued by the Controller.
Use the relevant link to find details of individual rights, their characteristics and the conditions under which the rights arise and may be exercised. See how to exercise your rights HERE
-
AUTOMATED DECISION-MAKING AND PROFILING
- Automated decision-making means decisions that are made by automated means or based on the output of automated processes, without human intervention/volition.
- Profiling means the use of personal data to evaluate certain personal aspects relating to a natural person, e.g. to predict that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, etc.
- In connection with the processing of personal data, automated decision-making WILL NOT be used.
- In connection with the processing of personal data, profiling WILL be used. Specifically, profiling will be based on the obtained educational qualifications and previous work experience in order to only select those applicants from the database for whom the offered job position is suitable with respect to the given criteria.
ARTICLE I
EXERCISE OF RIGHTS IN GENERAL
- CHANNELS USED TO EXERCISE RIGHTS Subject to the terms and conditions provided below, the rights may be exercised via the Controller’s email address: [email protected];
- IDENTIFICATION AND SECURE COMMUNICATION The exercise of rights must not negatively affect the rights and freedoms of third parties. Hence, the Controller has the right and obligation, in necessary cases, to identify the data subject requesting the exercise of rights. For that reason, the Controller must choose a safe and reliable communication channel. Communication via electronic mail with a certified electronic signature, communication via a data box, or communication via a postal service provider, where an authenticated signature of the responsible person is attached to the document being delivered or where the reply is served upon the addressee personally, shall be considered a reliable communication where the identity of the addressee need not be further verified.
- RIGHTS EXERCISED ORALLY In exceptional cases, when requested by the person concerned, the information may be provided or the rights exercised orally, provided that a written record is made of the oral provision of information or exercise or rights by the data subject. Where the rights are exercised orally, the identity of the data subject must be verified using an ID card, passport, driver’s license or another document that may serve as evidence that the rights are exercised by the person who is entitled to exercise those rights, unless the data subject is personally known.
- ELECTRONIC APPLICATION Where the request is made or the rights exercised by electronic means, the response shall also be provided by electronic means, unless otherwise requested by the person concerned.
- CHARGE The information provided to the data subjects, the copies of data provided to the data subjects and any communication and any action relating to the exercise of rights by the data subjects shall be free of charge.
-
REJECTION AND CHARGE
Where the data subject's request (exercise of right) is manifestly unfounded or unreasonable, particularly because it is identical or predominantly identical or excessive, and cannot be complied with within the statutory deadline,
- compliance with the request shall be subject to a deposit to cover the administrative costs associated with the provision of the requested information or communication or with the requested actions; the deposit may be claimed up to the amount of the estimated costs and the requested information, communication, etc. shall only be released to the data subject after full reimbursement of the incurred costs, or
- the request shall not be complied with, or the exercise of the right shall be declined in writing with a reasoning.
- RESPONSE PERIOD The data subject’s requests and the exercise of the data subject’s rights are responded to without undue delay. A response containing the requested information or a description of the measures adopted following the data subject’s request, etc., must be delivered to the data subject no later than within 30 days from the date of receipt of the request. If, for serious reasons, the matter cannot be resolved within the above deadline, the data subject shall be notified in writing or by email, no later than by the end of the above deadline, that the deadline will not be met, together with the reasons for the delay and a new deadline within which the matter will be resolved; the deadline may not be extended by more than 60 days.
ARTICLE II
RIGHT OF ACCESS TO AND RIGHT TO OBTAIN A COPY OF PERSONAL DATA
- Upon request, the data subject shall have the right to obtain confirmation as to whether or not his/her personal data are being processed.
