10 tips on how to exercise the rights guaranteed by the GDPR

Based on the experience of the first six months of the application of the GDPR, the Personal Data Protection Office prepared 10 tips on how to use the rights guaranteed by the Regulation.

1. You have the right to know what will happen with your data

You should know who is processing your personal data, on what basis and why. The company or institution that has obtained your data should inform you about it. The company is also obliged to indicate your GDPR rights. You have, among others, the right to: access to your data, rectification, erasure, limitation of processing, portability, objection, and to be informed about automated decision making, including profiling. In performing the information obligation, the controller must indicate how long he or she will store your data and provide the contact details of the Data Protection Officer (DPO), if a DPO has been designated.

2. You have the right to withdraw your consent at any time

If the informed and free consent you have given is the basis for the processing of your data, you have the right to withdraw it at any time, and this must not result in any negative consequences for you (e.g. increasing the service fee). Remember that withdrawing consent should be as easy as giving it.

3. You should be informed in an easy way

All information provided to you regarding the processing of your data should be formulated in clear and simple language that you will understand. This also applies to information related to the use of Internet services or mobile applications. If you do not understand it, or do not understand it well enough, ask the controller to provide additional explanations.

4. You do not always have the right to be forgotten

Although the GDPR has granted you the right to be forgotten (data deletion), remember that it is not unconditional. You can request its implementation, e.g. when: the data have become unnecessary for the intended purposes, the data have been processed unlawfully or you have withdrawn your consent and there is no other legal basis for their use.

Remember that you do not have the right to be forgotten in every situation. This is the case when a given entity (e.g. a school, a commune or a clinic) must use your data to fulfil a legal obligation imposed on it.

5. You have the right to information about your data breaches

Data leaks, data loss or the sharing of data with unauthorized persons do happen. If such an event poses a serious threat to you, do not be surprised that the controller informs you about it: this is his or her obligation. Follow his or her instructions to minimize the threat. Sometimes, e.g. changing the password in the Internet system or putting a hold on the documents will allow you to protect your data and avoid, e.g., identity theft and the related consequences, such as loans being incurred on your behalf. If in doubt, contact the controller or the Data Protection Officer designated by the controller. They should help you in this situation.

6. If you object to the processing of your data - marketing cannot be carried out

If your data is used for marketing purposes, so as to present you with offers of goods or services, you can object to this processing at any time. If you do this, your data may no longer be used for such purposes.

7. Protect children from dishonest practices

If you are a parent or a legal guardian of a person under the age of 16, remember that when she or he uses the so-called information society services (provided electronically), e.g. social networks, applications or games, you decide on the consent to the processing of personal data. This is important, because children are often less aware of the risks and consequences of the processing of their personal data. The GDPR indicates that special protection should be provided to them when their data is used for marketing purposes or for the creation of personal profiles. Pay attention to whether the messages addressed to them by the controller are formulated in language that they are able to understand.

8. Ask the controller to exercise your rights

If you think that someone is handling your data incorrectly, first contact him or her, or the appointed DPO, and ask for clarification or fulfilment of your request, e.g. rectification of data, notification of objection, erasure of data.

9. You can claim damages before a court

Remember! If the entity in possession of your data uses it contrary to the GDPR rules and you have suffered material or non-material damage, you can claim damages from this entity by initiating proceedings before a court. You have the right to do so regardless of whether you intend to file a complaint to the President of the Personal Data Protection Office.

10. You have the right to file a complaint to the President of the Personal Data Protection Office

Regardless of the above-mentioned rights, you can also file a complaint to the President of the Personal Data Protection Office. Remember that, for the complaint to be effective, you must indicate your name and address of residence. Please also provide the full name / surname and the address of the registered office / residence, as well as the name of the person you are complaining about, and describe the violation thoroughly. Specify what actions you expect from the President of the Personal Data Protection Office. Also, do not forget about the signature! Detailed information about filing complaints is available on the website of the office www.uodo.gov.pl in the "Complaints" section.