Management of data subject requests

Whenever we process personal data, the data subject has certain rights, e.g. gain access to their data and, in certain situations, oppose processing or have their data deleted.

We have planned procedures for handling data subject requests, which may include e.g.:

• the ways in which the data subject may make a request for information
• methods to verify the identity of the sender
• the persons to whom requests for information are forwarded in relation to each register

In the absence of specific situations as defined in the Data Protection Regulation, but one of the following criteria is met, the data subject has the right to have his or her personal data deleted:

• the processing is based on consent (and there is no other reason for processing) and the data subject withdraws her consent
• the data subject objects to the processing of his or her personal data for the purposes of direct marketing or otherwise exercises his or her right of objection and there is no valid reason for such processing
• personal data have been collected in connection with the provision of information society services

We are aware of the situations in which the "right to be forgotten" is realized in our actions. We have designed policies for these situations, which may include e.g.:

• the ways in which the data subject may request the deletion of data
• the means by which the identity of the sender of the request for information is verified
• persons assisting the contact person of the databank in processing the request
• the means by which data are securely and permanently deleted and the data subject is informed

The data subject shall have the right to obtain the personal data provided to the controller in a structured, commonly used and machine-readable form and, if he so wishes, to transfer such data to another controller. This can mean, for example, a way to download data added to a web service at a time in a general format (eg XLS, XML, JSON).

The right applies when the following conditions are met:

• personal data is processed automatically
• the personal data concern the data subject and are provided by her
• the processing of personal data is based on consent or agreement
• when the transfer of data does not adversely affect the rights and freedoms of third parties

The right does not cover data that have been generated by the controller himself on the basis of data provided by the data subject (e.g. health assessments) or that have been compiled from the analysis of data generated from the data subject's monitoring (such as profiling).

Our organization is aware of situations where the data subject has the right to transfer their data. We have designed policies for these situations, which may include e.g.:

• the ways in which the data subject may request the transfer of data
• the means by which the identity of the sender of the request for information is verified
• the forms in which the information is provided to the data subject
• ways in which the data subject is informed