-
If the personal data concerning the data subject are being processed, the data
subject shall receive the following information:
- the purposes of the processing and the legal basis/title for the processing of personal data, including reference to the provisions of the applicable legal regulation, and the scope and consequences of the processing;
- the recipients or categories of recipients of personal data, if any;
- the transfer of personal data to third countries, where applicable, including information on the appropriate safeguards to ensure security of the data transferred to a third country;
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- the existence of the right to request access to and rectification or erasure of personal data concerning the data subject or the right to request restriction of processing or to object to the processing of personal data and the conditions under which the rights arise and the manner in which the rights may be exercised; the information shall only include the rights the exercise of which is relevant to the nature of the processing of personal data;
- the existence of the right to data portability, the conditions under which the right arises and the conditions under which it may be exercised, to the extent that the exercise of such right is relevant to the nature of the processing of personal data;
- the existence of an automated decision-making process and the data subject’s rights connected with automated decision-making;
- the source of personal data, and, where applicable, the fact that the personal data were obtained from publicly accessible sources;
- the right to lodge a complaint with the supervisory authority (see https://edpb.europa.eu/about-edpb/about-edpb/members_en);
- the existence of an automated decision-making in the form of profiling and the significance and the envisaged consequences of such processing, if any, for the data subject.
- The data subject shall have the right to request a copy of the personal data undergoing processing. The first copy is free of charge. For any further copies, a reasonable fee may be charged. Article I, Paragraph 6 shall apply accordingly.
- Where the right to obtain a copy could adversely affect the rights and freedoms of third parties (e.g. copies containing third party personal data which the requesting data subject has no legal title to obtain), the copy shall be anonymized in an appropriate manner. If anonymization is not possible or if, as a result of the anonymization, the requested information loses the strength of evidence, no copy shall be provided.
ARTICLE III
RIGHT TO RECTIFICATION
- The data subject shall have the right to obtain rectification of the personal data being processed, if the data are inaccurate or incomplete in relation to the purpose for which they are being processed. The data subject shall have the right to request that the personal data be rectified (and completed) or completed.
- If the data subject has exercised the right to rectification of the personal data being processed, the Controller shall immediately review the processing of personal data that is the subject of the exercised right to rectification.
- If the objection is found to be reasonable, at least to some degree, the Controller shall, without undue delay, ensure that the situation is remedied, i.e. that the processed personal data are rectified or completed.
- The data subject will be notified in writing or by email of the result of the review and the measures adopted.
ARTICLE IV
RIGHT TO ERASURE
-
The data subject shall only have the right to obtain from the data Controller
the erasure of personal data concerning him or her if one of the following
grounds applies:
- the personal data are not necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing;
- the data subject has raised a reasonable objection to the processing;
- the personal data have been processed unlawfully, especially without legal grounds;
- the personal data have to be erased for compliance with a legal obligation arising from a particular legal regulation or a decision based on a legal regulation;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.
- An erasure of personal data shall mean the physical destruction of the personal data carrier (e.g. destruction of documents) or the deletion of the data (from multimedia carriers) or other permanent exclusion of the personal data from further processing.
- If the data subject has exercised the right to erasure of the processed personal data, the Controller shall review the data subject’s request. If the request is found to be reasonable, at least to some degree, the personal data shall be erased to the necessary extent. Article I, Paragraph 7 hereof shall apply accordingly.
- The data that are the subject of the right to erasure shall be marked until the data subject’s request is complied with.
-
The personal data shall not be erased to the extent that their processing is
necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation arising from legal regulations;
- for reasons of public interest in the area of public health (points (h) and (i) of Art. 9(2) and Art. 9(3) of the GDPR);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defense of the Controller’s rights.
ARTICLE V
RIGHT TO RESTRICTION OF PROCESSING
- Where the data subject has exercised the right to restriction of processing in respect of a specific processing of personal data, the Controller shall immediately assess relevance of the data subject’s request, primarily the existence of the grounds for exercising the right to restriction of processing; the assessment shall take into account the content of the request as well as other facts and circumstances relating to the processing concerned.
-
The data subject shall have the right to restriction of processing where one of
the following grounds applies:
- the accuracy of the personal data is contested by the data subject;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests restriction of their use instead;
- the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing.
- The personal data affected by restriction shall be marked.
- Where processing has been restricted, the personal data concerned may, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
- If the restriction of processing is lifted, the data subject shall be informed in writing or by email before the restriction of the processing of personal data is lifted. The information shall contain the date on which and the reasons why the restriction will be lifted.
