Privacy Policy

DATA MANAGEMENT INFORMATION

ON THE DATA SUBJECT RIGHTS

 ON THE MANAGEMENT OF PERSONAL DATA

 

 

TABLE OF CONTENTS

 

INTRODUCTION

CHAPTER I – THE DATA CONTROLLER

CHAPTER II – THE DATA PROCESSORS

  1. Hosting provider of our Company
  2. Package, mail and document delivery, freight and logistics

2.a Developer of bank card payment

2.b E-mail marketing system developer and operator

2.c Customer Relationship Management (CRM)

2.d Application development, application management, web development

2.e  Google G Suite service, full business application suite

CHAPTER III – ENSURING THE LAWFULNESS OF DATA PROCESSING

  1. Data processing with the consent of the data subject
  2. Data processing based on the fulfillment of legal obligation
  3. Facilitating data subject right

CHAPTER IV –   PROCESSING VISITOR DATA IN THE COMPANY’S WEBSITE – INFORMATION ON USING COOKIES

CHAPTER V – INFORMATION ON DATA SUBJECT RIGHTS

 

 

 

 

 

 

 

INTRODUCTION

 

EU law on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as Regulation) sets out that the Controller shall take appropriate measures to provide any information relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and the Controller shall facilitate the exercise of data subject rights. 

 

We comply with this statutory obligation with the information provided below.

 

The information shall be published on the company’s website or sent to the person concerned upon request.

 

CHAPTER I

THE DATA CONTROLLER

 

The publisher of this information, and the controller at the same time:

Commercial name: AIR24

Company name: SD Industrial Equipment Limited

Seat: 5 West Main Street, Cahersiveen, Co.Kerry, Ireland, V23 PR84

Company registry No.: 521926

Tax identification No.: IE1113339IH

Representative: Andrea Dobos

Phone: +353 1 903 6330

E-mail address: air24@air24.ie

Website: http://vacuumpump.ie, http://vacuumpumpspareparts.ie/

 

(hereinafter referred to as Company)

 

CHAPTER II

THE DATA PROCESSORS

 

Data processor: means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the Regulation)

 

The use of data processing does not need the prior consent of the data subject, but they must be informed. In line with the above, we provide the following information:

 

 

  1. Hosting provider of our Company

 

To maintain the Company’s website(s), we require a data processor, who provides  hosting services; in the frame of which their task is to store personal data on the server, in the duration of the contract.

 

The details of the data processors are as follows:

Company name: Irish Domains Ltd.

Seat: 15 Joyce’s Court, Talbot Street,  Dublin 1, Ireland

Company registry No.: 306799

Tax identification No.: IE6326799W

Phone: +353 01 8507010

Fax: +353 01 8170001

E-mail address: sales@irishdomains.com

Website: www.irishdomains.com

 

  1. Package, mail and document delivery, freight and logistics

 

These processors receive personal information (name, address, phone number, email address of the person concerned) from the Company for the delivery of the ordered product, and they deliver the product using these data.

 

Service providers:

 

Company name: An Post is a Designated Activity Company

Seat: General Post Office, O’Connor Street Lower, Dublin 1, DO1 F5P2

Company registry No.: 98788

Tax identification No.: N/A

Phone: +353 1 7057600

 

Company name: Lando Hungária Kft.

Seat: 1046 Budapest, Kiss Ernő utca 3/A

Company registry No.:

Tax identification No.: 12865088-2-41

Phone: +36 1 231-0956

 

Company name: Gebrüder Weiss Kft.

Seat: 2330 Dunaharaszti, Raktár u. 2.

Company registry No.: 13-09-060856

Tax identification No.: 10323292-2-44

Phone: +36 24 506 700

 

Company name: Gebrüder Weiss s.r.o

Seat: 90301 Senec, Dial’nicá cesta 20, Slovakia

Company registry No.: 31341381

Tax identification No.: SK2020328948

Phone: +421 233066557

 

Company name: TNT Express (Ireland) Limited

Seat: Dublin 24, Unit 1 Belgard Ind. Est. Mayberry Road

Company registry No.: 74547

Tax identification No.: IE4599861K

Phone: +353 1 1 806 7888

 

Company name: DHL Express Ireland Ltd

Seat: Unit 3 Elm Road, Dublin Airport Logistics Park, St. Margarets Road St. Margarets, Co Dublin, Ireland

Company registry No.: N/A

Tax identification No.: IE4799587H

Phone: +353 818221188

 

Company name: Federal Express Europe INC.

