IT
The EU data protection regulations formalise an extensive catalogue of rights incumbent on the data subject, which are listed below:
- Data subject’s right of access
The data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller the rectification or erasure of personal data concerning him/her or the restriction of the processing of personal data concerning him/her or to object to their processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the data are not collected from the data subject, all available information as to their source;
h) the existence of an automated decision-making process, including profiling as referred to in Article 22(1) and (4), and, at least in such cases, meaningful information on the logic used, as well as the importance and the envisaged consequences of such processing for the data subject.
Where personal data are transferred to a third country or an international organisation, the data subject shall have the right to be informed of the existence of appropriate safeguards within the meaning of Article 46 relating to the transfer.
The controller shall provide a copy of the personal data undergoing processing. In case of further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject makes the request by electronic means, and unless otherwise specified by the data subject, the information shall be provided in a commonly used electronic format.
The right to obtain a copy referred to in paragraph 3 shall not infringe the rights and freedoms of others.
- Right of rectification
The data subject shall have the right to obtain from the controller the rectification of inaccurate personal data concerning him or her without undue delay. Having regard to the purposes of the processing, the data subject shall have the right to obtain the integration of incomplete personal data, including by providing a supplementary declaration.
- Right to erasure (‘right to be forgotten’)
1. The data subject shall have the right to obtain from the data controller the erasure of personal data concerning him/her without undue delay, and the data controller shall be obliged to erase the personal data without undue delay, if one of the following grounds applies
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws the consent on which the processing is based, in accordance with point (a) of Article 6(1) or point (a) of Article 9(2), and if there is no other legal basis for the processing
(c) the data subject objects to the processing pursuant to Article 21(1) and there is no overriding legitimate ground for the processing, or objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data must be erased in order to comply with a legal obligation laid down by Union or Member State law to which the controller is subject;
(f) the personal data have been collected in connection with the offering of information society services referred to in Article 8(1).
2. Where the controller has made personal data public and is obliged under paragraph 1 to erase them, taking into account the available technology and the costs of implementation, the controller shall take reasonable steps, including technical measures, to inform the controllers who are processing the personal data of the data subject’s request to erase any link, copy or reproduction of his or her personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that the processing is necessary
(a) for the exercise of the right to freedom of expression and information;
(b) for compliance with a legal obligation required by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (1)
(c) for reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) and Article 9(3)
(d) for archiving in the public interest, scientific or historical research or statistical purposes in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the purposes of such processing
(e) for the establishment, exercise or defence of legal claims.
- Right to restriction of processing
1. The data subject shall have the right to obtain from the controller the restriction of processing when one of the following cases occurs
(a) the data subject contests the accuracy of the personal data, for the period necessary for the controller to verify the accuracy of those personal data;
(b) the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead that their use be restricted
(c) although the controller no longer needs the personal data for the purposes of processing, the personal data are necessary for the establishment, exercise or defence of legal claims by the data subject
(d) the data subject has objected to the processing pursuant to Article 21(1), pending verification as to whether the legitimate reasons of the controller prevail over those of the data subject.
2. Where processing is restricted pursuant to paragraph 1, such personal data shall, except for storage, only be processed with the consent of the data subject or for the establishment, exercise or defence of legal claims or the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or a Member State.
3. A data subject who has obtained a restriction of processing pursuant to paragraph 1 shall be informed by the controller before that restriction is lifted.
- Obligation to notify in case of rectification or erasure of personal data or restriction of processing
The controller shall notify each recipient to whom the personal data have been transmitted of any rectification or erasure or restriction of processing carried out pursuant to Article 16, Article 17(1) and Article 18, unless this proves impossible or involves a disproportionate effort. The controller shall inform the data subject of such recipients if the data subject so requests.
- Right to data portability
1. The data subject shall have the right to receive, in a structured, commonly used and machine-readable format, personal data concerning him or her that he or she has provided to a data controller and shall have the right to transmit those data to another data controller without hindrance from the data controller to whom he or she has provided them where:
(a) the processing is based on consent within the meaning of Article 6(1)(a) or Article 9(2)(a), or on a contract within the meaning of Article 6(1)(b);
(b) processing is carried out by automated means.
2. When exercising his or her rights in relation to data portability pursuant to paragraph 1, the data subject shall have the right to obtain the direct transmission of personal data from one controller to another, where technically feasible.
3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
4. The right referred to in paragraph 1 shall not affect the rights and freedoms of others.
- Right to object
The data subject shall have the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her pursuant to points (e) or (f) of Article 6(1), including profiling on the basis of those provisions. The controller shall refrain from further processing the personal data unless he can demonstrate compelling legitimate grounds for processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
2. Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her carried out for such purposes, including profiling insofar as it is related to such direct marketing.
3. Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
4. The right referred to in paragraphs 1 and 2 shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information at the latest at the time of the first communication with the data subject.
5. In the context of the use of information society services, and without prejudice to Directive 2002/58/EC, the data subject may exercise his/her right to object by automated means using specific techniques.
6. Where personal data are processed for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1), the data subject shall have the right, on grounds relating to his or her particular situation, to object to the processing of personal data concerning him or her, except where the processing is necessary for the performance of a task carried out in the public interest.
The so-called “Data Subjects”, have the right to obtain from the Institute, in the cases provided for: access to their data, rectification, erasure or restriction of the processing concerning them or to object to the processing (Art. 15 et seq. of EU Regulation 2016/679). The appropriate request, for the exercise of the rights related to the processing of your personal data, shall be submitted to the Data Protection Officer at the Institute in the following ways:
- by registered mail with return receipt, by sending the request to the National Institute for Public Policy Analysis Institute, Corso d’Italia 33, 00198 Rome, to the attention of the Data Protection Officer;
- by Pec, to the institutional address: [email protected] and, for the record, to the e-mail address: [email protected], enclosing the appropriate application, i.e., the completed form that can be downloaded from the institutional website of the Italian Data Protection Authority, at the following link: https://www.garanteprivacy.it/web/guest/home/docweb/-/docweb-display/docweb/1089924.
The exercise of rights as Data Subject is free of charge in accordance with Article 12 of the EU Regulation, except in cases of manifestly unfounded or excessive requests to which paragraph 5 of the same article applies. Candidates who consider that the processing of personal data relating to them occurs in breach of the provisions of the Regulation have the right to lodge a complaint with the Supervisory Authority, as provided for in Article 77 of the Regulation itself, or to take legal action (Article 79 of the GDPR).