ARTICLE VI
RIGHT TO PORTABILITY
- If the processing of personal data involves personal data obtained from the data subject (either data directly provided by the data subject or data obtained about his/her activities, etc.) and concerning the data subject, the data subject shall have the right to portability (receipt and transmission) of those data if the processing is based on consent of the data subject or on a contract with the data subject and the processing is carried out by automated means. The right to portability does not apply to the data and information created by the Controller on the basis of the data obtained from the data subject (e.g. profiling of the envisaged consumer behavior of the data subject based on the data obtained from the data subject, etc.).
- In exercising the right to portability of data, the data subject may request the
following:
- have the personal data that are subject to the right to portability transferred to the data subject in a structured, commonly used and machine-readable format; format requiring special paid license or format excluding further editing of or other manipulation with (processing of) the personal data (e.g. *.pdf) shall be avoided;
- have the personal data that are subject to the right to portability transferred to another personal data controller designated in the data subject’s request for the transfer of data, in a structured, commonly used and machine-readable format; format requiring special paid license or format excluding further editing of or other manipulation with (processing of) the personal data (e.g. *.pdf) shall be avoided.
- A request of the data subject shall not be complied with, inter alia (Article I(6)), if compliance with the request would adversely affect the rights and freedoms of other persons (data subjects).
- A request for portability of data pursuant to Paragraph 2(b) shall further not be complied with, if the transfer of data is technically not feasible; transfer of data that cannot be adequately secured by available technical means given the nature of the transferred personal data and the risks involved shall also be considered to be technically not feasible.
- In addition to the transferred personal data, information on the purposes of the processing of personal data shall be transferred and, where requested by the data subject, also information on the processing of personal data to the extent of Article 13 of the GDPR.
ARTICLE X
AUTOMATED INDIVIDUAL DECISION-MAKING INCLUDING PROFILING
- No decision or legal act concerning the data subject or other measures or
procedures which produce adverse legal effects concerning the data subject or
similarly significantly affect the data subject (e.g. automated refusal of an
online credit application, e-recruiting practices without any human involvement
and review of the electronic system’s negative decisions) can be based on
automated individual decision-making, including profiling, unless the decision
is:
- necessary for entering into, or performance of, a contract between the data subject and the data Controller;
- authorized by legal regulations which lay down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or
- based on the data subject's explicit consent
- In the cases referred to in points (a) and (c) of Paragraph 1, the Controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests and prevent them from negative effects of automated individual decision-making. Such measures include at least the data subject having a chance to express his/her point of view prior to the implementation of the action with negative consequences, a chance to have the decision reviewed by the Controller-appointed person and the right to obtain human intervention, e.g. a regular review of the functionality of the automated decision-making system and a setup of its functionality so as to exclude unreasonable interference with the rights and freedoms or legitimate interests of the data subject.
- Where the processing involves sensitive data, or where individual decisions pursuant to Paragraph 1 are to be based on sensitive data, Paragraph 2 shall only apply if sufficient safeguards have been ensured pursuant to Paragraph 2 of this Article on condition that the processing of personal data is based on explicit consent of the data subject pursuant to Article 9(2) point (a) of the GDPR, or the processing is necessary for reasons of important public interest stipulated by law and the processing is adequate to the envisioned objectives, compliant with the personal data protection law and provides sufficient and specific safeguards of the protection of fundamental rights and interests of the data subject.
ARTICLE XI
RIGHT TO OBJECT
- If the processing of personal data is based on point (e) of Article 6(1) of the GDPR (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller) or point (f) of Article 6(1) of the GDPR (processing is necessary for the purposes of protection of the rights and legitimate interests pursued by the Controller), the data subject shall have the right to object to the processing of personal data concerned.
- Where personal data are processed for direct marketing purposes, the data subject shall have the right to object, at any time, to the processing of the personal data concerning him or her for such marketing, including profiling to the extent that it relates to such direct marketing. Where the data subject has objected to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
- If the data subject has exercised the right to object, the Controller shall investigate the objection without undue delay.
- The personal data or the processing of personal data concerned shall be marked until the data subject’s objection is resolved.
- The personal data that are the subject of a justified objection can no longer be
processed, unless:
- further processing is important for serious legitimate reasons that override the interests or rights and freedoms of the data subject, or
- further processing is necessary for the establishment, exercise or defense of the Controller’s rights.