Seat: PO Box 119 Coventry, CV1 4QD United Kingdom

Company registry No.: N/A

Tax identification No.: IE95071461

Phone: 1-800-535-800

 

Company name: General Logistics Systems Ireland Ltd.

Seat: Dublin 11, Unit 1 Stadium Business Park, Ballycoolin Road, Ireland

Company registry No.: 31843

Tax identification No.: IE183141434E

Phone: +353 1 8606200

 

Company name: Smartway Europe Limited

Seat: Covent Garden, London WC2H 9JQ, United Kingdom

Company registry No.: 08898147

Tax identification No.: N/A

Phone: N/A

 

Company name: Snapparcel part of Titan Logistics

Seat: Shannon Industrial Estate Co. Clare, Ireland

Company registry No.: N/A

Tax identification No.: N/A

Phone: +353 61 775 222

 

Company name: ComGate s.r.o

Seat: Nádrazná 1958, Ivanka pri Dunaji 90028

Company registry No.: 44465009

Tax identification No.: SK2022721525

Phone: + 421 917 525 072

 

Company name: ComGate a.s.

Seat: Jankovcova 1596/14a, Prága 7, 17000, Csehország

Company registry No.: 26508842

Tax identification No.: CZ26508842

Phone: +420 495 855 474

 

Company name: Pneumofore SPA

Seat: Via N. Bruno 34, 10098 Rivoli (TO) Italy

Company registry No.: 66626

Tax identification No.: IT00499530012

Phone: +39 011 950 40 30

 

Company name: Thyracont Vacuum Instruments GmbH

Seat: Max-Emanuel Str. 10, 94036 Passau, Germany

Company registry No.: HRB4409

Tax identification No.: DE130961148

Phone: +49 851 95986 28

 

2.a Developer of bank card payment

 

These processors receive personal information (name, email address of the person concerned) from the Company required for the payment obligation of the customer, and with these data they perform the collection of the counter value of the product paid with card through an external gateway, by sending an email link to the customer.

 

Service provider:

 

Company name: Pay2Sender C/O Púca Technologies Ltd

Seat: 8 Castlewood Place, Rathmines Dublin 6

Company registry No.: 299073

Tax identification No.: N/A

Phone: +353 1 499 5090

 

2.b  E-mail marketing system developer and operator

 

In this data processing system, our Company’s customer contact data is recorded (name, email address) in order to send advertising, direct email, and to gain business profit. The system works via SSL channel through https:// connection. SSL certificates authenticate the servers they use, their encryption secures the communication between the two sides.

 

Service provider:

 

Company name: MailChimp ™ by The Rocket Science Group LLC 

Seat: 675 Ponce de Leon Ave NE, Suit 5000, Atlanta GA 30308 USA

Company registry No.: N/A

Tax identification No.: N/A

Phone: N/A

 

2.c  Customer Relationship Management (CRM)

 

In this data processing system, our Company’s customer contact data is recorded (name, address(es), company name, phone number, tax identification number, email address) in order to gain business profit. The system works via SSL channel through https:// connection. SSL certificates authenticate the servers they use, their encryption secures the communication between the two sides.

 

Service provider:

 

Company name: Insightly.com

Seat: 680 Folsom St. 550 San Francisco, CA94107 USA

Company registry No.: N/A

Tax identification No.: N/A

Phone: +1 888 999 4039

 

Company name: MiniCRM Zrt.

Seat: 1075 Budapest, Madách Imre út 13-14.

Company registry No.: 01-10-047449

Tax identification No.: HU23982273

Phone: +36 (1) 999-0402

 

2.d  Application development, application management, web development

 

In this data processing system, our Company’s customer contact data is recorded (name, address(es), company name, phone number, tax identification number, email address) in order to gain business profit. The developer is not authorized to access the data.

 

Company name: Hunity Kft.

Seat: 2700 Cegléd, Jókai utca 27

Company registry No.: 13-09-166734

Tax identification No.: HU24749400

Ph: +36 30 300 88 96

 

Company name: Dupplak Kft.

