Benefity.cz - Exercise of data subject rights

Exercise of data subject rights

We have an obligation to assist data subjects in exercising their rights; therefore, we may be contacted in that regard through various means (in person, by mail, email, phone or data box). Our contact details for all those methods are provided in the section related to the Controller. As we have a duty to verify the identity of data subjects when processing their application, some methods of exercising your rights are more suitable than others. The following are the ideal ways of exercising rights in order to save time for ourselves as well as data subjects:

  • Sending a letter to the Controller’s address containing the data subject’s officially authenticated signature
  • Sending an email to the Controller’s email address signed using the data subject's authenticated electronic signature
  • Sending a data message to the Controller’s data box
  • Personally at a pre-arranged appointment

In order for us to be able to deal with applications of data subjects in a timely and proper manner the following must be clear from an application:

  • Who it is being submitted by (the applicant’s name and surname, date of birth and address)
  • What kind of right is exercised through the application (a description or a reference to the relevant article of the GDPR)
  • What kind of claim, and possibly why, the data subject is making (described in detail below with each right)
  • In what manner the data subject would like to receive the reply (by mail, email or phone, into a data box)
  • Contact details of the data subject (phone, email) in case we have any additional questions

We have an obligation to process applications free of charge; however, if an application is apparently illegitimate or unreasonable, particularly due to repetition, we have the right to be paid a reasonable fee reflecting the administrative cost related to the provision of the information required or a statement or the conducting of the steps required, and to reject an application.

We shall respond to an application within one month of receipt.

EXERCISE OF INDIVIDUAL RIGHTS IN DETAIL

Right of access

Data subjects have the right to demand confirmation from us as to whether we process their personal data and be provided with the overview of such data. Additionally, they have the right to be provided with the following information in relation to the processing of their personal data:

  • Purposes of their personal data processing
  • The category of personal data in question
  • Recipients or the categories of recipients which have been or will be provided with their personal data (particularly recipients from countries outside of the EU and the EEA or international organizations)
  • Envisaged retention period of their personal data
  • Existence of the right to demand from us rectification or erasure of their personal data, the right of restricting their processing or the right to object to their processing
  • The right of complaint to the supervisory authority
  • All available information regarding the source of personal data if such data are not obtained directly from the data subject
  • The fact that automated decision-making is applied and information related thereto

If the above is not clear from an application, we may ask the data subject to specify in detail which of their personal data the application is related to.

If data subjects would like to have a copy of their personal data we process, they have the right to be provided with it, and the first instance of such provision is free of charge. We may charge a reasonable fee for any further copies, which will not exceed the necessary cost of providing such information. The exercise of this right shall not adversely affect the rights and freedoms of other persons.

Right to rectification

The data subject has the right to demand rectification of their personal data we process which are incorrect or inaccurate. You only need to let us know which data should be rectified and how. We will do so without undue delay.

Data subjects shall also have the right to demand that we complete their personal data we process and which is incomplete as instructed by the data subject. We will comply with that demand provided that the personal data to be completed is actually needed for the purposes of such processing.

If we are requested to do so by data subjects within the scope of their exercise of this right, we will provide them with information on the recipients to whom their personal data has been disclosed and whom we have notified of the requested rectification or completion of their personal data.

Right to erasure (“right to be forgotten”)

Data subjects have the right to demand that we erase their personal data in the following events:

  • The data subject is of the opinion that we no longer need their personal data for the purposes it was collected or otherwise processed
  • The data subject withdraws consent on which the processing on our part is based, and is of the opinion that there is no longer any legal ground for the processing
  • The data subject objects to the processing on our part based on our legitimate grounds for the processing, and is of the opinion that we no longer have any overriding legitimate grounds for the processing
  • The data subject objects to the processing on our part for the purposes of direct marketing
  • The data subject is of the opinion we process their personal data unlawfully
  • The data subject is of the opinion that we are bound by the duty to erase their personal data stipulated by the laws of the European Union or an EU member state
  • The data subject is an under-age child whose personal data was collected with their consent in relation to the offer of information society services

Whilst exercising this right data subjects must specify in their applications which of the above cases their request for erasure is based on and which personal data exactly they want to have erased. Applications should also be duly justified; otherwise they cannot be complied with.

