Regulation (EU) 2016/679 of the European Parliament and of the Council, referred to as the GDPR (hereinafter “the Regulation”), enumerates specific rights of data subjects in Articles 15 to 22. Some of these rights are already known from the current legislation (for example, the right of access to personal data, the right to rectification of personal data), but some of them are new (the right to data portability). From a practical point of view, it must be noted that data subjects currently exercise their existing entitlements only exceptionally. It is therefore an open question whether this practice will change under the new legislation. However, an important novelty is that traders will have to process these potential requests free of charge (see below).
In connection with the regulation of data subjects’ rights, the Regulation also sets out how the controller or processor of personal data must proceed if a data subject exercises any of these rights against it. In the case of online traders, this will most frequently concern requests raised by their customers. This legal circular deals with the legislative requirements on how traders must proceed when data subjects exercise their rights.
Article 12(2) of the Regulation establishes the general principle that “the controller shall facilitate the exercise of data subject rights.” Article 12(3) of the Regulation is more practical, as it sets out time limits for processing requests from data subjects and also the manner of their processing. With regard to the manner of processing requests by the controller, it is specifically provided that “where the data subject makes the request by electronic means, the information shall be provided by electronic means where possible, unless otherwise requested by the data subject.”
With regard to the time limit for processing a request, it is provided that “the controller shall provide information to the data subject on action taken on a request … without undue delay and in any event within one month of receipt of the request.” The construction of this provision is therefore similar to that for processing complaints under the Consumer Protection Act. “That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.” Article 12(4) of the Regulation then adds a rule for situations where the controller will not comply with a data subject's request: “where the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking judicial remedy.”
As mentioned above, “… any communication and any actions … shall be provided and taken free of charge.” Only in the case where “requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.”
A question frequently arises regarding the identification of the data subject exercising its rights against the trader. This issue is expressly regulated by Article 12(6) of the Regulation, which provides that “where the controller has reasonable doubts concerning the identity of the natural person making the request …, the controller may request the provision of additional information necessary to confirm the identity of the data subject.” This means that it should be considered legitimate if the controller of personal data requires the data subject to prove additional facts serving to identify such data subject. If the trader can demonstrate that “the controller is not in a position to identify the data subject, the controller shall inform the data subject accordingly, where possible.” In such cases, the rights of data subjects shall not apply, “unless the data subject, for the purpose of exercising his or her rights …, provides additional information enabling his or her identification.”
Josef Aujezdský, advocate
Law Firm Mašek, Kočí, Aujezdský www.e-Advokacie.cz – online legal advice
This text was originally prepared by the law firm Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal circular No. 10/2017 intended for members of this association.
This text was translated from Czech to English using an AI translator.