Seat: 3327 Novaj, Bajcsy-Zs. u. 2/a

Company registry No.: N/A

Tax identification No.: N/A

Phone: N/A

 

2.e  Google G Suite service, full business application suite

 

In this data processing system, the Company performs emailing and data storage. The developer is not authorized to access the data. The system works via SSL channel through https:// connection. SSL certificates authenticate the servers they use, their encryption secures the communication between the two sides.

 

Google Ireland Limited

 

Company name: Google Ireland Limited

Seat: Gordon House, Barrow Street, Dublin 4, Ireland

Company registry No.: N/A

Tax identification No.: IE6388047V

Phone: N/A

 

 

 

 

CHAPTER III

ENSURING THE LAWFULNESS OF DATA PROCESSING

 

  1. Data processing with the consent of the data subject

 

(1) If the Company wishes to perform consent-based management of the data, the consent of the data subject to processing their personal data shall be requested with a data request form, of which content and the provided information must comply with data processing regulations.

 

(2) It constitutes a contribution if checking the relevant box when viewing the website of the Company concerned, setting technical adjustments when using information society services, or any other statement or action which, in the given context, clearly indicates the consent of the data subject to the intended treatment of their personal data. Silence, the pre-checked box or non-action is therefore not a consent. 

 

(3) The contribution covers all data processing activities for the same purpose or purposes. If data processing serves multiple purposes at a time, the consent must be given for all data processing purposes.

 

(4) If the data subject gives consent in a written statement that applies to other matters (e.g. conclusion of a sales, service contract), the request for consent must be presented in a clearly distinct manner in an understandable and easily accessible form using clear and simple language. If any part of such a declaration containing the consent of the data subject violates the Regulation, it shall not have binding force.

 

(5) The Company shall not stipulate the provision of concluding a contract or its performance to the condition of consent to processing personal data that is not necessary for the performance of the contract.

 

(6) The withdrawal of the consent must be allowed in the same simple way as the granting of the consent.

 

(7) If the personal data was collected with the consent of the data subject, the data controller may process the data recorded in the absence of a different legal provision without the need for a separate legal consent to fulfill its legal obligation, even after the withdrawal of the consent of the data subject.

 

  1. Data processing based on the fulfillment of legal obligation

 

 

(1) In the case of data processing based on legal obligation, the provisions of the underlying act shall govern the scope of the processed data, the purpose of data processing, the duration of the data storage and the recipients.

(2) Data processing based on the fulfillment of a legal obligation is independent of the consent of the data subject, as data processing is regulated by law. In this case the data subject shall be notified prior to data processing that the data processing is mandatory; and the data subject shall be provided clear and comprehensive information prior to data processing on all facts related to the processing of their data, in particular the purpose and legal ground of the data processing, the identity of the person authorized to data processing and control, the duration of data processing, the fact that the data processing complies with the relevant provisions, and who may know these data. The information should also contain the rights and remedies available to the data subject in question. In the case of mandatory data processing, information may also be disclosed by making public the reference to the legal provisions containing the foregoing information.

 

  1. Facilitating data subject rights

    In all data processing activities, the Company is obliged to ensure the exercise of the rights of the data subject.

  2. Information on processing data of customers, contracting parties, contact
    persons

(1) The Company shall process the name, address, tax number, tax ID, ID number
of entrepreneur, primary producer, address of the seat, establishment, telephone
number, e-mail address, website address, bank account number, client number
(customer number, order number), online identifier (list of buyers, suppliers,
purchase order lists) of a natural person contracted as a purchaser or supplier for
concluding, performance, cessation of the contract, or granting discounts. This data
processing is considered legitimate even if the data processing is necessary before
the contract is concluded to take action on the request of the person concerned. The
recipient of the personal data: the employees of the Company carrying out tasks in
connection with customer service, accounting, taxation, marketing, and data
processors. Storage period of personal data: 5 years following the cessation of the
contract.
(2) The legal basis for processing a natural person's contractual personal data for
accounting and taxation is a legal obligation; the duration of data storage is 8 years.
(3) The Company shall process the personal data, address, e-mail address, phone
number, online ID, provided in the contract, of the natural person acting on behalf of
the contracting legal entity (signing the contract) by virtue of a legitimate interest for
purposes of communication, the exercise of rights and obligations arising under the
contract. Storage period of these data: 5 years following the cessation of the
contract. In the case of data protection based on legitimate interest, the person
concerned has the right to object to data processing.
(4) The Company shall process the name, address, phone number, e-mail address,
online ID of the natural person appointed as contact person in the contract (not
signing the contract) by virtue of a legitimate interest for purposes of the exercise of
rights and obligations arising under the contract, with regard to the fact that the
contact person is employed by the contracting party; therefore the rights of the
person concerned are not affected negatively. The contracting party declares that
the contact person concerned has been informed of the data processing related to
the position of the contact person. Storage period of these data: 5 years following the
cessation of the contact person position.
(5) The recipient of the personal data in all relevant aspects: general manager of
the Company, and the employees and contact persons carrying out tasks in
connection with customer service, accounting, taxation, and data processors.
(6) The personal data may be transferred for processing to the accounting firm
acting on behalf of the Company for the purpose of taxation, accounting; to An Post
for the purpose of mailing and shipping; and to a courier service commissioned by
the Company.
(7) Data processing is considered legitimate if it is required under a contract or a
contractual intention (Preamble 44), if the data processing is necessary before the
contract is concluded to take action on the request of the person concerned (Section
(1) b/ of Article 6). Thus, as legal grounds of the performance of the contract,
personal data collected under contract offers can be processed as described in this
point. When submitting or receiving an offer, the Company must inform the tenderer
or the recipient of the offer.

