b) Right to information Every data subject affected by processing personal data shall have the right granted by the European directive and regulation legislator to be provided at any time by the controller responsible for processing with free information on personal data saved on him or her, as well as with a copy of this information. Moreover, the European directive and regulation legislator has granted the data subject information on the following information:
the recipients or categories of recipients the personal data have or will be disclosed to recipients in third countries or of international organizations
if possible, the planned term, during which the personal data shall be saved or if this is not possible, the criteria for specifying this term
the existence of a right to rectification or deletion of the personal data related to him or her or restriction of processing by the controller or a right to object to this processing
if the personal data are not collected with the data subject: all available information on the source of the data
the existence of automated individual decision-making, including profiling pursuant to Art. 22 (1) and (4) GDPR and -at least in these cases -significant information about the logic involved, as well as the significance and the effects of such processing hoped for the data subject
Moreover, the data subject shall have the right to be informed whether personal data have been transferred to a third country or an international organization. If this is the case, the data subject shall have the right to be provided with information on appropriate guarantees related to the transfer. If a data subject wants to exercise this right of information, he or she can contact our data protection officer or another staff member of the controller responsible for processing at any time.
c) Right to rectification Every data subject affected by the processing of personal data shall have the right granted by the European directive and regulation legislator to demand the immediate rectification of incorrect personal data related to him or her. Moreover, the data subject shall have the right to demand the completion of incomplete personal data -even by means of a complementary declaration -considering the processing purposes. If a data subject wants to exercise this right of rectification, he or she can contact our data protection officer or another staff member of the controller responsible for processing at any time.
d) Right to deletion (“right to be forgotten”) Every data subject affected by processing of personal data shall have the right granted by the European directive and regulation legislator to obtain from the controller the deletion of personal data concerning him or her without undue delay where one of the following grounds applies and processing is not required:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
the data subject withdraws consent on which the processing is based according to Art. 6(1) lit. a GDPR or Art. 9(2) lit. a GDPR, and where there is no other legal ground for the processing.
the data subject objects to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21(2) GDPR.
the personal data have been unlawfully processed.
the personal data must be deleted for compliance with the legal obligation in Union or Member State law to which the controller is subject.
the personal data have been collected in relation to the offer of information society
services referred to in Art. 8(1) GDPR. Provided that one of these grounds applies and a data subject wants to initiate the deletion of personal data saved at APT, he or she can contact our data protection officer or another staff member of the controller responsible for processing at any time. The data protection officer of APT or another staff member shall initiate that the demand for deletion is complied with immediately.
If the personal data have been published by APT and our company, as the controller pursuant to Art. 17(1) GDPR, is obliged to delete the personal data, APT shall take appropriate measures, also technical ones -under consideration of available technology and implementation costs -to inform other data controllers who process the published personal data that the data subject demanded from those other data controllers to delete any and all links to these personal data or copies or replications of these personal data provided that processing is not necessary. The data protection officer of APT or another staff member shall take the necessary steps on a case-by-case basis.
e) Right to restriction of processing Every data subject affected by processing of personal data shall have the right granted by the European directive and regulation legislator to obtain from the controller restriction of processing where one of the following applies:
the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
the processing is unlawful, and the data subject opposes the deletion of the personal data and requests the restriction of their use instead.
the controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise or defence of legal claims.
the data subject has objected to processing pursuant to Art. 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
Provided that one of these grounds applies and a data subject wants to initiate the restriction of personal data saved at APT, he or she can contact our data protection officer or another staff member of the controller responsible for processing at any time. The data protection officer of APT or another staff member shall initiate the restriction.
f) Right to data portability Every data subject affected by processing of personal data shall have the right granted by the European directive and regulation legislator to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. He or she shall also have the right to transmit these data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to Art. 6(1) lit. a GDPR or Art. 9(2) lit. a GDPR or another contract pursuant to Art. 6(1) lit. b GDPR and processing is carried out by automated means, provided that the processing is not required for the performance of a task carried out in the public interest or exercise of official authority vested in the controller.
Furthermore, in exercising his or her right to data portability pursuant to Art. 20(1) GDPR, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible and the rights and freedoms of other persons are not impaired.
For the assertion of the right to data portability the data subject may contact at any time the data protection officer appointed by APT or another staff member.
g) Right to object Every data subject affected by processing of personal data shall have the right granted by the European directive and regulation legislator to object, on grounds relating to his or her situation, at any time to the processing of personal data concerning him or her which is based on Art. 6(1) lit. e or f GDPR. This shall also include profiling based on those provisions.
In the case of an objection to processing, your personal data will no longer be processed by APT, unless we are able to prove compelling legitimate reasons for the processing that override the interests, rights and freedom of the data subject or the processing is for asserting, execution or defence of legal claims.
Where personal data is processed by APT for direct marketing purposes, the data subject shall have the right to object to processing of personal data concerning him or her for such marketing at any time. This shall also include profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes vis-à-vis APT, the latter shall no longer process the personal data for such purposes. Furthermore, the data subject shall have the right for grounds based on his or her situation to object to processing of personal data concerning him or her by APT for scientific or historical research purposes or statistical purposes pursuant to Art 89(1) GDPR, unless such processing is for fulfilling a task in the public interest. For the assertion of the right to object, the data subject may directly contact the data protection officer of APT or another staff member. Furthermore, in the context of using services of the information society the data subject shall be free to assert his or her right to object by means of automated processes using technical specifications notwithstanding directive 2002/58/EC.
h) Automated individual decision-making, including profiling Every data subject affected by processing of personal data shall have the right granted by the European directive and regulation legislator not to be subject to a decision based solely on automated processing -including profiling -which produces legal effects concerning him or her or similarly significantly affects him or her, if this decision (1) is not necessary for entering into or fulfilling a contract between the data subject and the controller, or (2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests or (3) is based on the data subject’s explicit consent. If the decision (1) is necessary for entering into or fulfilling a contract between the data subject and the controller or (2) is based on the data subject’s explicit consent, APT shall take appropriate measures to protect the rights and freedoms, as well as the legitimate interests of the data subject, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. If a data subject wants to exercise rights referring to automated decisions, he or she can contact our data protection officer or another staff member of the controller responsible for processing at any time.
i) Right to revoke a declaration of consent under data protection law Every data subject affected by processing of personal data shall have the right granted by the European directive and regulation legislator to revoke at any time the consent to the processing of personal data. If a data subject wants to exercise his or her right to revoke the consent, he or she can contact our data protection officer or another staff member of the controller responsible for processing at any time.