Articles 15-34

Article 15 Data subject’s right to access personal data
1. The data subject shall have the right to obtain from the controller confirmation that personal data concerning him or her are being processed and, if so, have the right to access such personal data and the following information:

(a) processing purposes;

(b) the category of personal data concerned;

(c) the recipients or categories of recipients to whom personal data have been or will be made available, in particular recipients in third countries or international organizations;

(d) the planned period of time for which personal data will be stored or, failing that, the criteria used to determine that time;

(e) the existence of the right to require the controller to rectify or delete personal data relating to the data subject or to limit their processing or to object to such processing;

f) the right to file a complaint with the supervisory authority;

(g) any available information on the source of personal data, if not obtained from the data subject;

(h) the fact that there is automated decision-making, including profiling, as referred to in Article 22 (1) and (4), and at least in such cases meaningful information regarding the procedure used and the significance and implied consequences of such processing for the data subject.

2. Where personal data are transferred to a third country or international organization, the data subject shall have the right to be informed of the appropriate safeguards referred to in Article 46 which apply to the transfer.

3. The controller shall provide a copy of the personal data being processed. For additional copies at the request of the data subject, the controller may charge a reasonable fee based on administrative costs. If the data subject submits the application in electronic form, the information shall be provided in electronic form, which is commonly used, unless the data subject requests another.

4. The right to obtain the copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.

Article 16 Right to repair
The data subject has the right to have the administrator correct the inaccurate personal data relating to him without undue delay. Taking into account the processing purposes, the data subject has the right to complete incomplete personal data, including by providing an additional declaration.

Article 17 Right of cancellation (“right to be forgotten”)
1. The data subject shall have the right to have the data subject to the data subject’s personal data deleted by the controller without undue delay and the controller shall be obliged to delete the data without undue delay if one of the following reasons is given:

(a) personal data are no longer needed for the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on the basis of which the data referred to in Article 6 (1) (a) have been revoked. or Article 9 (2) (a) (a) processed, and there is no other legal ground for processing;

(c) the data subject objects to the processing referred to in Article 21 (1) and there are no overriding legitimate grounds for processing or the data subject objects to the processing referred to in Article 21 (2);

(d) personal data have been unlawfully processed;

(e) personal data must be erased to fulfill the legal obligation laid down in Union or Member State law applicable to the controller;

(f) personal data have been collected in connection with the supply of information society services pursuant to Article 8 (1).

2. Where the controller has disclosed personal data and is required to delete them under paragraph 1, it shall take reasonable steps, including technical measures, to take into account the technology available and the cost of implementation, to inform the controller who is processing that personal data, that the data subject requests them to deleted all references to such personal data, their copies or replication.

3. Paragraphs 1 and 2 shall not apply where processing is necessary:

(a) for exercising the right to freedom of expression and information;

(b) to fulfill a legal obligation requiring processing under Union or Member State law applicable to the controller, or to carry out a task performed in the public interest or in the exercise of official authority entrusted to it;

(c) for reasons of public interest in the field of public health, in accordance with Article 9 (2) (a); (h) and (i) and Article 9 (3);

(d) for the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes, in accordance with Article 89 (1), if the right referred to in paragraph 1 is likely to make or jeopardize the achievement of the objectives of that processing;

(e) to determine, exercise or defend legal claims.

Article 18 Right to Restrict Processing
1. The data subject shall have the right to have the controller restrict processing in any of the following cases:

(a) the data subject denies the accuracy of personal data for the time needed for the controller to verify the accuracy of the personal data;

(b) processing is illegal and the data subject refuses to delete personal data and asks instead to limit their use;

(c) the controller no longer needs personal data for processing purposes, but the data subject requires them to determine, exercise or defend legal claims;

(d) the data subject has objected to the processing referred to in Article 21 (1) until it has been verified that the legitimate reasons of the controller override the legitimate grounds of the data subject.

2. Where processing has been restricted in accordance with paragraph 1, such personal data may be processed, with the exception of their storage, only with the consent of the data subject, or for the purpose, exercise or defense of claims, for the protection of the rights of another natural or legal person or reasons of important public interest to the Union or a Member State.

3. The data subject who has reached the limit of processing under paragraph 1 shall be notified in advance by the controller that the processing restriction will be revoked.