 

CHAPTER IV

PROCESSING VISITOR DATA IN THE COMPANY’S WEBSITE – INFORMATION ON USING COOKIES

 

  1. The visitor of the website must be informed of the use of cookies on the website, and consent must be sought.

 

  1. General information on cookies

 

2.1. The cookie is data sent to the visitor’s browser by the visited website (in variable name-value form) to store it, and later the same website can load its contents. Cookies may expire, they may be valid until closing the browser, or even for an unlimited period of time.  Later these data will be sent to the server by the browser in all HTTP(S) requests. Thus the data on the user’s computer is modified.

 

2.2. Due to the nature of web services, the purpose of cookies is designed to remember a user (e.g. entering a page) and handle them accordingly. The danger lies in the fact that this user is not always aware of this, and cookies enable tracking the user by the website operator or other service providers whose content is built into the site (e.g. Facebook, Google Analytics, AdWords), and to create a profile; in which case the content of the cookies can be considered personal data.

 

2.3. Types of cookies:

2.3.1. Technically indispensable session cookies: the page would not work functionally without these; they are used to identify the user, for instance, these are needed to check if the user signed in, what is in their basket, etc. This typically stores a session-id; other data is stored on the server, as it is safer. There is a security aspect when the session cookie value is not correctly generated, there is a risk of session hijacking; therefore it is critical that these values are generated correctly. In other terminology a session cookie means cookies that are deleted when closing the browser (a session is browser usage from start to exit).

2.3.2. Cookies assisting use: cookies that remember user choices, for example, in what form the page should be displayed. These are basically cookies storing settings.

2.3.3. Cookies assisting performance: although they do not have much to do with ‘performance’, they usually call cookies that gather information about the user’s behavior, time spent and clicks on the site they visit. These are typically applications of a third party (e.g. Google Analytics, AdWords, Yandex.ru), and are capable of creating profiles of users.

More information on Google Analytics cookies:

https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

More information on Google AdWords cookies:

https://support.google.com/adwords/answer/2407785?hl=hu

 

2.4. It is not mandatory to accept or permit the use of cookies.  You can reset your browser settings to reject all cookies or to indicate when a cookie is just being sent.  Most browsers accept cookies automatically as default, but the settings can usually be changed to prevent automatic acceptance and offer options every time.

You can find more information on the cookie settings of the most frequently used browsers
• Google Chrome: https://support.google.com/accounts/answer/61416?hl=hu
• Firefox: https://support.mozilla.org/hu/kb/sutik-engedelyezese-es-tiltasa-amit-weboldak-haszn
• Microsoft Internet Explorer 11: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-11
• Microsoft Internet Explorer 10: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-10-win-7
• Microsoft Internet Explorer 9: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-9
• Microsoft Internet Explorer 8: http://windows.microsoft.com/hu-hu/internet-explorer/delete-manage-cookies#ie=ie-8
• Microsoft Edge: http://windows.microsoft.com/hu-hu/windows-10/edge-privacy-faq
• Safari: https://support.apple.com/hu-hu/HT201265

However, please note that certain website functions or services may not work properly without cookies.

