interactive GDPR 2016/0679 EN

(63) A data subject should have the right of access to personal_data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing.

  This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided.

  Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal_data are processed, where possible the period for which the personal_data are processed, the recipients of the personal_data, the logic involved in any automatic personal_data processing and, at least when based on profiling, the consequences of such processing.

  Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal_data.

  That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software.

  However, the result of those considerations should not be a refusal to provide all information to the data subject.

  Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.

(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention.

  Such processing includes ‘ profiling’ that consists of any form of automated processing of personal_data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her.

  However, decision-making based on such processing, including profiling, should be allowed where expressly authorised by Union or Member State law to which the controller is subject, including for fraud and tax-evasion monitoring and prevention purposes conducted in accordance with the regulations, standards and recommendations of Union institutions or national oversight bodies and to ensure the security and reliability of a service provided by the controller, or necessary for the entering or performance of a contract between the data subject and a controller, or when the data subject has given his or her explicit consent.

  In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.

  Such measure should not concern a child.

(87) It should be ascertained whether all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal_data breach has taken place and to inform promptly the supervisory_authority and the data subject.

  The fact that the notification was made without undue delay should be established taking into account in particular the nature and gravity of the personal_data breach and its consequences and adverse effects for the data subject.

  Such notification may result in an intervention of the supervisory_authority in accordance with its tasks and powers laid down in this Regulation.

(94) Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation, the supervisory_authority should be consulted prior to the start of processing activities.

  Such high risk is likely to result from certain types of processing and the extent and frequency of processing, which may result also in a realisation of damage or interference with the rights and freedoms of the natural person.

  The supervisory_authority should respond to the request for consultation within a specified period.

  However, the absence of a reaction of the supervisory_authority within that period should be without prejudice to any intervention of the supervisory_authority in accordance with its tasks and powers laid down in this Regulation, including the power to prohibit processing operations.

  As part of that consultation process, the outcome of a data protection impact assessment carried out with regard to the processing at issue may be submitted to the supervisory_authority, in particular the measures envisaged to mitigate the risk to the rights and freedoms of natural persons.