Article 19 Reporting obligation to correct or delete personal data or limit processing
The controller shall notify individual recipients to whom personal data have been made of any rectification or deletion of personal data or restrictions on processing carried out in accordance with Articles 16, 17 (1) and 18, except where this proves impossible or requires disproportionate effort. The controller informs the data subject of these beneficiaries, if requested by the data subject.

Article 20 Right to data portability
1. The data subject shall have the right to obtain personal data concerning him which he has provided to the controller, in a structured, commonly used and machine-readable format, and the right to transmit such data to another controller, without the controller to whom the personal data has been provided; if:

(a) the processing is based on the consent referred to in Article 6 (1) (a); or Article 9 (2) (a) (a) or on the contract referred to in Article 6 (1) (a) or b); and

(b) processing is carried out automatically.

2. In exercising its right to data portability under paragraph 1, the data subject shall have the right to have personal data transmitted directly by one controller to another’s controller, where technically feasible.

3. The exercise of the right referred to in paragraph 1 of this Article shall be without prejudice to Article 17. This right shall not apply to the processing necessary for the performance of a task performed in the public interest or in the exercise of official authority entrusted to it.

4. The rights referred to in paragraph 1 shall not adversely affect the rights and freedoms of others.

Article 21 Right to object
1. The data subject shall, on grounds relating to his particular situation, have the right at any time to object to the processing of personal data concerning him on the basis of Article 6 (1) (a). (e) or (f), including profiling based on those provisions. The controller shall not process the personal data unless it proves serious legitimate reasons for processing that outweigh the interests or rights and freedoms of the data subject, or for the determination, exercise or defense of claims.

2. Where personal data are processed for direct marketing purposes, the data subject shall have the right at any time to object to the processing of personal data concerning him for such marketing, including profiling in respect of such direct marketing.

3. If the data subject objects to processing for direct marketing purposes, personal data will no longer be processed for that purpose.

4. The data subject shall be explicitly notified of the right referred to in paragraphs 1 and 2 and shall be clearly and separately identified from any other information at the latest at the time of first communication with the data subject.

5. In relation to the use of information society services and without prejudice to Directive 2002/58 / EC, the data subject may exercise his right to object by automated means using technical specifications.

6. Where personal data are processed for scientific or historical research or for statistical purposes under Article 89 (1), the data subject shall, for reasons relating to his particular situation, have the right to object to the processing of personal data concerning him or her , unless processing is necessary for the performance of a task performed for reasons of public interest.

Article 22 Automated individual decision making, including profiling
1. The data subject shall have the right not to be the subject of any decision based solely on automated processing, including profiling, which has legal effects or has a significant bearing on it.

2. Paragraph 1 shall not apply where the decision is: \ t

(a) necessary for the conclusion or performance of the contract between the data subject and the data controller;

(b) authorized by Union or Member State law applicable to the controller and which also provide for appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject; or

(c) based on the data subject’s explicit consent.

3. In the cases referred to in paragraph 2 (a): (a) and (c), the data controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, at least the right of human intervention by the controller, the right to express his opinion and the right to challenge the decision.

4. The decisions referred to in paragraph 2 shall not be based on the specific categories of personal data referred to in Article 9 (1), unless Article 9 (2) (a) applies. or (g) and appropriate arrangements are not in place to ensure the rights and freedoms and legitimate interests of the data subject.

Article 34 Reporting personal data breaches to the data subject
1. Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall notify the data subject without undue delay.

2. The notification to the data subject referred to in paragraph 1 of this Article, using clear and simple language means, shall describe the nature of the breach of personal data, indicating at least the information and measures referred to in Article 33 (3) (a). b), c) and d).

3. The data subject’s notification referred to in paragraph 1 shall not be required if any of the following conditions is met:

(a) the controller has put in place appropriate technical and organizational safeguards, and such measures have been applied to personal data affected by the breach of personal data, in particular those that render such data incomprehensible to anyone not entitled to access such data, such as encryption;

(b) the controller has taken follow-up measures to ensure that the high risk to the rights and freedoms of the data subjects referred to in paragraph 1 is no longer likely to occur;

(c) this would require a disproportionate effort. In such a case, the data subjects must be informed in an equally effective manner by means of a public notice or similar measure.

4. If the controller has not yet notified the data subject of the breach of the personal data breach, the supervisory authority may, after assessing the likelihood that the breach will result in a high risk, shall request it or may decide to comply with any of the conditions set out in paragraph 3.

This English version is a translation of the original Czech version. It is only of an informative nature. In the event of any discrepancy between the English and Czech versions, the Czech version takes precedence.