 

  1. Information on cookies in the Company’s website:

 

3.1. Data used by cookies:  The Company’s website records and processes the following information about the visitor and the device they use for browsing:
• the visitor’s IP address,
• the type of browser,
• operation system settings of the device used for browsing (language settings),
• the time of visit,
• the visited (sub)page, function or service,

  • clicks.

 

3.2. Cookies used in the homepage

 

3.2.1. Technically indispensable session cookies

Purpose of the data processing: ensuring the proper functioning of the website. These cookies are required for visitors to browse the website, to smoothly and fully use its functions and the services available through the website, therefore, among others, but in particular, remember users’ operations during the visit. The duration of these cookies’ data processing is limited to the visitor’s current visit; they are automatically deleted at the end of the session or when closing the browser.

Data processed: AVChatUserId, JSESSIONID, portal_referer.

If the other conditions are identical, the service provider shall choose and always operate the tools used to provide the service related to information society in a way that personal data shall only be processed if this is strictly necessary for the provision of the service and for the fulfillment of other purposes specified in this Act, but even in this case only to the extent and time necessary.

 

3.2.1. Cookies assisting use:

These cookies remember user choices, for example, in what form the page should be displayed. These are basically cookies storing settings.

The legal basis for data processing is the visitor’s consent.

Purpose of the data processing: To improve efficiency of service, increase user experience, and easier use of the website.

 

3.2.2. Cookies assisting performance:

They usually gather information about the user’s behavior, time spent and clicks on the site they visit. These are typically applications of a third party (e.g. Google Analytics, AdWords).

The legal basis for data management: the consent of the data subject.

Purpose of the data processing: analyzing the website, sending advertisements.

 

 

 

CHAPTER V

INFORMATION ON DATA SUBJECT RIGHTS

 

  1. Brief summary of data subject rights:
  2. Transparent information, communication and facilitation of the exercise of data subject rights
  3. Right of prior information – if personal data is collected from the data subject
  4. Notifying the data subject and the information to be made available, if the data controller received the personal data from a different source other than the data subject
  5. The right of access of the data subject
  6. The right to rectification
  7. The right to erasure (“the right to be forgotten”)
  8. The right to the restriction of processing
  9. Notification obligation regarding rectification or erasure of personal data or restriction of processing
  10. The right to data portability
  11. The right to protest
  12. Automated individual decision-making, including profiling
  13. Restrictions
  14. Communication of a personal data breach to the data subject
  15. The right to lodge a complaint with a supervisory authority (right to appeal)
  16. The right to effective judicial remedy against a supervisory authority
  17. The right to an effective remedy against data controller or data processor

 

  1. The data subject rights in detail:

 

  1. Transparent information, communication and facilitation of the exercise of data subject rights

 

1.1. The data controller shall provide the data subject with all information and notification on the management of personal data in a concise, transparent, comprehensible and easily accessible form, in a clear and unambiguous manner, in particular for any information addressed to children. The information shall be provided in writing or otherwise, including, where appropriate, electronically. Oral information may be provided at the request of the data subject, provided that the identity of the data subject has been verified otherwise.

1.2. The data controller shall facilitate the exercise of the data subject rights.

 

1.3. The data controller shall inform the data subject of undue delay, but in any event within one month of the receipt of the request, of the measures taken on their application for the exercise of the rights. This time limit may be extended by two additional months under the terms of the Regulation, of which the data subject shall be informed.

 

1.4. If the data controller fails to take measures in response to the request, they shall inform the data subject without delay and within one month of the receipt of the request, about the reasons of non-action, and whether they may file a complaint with a supervisory authority and exercise the right of judicial remedy.

 

1.5. The data controller shall provide the user the information and notification of their rights free of charge, but fees may apply in the cases described in the Regulation.

 

The detailed regulations can be found in Article 12 of the Regulation.

 

  1. Right of prior information – if personal data is collected from the data subject

 

2.1. The data subject has the right to be informed about the facts and information related to data processing prior to commencing the processing of data.  The data subject must be informed about:

  1. a) the name and contact details of the data controller and their representative,
  2. b) the contact details of the Data Protection Officer (if any),
  3. c) the purpose of the planned management of personal data and the legal basis for the data management,
  4. d) the legitimate interests of the data controller or third party, in the case of data management based on the validation of a legitimate interest,
  5. e) the addressees of the personal data, with whom the personal data are communicated, and the categories of the recipients, if any;
  6. f) where appropriate, the fact that the data controller intends to transmit personal data to a third country or an international organization.

