Within the scope of his/her rights, the User may request in a verifiable manner that the Controller inform him/her whether the Controller processes any of his/her personal data and, if so, provide access to the electronic and paper records and project documents of the Controller related to such data, if so requested.
In addition to the personal data processed by the Controller, the User’s request for information may include the source of the personal data, the purpose, legal basis and duration of the processing and transfer, the data of any data processors, service providers and other activities related to the processing.
The User may request the modification of his/her personal data by the Controller in a verifiable manner. Once the request becomes fulfilled, the modified data (except for data changes requiring further modification) can no longer be restored.
The User may also request the erasure of his/her personal data by the Controller in a verifiable manner. Deletion may be refused, in case:
- the request infringes the exercise of the right to freedom of expression and information;
- further processing of the personal data requested to be deleted is authorised by legislation;
- it prevents the enforcement or defence of legal claims.
The Controller shall inform the User of the refusal of the deletion request, stating the reason. Once the request for erasure of personal data becomes fulfilled, the previously erased data can no longer be restored.
The procedure for erasure of personal data must be clear and verifiable.
The User may request in a verifiable manner that the Controller restricts the processing of his or her personal data, in case:
- he/she contests the accuracy of the personal data processed: this way, the limitation applies for the period of time during which the data are checked and, where necessary, rectified;
- the processing is unlawful, but the User objects to the deletion of the personal data in question and requests only the restriction of their use;
- the purpose of the processing has been achieved, but the User requests further processing of his or her personal data by the Controller in order to assert or defend legal claims.
The User may object to the processing of his/her personal data, in case:
- the processing of the User’s personal data is necessary solely for the purposes of the legitimate interests pursued by the Controller or by a third party, except in cases of mandatory processing;
- the processing is for direct marketing, public opinion polling or scientific research purposes;
- other cases specified by law.
The Controller shall be obliged to assess the merits of the User’s request for restriction or the lawfulness of the User’s objection as soon as possible after the request is submitted, but within 30 days at the latest if the User is prevented from doing so.
If the User’s request or objection is justified, the Controller shall restrict or terminate the processing of the personal data and, if necessary, take measures to ensure that the correct data are recorded, in cooperation with the User, as appropriate; the Controller shall then notify the persons to whom the relevant personal data were previously disclosed of the measures taken.
The User warrants that the personal data provided or made available to the Controller about another natural person is accurate, that the consent of the natural person concerned has been obtained lawfully for its processing and, where applicable, that the User is acting lawfully on behalf of the other natural person. If the User has unlawfully provided the personal data, the User shall be fully liable in this respect.