Rights of the data subjects




The data subject is any natural person whose personal data are processed, regardless of whether that person is an EU citizen or not. The General Data Protection Regulation[1] regulates several rights of the data subject that can be exercised directly with the controller (the entity that processes his/her personal data).


1. Right of access

Example: If a data subject is requesting a copy of his or her personal data processed through video surveillance at the entrance of a shopping mall with 30 000 visitors per day, the data subject should specify when he or she passed the monitored area within approximately a one-hour timeframe. If the controller still processes the material, a copy of the video footage should be provided. If other data subjects can be identified in the same material, then that part of the material should be anonymised (for example by blurring the copy or parts thereof) before giving the copy to the data subject that filed the request.[2]


2. Right to rectification

Example: The company maintains a telephone directory of all its employees containing the name, surname and work telephone number of each employee. Employee A noticed an error in her surname in the telephone directory, because the company added the suffix “-ová” to her surname. This employee can exercise her right to rectify the inaccurate personal data with the employer.


3. Right to erasure ('right to be forgotten')

  • you have the right to obtain from the controller the erasure of personal data concerning you, if one of the reasons listed below applies
    • your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
    • you withdraw the consent on which the processing is based
    • you have exercised your right to object and the controller has complied with such request
    • your personal data have been unlawfully processed
    • it is a legal obligation of the controller to erase your personal data in accordance with the Union or Member State law to which the controller is subject
    • your personal data have been collected in relation to the offer of information society services
  • Art. 17 (3) provides for exemptions from the controller's obligation to erase personal data

Example: A convenience store is having trouble with vandalism, in particular on its exterior, and is therefore using video surveillance outside of their entrance in direct connection to the walls. A passer-by requests to have his personal data erased from that very moment. The controller is obliged to respond to the request without undue delay and at the latest within one month. Since the footage in question no longer meets the purpose for which it was initially stored (no vandalism occurred during the time the data subject passed by), there is, at the time of the request, no legitimate interest to store the data that would override the interests of the data subjects. The controller needs to erase the personal data.


4. Right to restriction of processing

  • you have the right to obtain from the controller restriction of processing if one of the following applies
    • you contested the accuracy of the personal data
    • you oppose the erasure of the personal data and request the restriction instead in case of unlawful processing
    • the controller no longer needs the personal data, but you require them for the establishment, exercise or defence of legal claims
    • you have exercised your right to object and your personal data are processed on a legal basis such as a public interest or a legitimate interest

Example: The saver (data subject) notices that the supplementary pension company (SPC) registered a contribution lower than that deducted from the saver's payment in June. He exercises his right to rectification of the inaccurate data with SPC and at the same time, as long as the controller complies with such right, the saver also exercises the right to restrict the processing.


5. Right to data portability

  • you have the right to obtain your personal data from the controller and transmit them to another controller while fulfilling these conditions
    • the processing is based on consent or on a contract and
    • the processing is carried out by automated means
    • the requested personal data should relate to the data subject and should be provided by that person
    • the exercise of this right should not adversely affect the rights and freedoms of others
  • by exercising this right you can:
    • receive the personal data concerning you in a structured, commonly used and machine-readable format
    • request the direct transmission of your personal data to another controller

Example: The titles of books purchased by an individual from an online bookstore, or the songs listened to via a music streaming service, are personal data that are generally within the scope of data portability, because they are processed on the basis of the performance of a contract to which the data subject is a party.[4]


6. Right to object

  • you have the right to object to the controller in the following cases
    • if your personal data are processed on a legal basis, which is the public interest or a legitimate interest
    • if the profiling is based on the public interest or a legitimate interest

Example: The consumer orders clothes from an online store (e-shop). Based on this order, the online store will start sending her a newsletter with new offers and promotions to the e-mail address provided by the consumer as contact information for the purposes of processing the order. The consumer does not want to receive such e-mails, so she exercises her right to object to the online store. As the online store sends the newsletters based on a legitimate interest, it is obliged to stop processing the e-mail address for this purpose.


7. The right not to be subject to automated individual decision-making, including profiling

Example: A business advertises an open position. As working for the business in question is popular, the business receives tens of thousands of applications. Due to the exceptionally high volume of applications, the business may find that it is not practically possible to identify fitting candidates without first using fully automated means to sift out irrelevant applications. In this case, automated decision-making may be necessary in order to make a short list of possible candidates, with the intention of entering into a contract with a data subject.[5]


8. Right to withdraw consent

  • if the controller processes your personal data on the basis of your consent/explicit consent, you have the right to withdraw your consent at any time
  • the withdrawal of your consent shall be as easy as its giving

Example: A music festival sells tickets through an online ticket agent. With each online ticket sale, consent is requested in order to use contact details for marketing purposes. To indicate consent for this purpose, customers can select either No or Yes. The controller informs customers that they have the possibility to withdraw consent. To do this, they could contact a call centre on business days between 8am and 5pm, free of charge. The controller in this example does not comply with article 7(3) of the General Data Protection Regulation. Withdrawing consent in this case requires a telephone call during business hours; this is more burdensome than the one mouse-click needed for giving consent through the online ticket vendor, which is open 24/7.[6]


9. Right to lodge a complaint to initiate the personal data protection proceeding

  • As a data subject, you have the right to lodge a complaint to the Office for personal data protection of the Slovak Republic to initiate the personal data protection proceeding.
  • You can find more information about the complaint to initiate proceedings in this link and in the section What to do if the controller did not respond or did not comply with your request?



  • You always exercise your rights with the person who processes your personal data (the particular controller).
  • If the controller designated a data protection officer, you can also address your request to this person.
  • The request can be made in oral, written or electronic form, or submitted otherwise (the General Data Protection Regulation does not prescribe a specific form). We recommend using the written or electronic form in particular, so that you are able to prove that you have exercised your right in case of any personal data protection proceedings.
  • You should prepare your identification data, such as the number of your contract, ID, username or password, etc., that is, any identifier on the basis of which the controller will be able to identify you in its own environment and thus provide you with data concerning you.
  • The controller shall handle your request without undue delay, no later than 1 month from receipt of your request.




  • If the controller:
    • does not respond to your request within 1 month (or within an extended period)
    • does not comply with your request and you think he should have complied
    • replied to your request but you are not satisfied with his action

you have the right to lodge a complaint to the Office for Personal Data Protection of the Slovak Republic to initiate the personal data protection proceeding.

  • The template of the complaint, as well as all the necessary, more detailed information on such complaint and procedure, can be found here.
  • It is important to prepare evidence that confirms your statements in your complaint (e.g. a copy of the document by which you have exercised your rights with the controller, and the controller's response to your request, if he answered it).

In case you were unable to exercise your rights with the controller, it is necessary to state the reasons why it was not possible to do so.


[1] REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

[5] Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, p. 23