 

2.2. In order to ensure fair and transparent data management, the data controller must inform the data subject of the following additional information:

  1. a) the duration of the storage of personal data or, where this is not possible, the criteria for determining that period;
  2. b) the right of the data subject to request access to, rectification, erasure or management restriction of the personal data of the data controller and to object to the handling of such personal data and the right of the data subject to data portability;
  3. c) in the case of data processing based on the consent of the data subject, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  4. d) the possibility of lodging a complaint with a supervisory authority or seeking a judicial remedy;
  5. e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data, and of the possible consequences of failure to provide such data;
  6. f) the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

 

2.3. If the data controller intends to perform further data processing for personal purposes other than the purpose of their collection, they must inform the data subject about the different purpose and all relevant additional information prior to the further data processing.

 

 The detailed regulations of the right of prior information are set out in Article 13 of the Regulation.

 

  1. Information to the data subject and information to be made available if the data controller has not obtained the personal data from the data subject

 

3.1. If the data controller has not obtained the personal data from the data subject, it must inform the data subject about information referred to in section 2 above, the categories of personal data concerned, the source of personal data and, where applicable, the fact that the data comes from publicly available sources within no more than one month after the personal data has been obtained; or at least when contacting the data subject for the first time where personal data are used for contact with the data subject; or at the first disclosure if the personal data is expected to transmitted to other recipients.

 

3.2. As for further rules, the regulations referred to in section 2 (Right of prior information) prevail.

 

The detailed regulations of this information material are set out in Article 14 of the Regulation.

 

  1. The right of access of the data subject

 

4.1. The data subject has the right to be informed by the data controller about whether their personal data is being processed and, if yes, they have the right to gain access to the personal data and the related information referred to in sections 2-3. (Article 15 of the Regulation.)

 

4.2. If the personal data is transmitted to a third country or an international organization, the data subject has the right to be informed about the appropriate guarantees provided for in Article 46 of the Regulation.

 

4.3. The data controller shall provide the data subject with a copy of the personal data that is subject to data management. For additional copies requested by the data subject, the data controller may charge a reasonable fee based on administrative costs. 

 

The detailed regulations on the right of access can be found in Article 15 of the Regulation.

 

  1. The right to rectification

 

5.1. The data subject shall have the right to request the rectification of any inaccurate personal data and the data controller shall rectify them without undue delay.

 

5.2. Taking into account the purpose of data processing, the data subject has the right to request supplementing incomplete personal data, among others by means of a supplementary statement.

 

The rules are set out in Article 16 of the Regulation.

 

  1. The right to erasure (“the right to be forgotten”)

 

6.1. The data subject shall have the right to request the erasure of any personal data related to the data subject, and the data controller shall erase the relevant personal data without undue delay, if

  1. a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. b) the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
  3. c) data subject objects to the data processing, and there are no overriding legitimate grounds for the processing;
  4. d) the personal data have been unlawfully processed;
  5. e) the personal data have to be erased for compliance with a legal obligation in the Union or Member State law to which the controller is subject;
  6. f) the personal data have been collected in connection with services related to information society offered directly to children.

 

6.2. The right to erasure cannot be applied if the data processing is required

  1. a) for exercising the right of freedom of expression and information;
  2. b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. c) for reasons of public interest in the area of public health;
  4. d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, if the right to erasure would probably make it impossible or it would seriously jeopardize this data processing; or
  5. e) for the establishment, exercise or defense of legal claims.

 

The detailed regulations on the right of erasure can be found in Article 17 of the Regulation.

 

  1. The right to the restriction of data processing

 

7.1. In the case of restriction of data processing, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

 

7.2. The data subject shall have the right to request the restriction of data processing by the data controller if one of the following conditions is met:

  1. a) the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data;
  2. b) the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead;
  3. c) the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or
  4. d) data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.

 

7.3. The data subject must be informed in advance of the discontinuation of the data processing.

 

The relevant rules are set out in Article 18 of the Regulation.

 

  1. Notification obligation regarding rectification or erasure of personal data or restriction of processing

The data controller shall communicate any rectification or erasure of personal data or restriction of processing carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.

 

The rules are set out in Article 19 of the Regulation.