If we find an application justified and the processing of the data subject’s personal data is not necessary

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation requiring processing under the laws of the European Union or an EU member state applicable to us, or perform a task carried out in the public interest or in the exercise of official authority we are entrusted with
  • for public health purposes in the public interest
  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
  • for the establishment, exercise or defence of legal claims,

we will erase the personal data as requested without undue delay.

If we have disclosed personal data and subsequently erased it within the scope of the exercise of the right to erasure, we have a duty, taking into account technology available and the cost of performance thereof including technical measures, to inform the controllers processing such personal data that they are also required to erase any links to the personal data and their copies or replications.

If we are requested to do so by data subjects within the scope of their exercise of this right, we will provide them with information on the recipients to whom their personal data has been disclosed and whom we have notified of the requested erasure of their personal data.

Right to restrict processing

Restriction of personal data processing means the indication of such data and the termination of all of its processing except storage. In other words, the controller shall continue to keep the data whose processing is restricted – i.e. it cannot be erased, but at the same time shall have no right to use such personal data in any manner.

Data subjects have the right to demand that we restrict their personal data processing in the following events:

  • the accuracy of the personal data is contested by the data subject
  • the data subject is of the opinion that the processing is unlawful, but opposes the erasure of the personal data and requests the restriction of their use instead
  • we no longer need the personal data for the purposes of the processing (and should therefore erase it), but it is required by the data subject for the establishment, exercise or defence of legal claims
  • the data subject has objected to the processing of their personal data pursuant to pending our decision whether we have legitimate grounds for such processing

Whilst exercising this right data subjects must specify in their applications which of the above cases their request for restriction of data processing is based on and the processing of which personal data exactly they want to restrict. Applications should also be duly justified; otherwise they cannot be complied with.

If we find an application justified, we will restrict the processing of the requested personal data without undue delay. For the duration of such restriction we have the right to process such personal data only with the data subject’s consent, or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of an EU member state.

If reasons for the restriction of personal data processing cease to exist, we will inform the data subject about this and subsequently terminate such processing restriction.

If we are requested to do so by data subjects within the scope of their exercise of this right, we will provide them with information on the recipients to whom their personal data has been disclosed and whom we have notified of the requested restriction of processing of their personal data.

Right to data portability

If we process personal data based on consent provided by data subjects or on a contract with data subjects, and the processing is conducted by automated means (not manually), data subjects have the right to request from us to be provided with (or be allowed to download) the personal data they provided us with, in a structured, commonly used and machine-readable format, and have the right to request that such personal data be transmitted directly to another controller.

We will comply with the request for transmission of the data subject’s personal data directly to another controller only if it is technically possible.

Whilst exercising this right data subjects must state in their applications which personal data the application concerns, whether they wish for the personal data to be provided only to the data subject or directly to another controller, and the means through which they would prefer us to do it. Without this information such applications cannot be complied with.

The exercise of this right shall not adversely affect the rights and liberties of other persons. If this were the case, we would have to reject the application or comply with it only in part.

Right to object

If we process personal data on legitimate grounds, the data subject has the right to object at any time and demand that we no longer process their personal data in such a manner. Such applications must clearly state as to which personal data the objection concerns and to which kind of processing it is raised. The applications should also be reasonably justified.

Having received an application from a data subject, we are obliged to discontinue the processing of such data or prove that compelling legal grounds exist for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

If we process personal data for marketing purposes, the data subject has the right to object at any time and demand that we no longer process their personal data in such a manner. The application must clearly state that the objection is raised against processing for the purposes of direct marketing and which personal data it concerns.

Following the receipt of an application from a data subject, we are obliged to discontinue the processing of their personal data for the purposes of direct marketing.

Other rights

Data subjects shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except for the cases when such a decision

  • is necessary for entering into, or performance of, a contract with the data subject
  • is authorised by European Union or member state law to which we are subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests
  • is based on the data subject’s explicit consent

If we process personal data based on the data subject’s consent, the data subject has the right to withdraw such consent at any time. However, the withdrawal of consent does not affect the legality of processing based on consent provided before such withdrawal.

If data subjects are of the opinion that the processing of their personal data constitutes breach of the GDPR, they have the right to file a complaint with a supervisory authority, in particular the one in the country of the data subject’s regular residence, place of work or place where such breach is alleged to have occurred. In the Czech Republic, this supervisory authority is The Office for Personal Data Protection at Pplk. Sochora 27, 170 00 Prague 7, Czech Republic, Company ID: 708 37 627, www.uoou.cz
