With regard to the processing of personal data, the data subject must be provided with the information specified in the GDPR in a concise, comprehensible and easily accessible form. This is often done in the form of privacy statements, which are published, for example, on the organisation's website.
Where personal data have not been collected from the data subject themselves, the descriptions shall state, in addition to the basic content:
The organization has created and communicated to registered users a process through which they can report questions, complaints or disputes related to data protection.
The organization has rules of procedure for handling, resolving and communicating issues that come to this channel. Valid issues that arise can be handled, for example, through the general non-conformity management process.
The organisation has defined, taking into account the legal basis of each identified purpose for processing personal data, which data subject rights apply to that processing.
The data subject cannot exercise all of their rights in every situation. Which rights the data subject can exercise in a given case depends on the legal basis on which the personal data in question are processed. The organisation can make use of the data protection authorities' guidance on how the legal basis for processing affects the rights that are available. Exceptions to these rights may also be laid down in special legislation applicable to the organisation, or their fulfilment may be refused on strong grounds in individual cases.
When acting as a joint controller, the organisation defines, in a transparent arrangement with the other joint controllers, how the controllers' obligations are complied with and how data subjects are informed.
For example, the organisation can conclude an agreement with the other joint controllers, or document in writing the procedures related to joint controllership, publish them online and make them available at its premises.
The organization must be able to provide the data subject with a copy of the personal data being processed at the data subject's request.
The organization must plan in advance a process by which a copy of the personal data can be delivered in a structured and commonly used format and securely to the data subject.
The organization should have pre-planned procedures for situations where third parties need to be notified of changes, deletions and prohibitions regarding shared personal data.
These parties can be, for example, partners who process the data or organizations to which the personal data has been disclosed onward.
Data subjects should be offered a mechanism by the organization to view and correct their personal data.
Data subjects should be offered a clear means by which they can object to the processing of personal data.
The implementation method for objecting to processing may vary, but it should be in line with the way of using the service offered (e.g. in online services, objecting to processing should also be possible online).
When personal data is processed on the basis of the data subject's consent, the organization should provide data subjects with a clear process for editing or withdrawing their consent. Editing may also mean limiting the processing of personal data, which may affect the controller's right to delete the data in question.
The process should include recording requests for editing in a way similar to recording consent. Changes to consent must be communicated to all relevant data systems, authorized users and third parties. The process should also define the response time in which the requests should be processed.
N.b.! Different jurisdictions may have restrictions on how and when the data subject can modify their consent.
The organization must have clear procedures for situations where the organization is required by law to disclose personal information to the authorities. In addition, a list must be kept of these individual data disclosures.
The organization shall pay particular attention to communicating these situations, and to the timing of that communication, to the customers concerned, unless this is illegal due to, for example, an ongoing investigation or other legal matter.
The organization must be able to describe these practices to the customers concerned upon request. Procedures and reporting obligations must also be described, e.g. in the contracts for the digital services offered.
The organization must define procedures for informing the controller about all processors of personal data before processing begins.
The notification shall include the data processed by the processors and the purposes for which they process the data.
Understanding data sources is important for understanding data flows. In addition, data protection communications shall be able to state the sources of personal data in cases where the data have not been collected directly from the data subject themselves.
Unless one of the specific exceptions defined in the Data Protection Regulation applies, the data subject has the right to have his or her personal data deleted when one of the following criteria is met:
We are aware of the situations in which the "right to be forgotten" is realized in our actions. We have designed policies for these situations, which may include e.g.:
Whenever we process personal data, the data subject has certain rights, e.g. to gain access to their data and, in certain situations, to object to processing or to have their data deleted.
We have planned procedures for handling data subject requests, which may include e.g.:
The organization has defined clear procedures that it follows when informing data subjects that it is refusing to implement a data protection request (e.g. the right to access or correct data). In these situations, the reasons for refusing the request must be clearly communicated to the data subject.
The organization has defined the ways in which the data subject's understanding of the effects of his consent is ensured.
At least the following points of view are clearly communicated to the data subject:
The data subject shall have the right to obtain the personal data they have provided to the controller in a structured, commonly used and machine-readable format and, if they so wish, to transfer such data to another controller. This can mean, for example, a way to download the data added to a web service at any time in a common format (e.g. XLS, XML, JSON).
The right applies when the following conditions are met:
The right does not cover data that the controller has generated itself on the basis of data provided by the data subject (e.g. health assessments) or that have been compiled by analysing data generated from monitoring the data subject (such as profiling).
Our organization is aware of situations where the data subject has the right to transfer their data. We have designed policies for these situations, which may include e.g.:
Privacy communications should be concise, easy to understand and easily accessible. To develop privacy communications, we test our communications for different uses by providing a snapshot of the privacy communications to a test group selected from among data subjects, and modifying the communications based on their feedback.
The purposes of the processing of personal data will change as the business develops. Privacy communications should stay up-to-date and reflect the actual state of processing.
We regularly make sure that all processing purposes are mentioned in communications (e.g. privacy statements), that the processing is accurately described, and that communications are provided to data subjects within the required time limits.