Your rights as a data subject

You have the right to be given information when your personal data is being processed. Information about the personal data processing is to be given by the data controller both when the data is collected and when you request it. There are also certain other occasions when particular information is to be provided to you, for example if a data breach occurs, and there is a risk of, for example, identity theft or fraud.

The information shall be provided to you for free in easily accessible, written form (which may be in electronic form) and be worded in clear, simple language. The GDPR specifies in detail what information is to be provided. For example, you should be given information about the controller's contact details, the lawful basis for the processing and the purpose of the processing.

You have the right to contact a company or authority that processes your personal data and request that inaccurate information be corrected. This also means that you have the right to add personal data that is missing considering the purpose of the personal data processing. The data controller must also ensure that the data is accurate and up to date. This is also stated in the GDPRs fundamental principles.

If data is rectified at your request, the company or authority must also inform those to whom they shared the incorrect data with. This does not however apply if it should prove to be impossible or would involve excessive effort. You also have the right to request information about to whom your incorrect data has been shared with.

According to the GDPR, you have the right to contact a company or authority that processes your personal data and request erasure. The data is to be erased in the following cases:

• If the data is no longer needed for the purposes for which it was collected.
• If the processing is based on your consent and you withdraw it.
• If the processing is carried out for direct marketing and you object to the data being processed.
• If you object to personal data processing in the context of exercise of official authority or after a balancing of opposing interests and rights, and there are no legitimate reasons that override your interests.
• If the personal data has been processed unlawfully.
• If erasure is required in order to fulfil a legal obligation.
• If the personal data is about a child and was collected when the child created a profile on a social media platform.

If data is erased at your request, the company or authority must also inform those to whom they have shared your data with of the erasure. This does not however apply if it should prove to be impossible or would involve excessive effort. You also have the right to request to be given information about to whom data has been shared with.

There are exceptions to the right to erasure and the obligation to inform others if it is necessary in order to satisfy other important rights such as the right to freedom of expression and freedom of information, fulfil a legal obligation, carry out a task in the public interest or as part of the exercise of official authority.

In certain cases, you have the right to demand that the processing of your personal data be limited. By "limited" is meant that the data is flagged so that it in future may only be processed for certain limited purposes.

The right to limitation applies among other things when you consider that the data is inaccurate and request rectification. You can in such cases also request that the processing of your personal data be limited while the accuracy of the data is investigated.

You have the right to know when the limit on the use of your data has been removed.

If you have submitted your personal data, you may in certain cases have the right to be given and to use your personal data elsewhere, for example on another social media service. The controller is obliged to simplify such transfer of personal data. This assumes that the controller processes the personal data based on your consent or to perform a contract with you. It applies only to such personal data that you have provided yourself.  

In some cases, you have the right to object to your personal data being used.

The right to object applies when personal data is processed in order to carry out a task in the public interest, as part of the exercise of official authority, or after a balancing of opposing interests and rights has been carried out.

If you object to the processing in such cases, the controller may only continue to process the data

• if it can be demonstrated that there are legitimate reasons for the data needing to be processed that override your interests, rights and freedoms, or
• if the processing is carried out for the establishment, exercise or defence of legal claims.

You always have the right to object to your personal data being used for direct marketing. Such objections can be made at any time. If you object, the personal data may no longer be processed for such purposes.

Special rules apply in the case of personal data that is processed for scientific or historical research purposes or statistical purposes.

The data controller must inform you of your right to object.

You have the right not to be subject to a decision based solely on automated decision-making, including profiling, if the decision may have legal consequences or other significant consequences for you.

Automated decision-making may for example consist of automated refusal of a credit application on the Internet or a rejection from e-recruitment via the Internet without any personal contact.

Automated decision-making may be permitted if it is necessary for the entering into, or performance, of a contract between you and the controller, or if you have given your consent. It may also be permitted under special legislation.

The data controller must inform you that automated decision-making is used in accordance with the general information obligation in the GDPR.

Automated decisions can be made with or without profiling. Profiling can be used without this leading to an automated decision. Profiling means any form of automated processing of personal data where the data is used to assess certain personal qualities, in particular to analyse or predict the person's work performance, financial situation, health, personal preferences, interests, dependability, behaviour, place of residence or relocations.

Profiling is a type of personal data processing, and therefore it must follow the rules in the GDPR.