When personal data are requested, data subjects have the right:
- to be informed of the processing operations (Articles 11 and 12)
- to access, rectify, block or erase the data (Articles 13-16)
- to object to the processing on compelling legitimate grounds (Article 18)
- to compensation for any damage (Article 32)
Other principles
ACCESS-3DP
Processing of personal data is only lawful if the purpose(s) is legitimate and if the processing is necessary for one of the following:
- for the performance of a task carried out in the public interest or in the legitimate exercise of official authority (Article 5(a))
- for compliance with a legal obligation (Article 5(b))
- for the performance of a contract to which the data subject is party (Article 5(c))
- if the data subject has unambiguously given his or her consent (Article 5(d))
- in order to protect the vital interests of the data subject (Article 5(e)).
The Data Controller (i.e. the person who is responsible for the processing operation) must ensure that all provisions of the Regulation (EC) 45/2001 are complied with.
According to the principles of confidentiality and security, only those people who need access shall have it. By analogy:
- access to basic personal data shall be limited to staff who need it for their work (such as security guards).
- access to a staff evaluation report should be limited to the particular employee in question, as well as to a restricted number of people in the human resources department.
Sensitive data, such as medical files or an arrest warrant, shall be treated even more carefully (Article 10). The presumption is that, because information about these matters could be used in a discriminatory way and is likely to be of a private nature, it needs to be treated with even greater care than other personal data.
Personal data should in general be transferred neither internally nor externally unless the transfer is necessary for the legitimate performance of tasks within the competence of the recipient; the necessity of the transfer must be evaluated. In certain cases data subjects must be informed of the transfer.
Unauthorized access to personal data should be prevented by ensuring appropriate safeguards, both in terms of barriers that secure the system technically and logistically, and by selecting a limited and appropriate number of people who have authorized access