 

  1. The right to data portability

 

9.1. The data subject shall have the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where

  1. a) the processing is based on the data subject’s consent or on a contract concluded by them; and
  2. b) the processing is carried out by automated means.

 

9.2. The data subject may also request the direct transfer of personal data between data controllers.

 

9.3. The exercise of the right to data portability shall be without prejudice to Article 17 of the Regulation. (The right to erasure (“the right to be forgotten”). The right to data portability shall not be exercised in cases where data processing is carried out in the public interest or is required to carry out a task in the exercise of official authority vested in the controller. This right shall not prejudice the rights and freedoms of others.

 

The detailed regulations can be found in Article 20 of the Regulation.

 

  1. The right to protest

 

10.1. The data subject shall have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on exercising public interest duties or legitimate interest ((e) or (f) of Article 6(1), respectively), including profiling based on those provisions. In that case, the controller is no longer allowed to process the personal data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

10.2. Where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing, including profiling to the extent that it is related to such direct marketing.  If the data subject objects to the processing for direct marketing purposes, the personal data is no longer allowed to be processed for such purposes.

10.3. At the latest at the time of the first communication with the data subject, the right shall be explicitly brought to the attention of the data subject, and shall be presented clearly and separately from any other information

10.4. The data subject may exercise their right to object by automated means using technical specifications.

10.5. Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to their particular situation, shall have the right to object to processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

 

The relevant rules are set out in Article of the Regulation.

 

  1. Automated individual decision-making, including profiling

 

11.1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.

 

11.2. This right shall not apply if the decision:

  1. a) is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  2. b) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  3. c) is based on the data subject’s explicit consent.

 

11.3. In the cases referred to in points a) and c) above, the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express their point of view and to contest the decision.

 

Further rules are set out in Article 22 of the Regulation.

 

  1. Restrictions

 

Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights (Articles 12 to 22, Article 34, and Article 5 of the Regulation), when such a restriction respects the essence of the fundamental rights and freedoms.

 

The conditions of this restriction are set out in Article 23 of the Regulation.

 

  1. Communication of a personal data breach to the data subject

 

13.1. Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay. The communication to the data subject shall describe the nature of the personal data breach in a clear and understandable manner, and contain at least the following information:

 

  1. a) the identity and contact details of the Data Protection Officer and other contact persons;
  2. c) possible adverse effects of the personal data breach;
  3. d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

 

13.2. The communication to the data subject shall not be required if any of the following conditions are met:

  1. a) the controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
  2. b) the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize;
  3. c) communication would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

 

Further rules are set out in Article 34 of the Regulation.

 

  1. The right to lodge a complaint with a supervisory authority (right to appeal)

 

The data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to them infringes the Regulation.  The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy.

 

The rules are set out in Article 77 of the Regulation.

 

  1. The right to effective judicial remedy against a supervisory authority

 

15.1. Without prejudice to any other administrative or non-judicial remedy, each natural or legal person shall have the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them.

 

15.2. Without prejudice to any other administrative or non-judicial remedy, each data subject shall have the right to an effective judicial remedy where the supervisory authority which is competent does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged.

 

15.3. Proceedings against a supervisory authority shall be brought before the courts of the Member State where the supervisory authority is established.

 

15.4. Where proceedings are brought against a decision of a supervisory authority which was preceded by an opinion or a decision of the Board in the consistency mechanism, the supervisory authority shall forward that opinion or decision to the court.

 

The rules are set out in Article 78 of the Regulation.

 

  1. The right to an effective remedy against data controller or data processor

 

16.1. Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, each data subject shall have the right to an effective judicial remedy where they consider that their rights under this Regulation have been infringed as a result of the processing of their personal data in non-compliance with this Regulation.

 

16.2. Proceedings against a controller or a processor shall be brought before the courts of the Member State where the controller or processor has an establishment. Such proceedings may be brought before the courts of the Member State where the data subject has their habitual residence, unless the controller or processor is a public authority of a Member State acting in the exercise of its public powers.

 

Data Protection Commissioner
Address: Canal House, Station Road, Portarlington,R32 AP23 Co. Laois, Ireland
Phone: +353 57 8684800
Fax: +353 57 868 4757
Lo Call Number: 1890 252 231
Email: info@dataprotection.ie

 

The rules are set out in Article 79 of the Regulation.

 

Dublin, 25 May 2018

 

 

 

_________________________