Your privacy rights
April 2018 Version 1.2
As a GPAL user you have privacy rights. We have listed them for you below. If you click on a term, you will be presented with information on how to exercise your rights. If you have any question, please call us on +31(0)50 2112935 or e-mail at firstname.lastname@example.org
- The right to data portability. The right to transmit personal data.
- The right to erasure: the right to be ‘forgotten’.
- The right of access. This is the right of people to obtain access to the personal data concerning him or her that are processed.
- The right to rectification and the right to have incomplete personal data completed. The right to change the personal data that are processed.
- The right to restriction of processing: the right to block or suppress processing of personal data.
- Rights with respect to automated individual decision-making and profiling. Or: the right to human intervention in decision-making.
- The right to object to processing of personal data.
The right to data portability
This right is described in Article 20 of the GDPR (General Data Protection Regulation). It means that individuals have the right to receive the personal data concerning them which they have provided to an organization.
What data can you ask for? Any personal data you have provided. You should interpret this broadly, however. This does not only cover data you have provided actively and consciously, such as your account details (email address, user name), but also data you have provided by using the application. For example, your search history or location info.
Please note that if you make a request further to your right to data portability, we are not required to provide any derived data, i.e. data you have generated yourself, for instance by means of data analysis. Examples include a credit rating or a profile we have created of you.
You can request your data by submitting a request via email@example.com. We will respond as soon as possible and at the latest within one month.
The right of access
You have the right to obtain access to your personal data. This means that you can ask us to confirm what personal data concerning you we have stored. You do not have to provide a reason for your request for access.
Before we address your request for access, we may ask you to prove your identity, for example by sending us a copy of your ID.
We can comply with your request for access in different ways: by providing a full specification, by furnishing copies/print-outs or by allowing you to inspect your data on site. As a rule we will send you a full specification. If you ask for access and we grant your request for access, we will let you know in a clear and understandable way:
- whether we use your personal data and, if so:
- what data we use
- the purpose of the use
- to whom we have provided the data (where applicable)
- from which source the data originate (if known).
If you make a request for access, you may expect to receive our response by email within four weeks.
The right to erasure: the right to be ‘forgotten’
This right means that we are obliged in certain circumstances to erase personal data at your request if we process your personal data.
The right to be forgotten applies only in the following circumstances:
- No longer necessary
We no longer need the personal data for the purposes for which we collected or processed them.
- Withdrawal of consent
You previously gave us your (express) consent to use your personal data, but now you withdraw that consent.
You object to the processing of your personal data. By virtue of Article 21 of the GDPR you have an absolute right to object to the processing of your personal data for direct marketing purposes. And you have a relative right to object if your rights outweigh the interests we have in processing the personal data. We will determine this on a case-by-case basis.
- Unlawful processing
The personal data have been unlawfully processed, for example because there is no legal basis for the processing.
- Statutory retention period
We are required by law to erase certain data after a certain time.
You are under the age of 16 and the personal data have been collected via our app or website (also termed ‘Information Society service’).
If you request us to erase your personal data by virtue of your right to be forgotten, we are obliged to do so immediately, but at the latest within one month. Only if the request is very complex do we have an extra two months to comply with it. In principle, we will comply with your request free of charge.
If we have transmitted your personal data to third parties, we will inform those third parties that we have erased your personal data and that they are under an obligation to erase your personal data as well.
The right to rectification
You have the right to have incorrect personal data rectified and to have incomplete personal data completed.
Are any personal data inaccurate, taking into account the purposes for which they are processed by us? Then we are obliged to take all reasonable measures to rectify those data or to complete them if they are incomplete.
If we have provided inaccurate or incomplete personal data to third parties, we must also provide the rectified or completed personal data to the organizations in question. At your request we will also let you know which organizations have received such information from us.
The right to restriction of processing
The right to restriction of processing applies in situations that meet one of the following criteria:
- Data may be inaccurate
If you indicate that the personal data concerning you that we use are inaccurate, we are not allowed to use those data until we have verified their accuracy.
- The processing is unlawful
We are not allowed to process certain personal data, but you do not want us to erase them either, for example because you want to retrieve them at a future date.
- Data are no longer necessary
We no longer need the personal data for the purposes for which we collected them, but you need the personal data for a legal claim, for example legal proceedings in which you are involved.
- You object to processing
If you object to our processing of your personal data, we are obliged to stop processing those personal data, unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms. We are not allowed to process the data pending the verification whether your interests, rights and freedoms override our grounds.
Inform third parties
If we have provided the personal data in question to third parties, we must notify those third parties that we have restricted the processing of those data and that they are also obliged to do so. At your request we will also let you know which organizations have received such information from us.
The right to human intervention in decision-making
Some organizations make decisions on the basis of automated processing of personal data, as in the case of profiling. The General Data Protection Regulation (GDPR) provides that data subjects have the right to human intervention in relation to decisions that affect them. GPAL or its co-controller does not make any decisions on the basis of automated data processing. Each decision that is made involves human intervention.
The right to object to processing of personal data
If an organization processes personal data for the performance of a task carried out in the public interest or on the grounds of a legitimate interest, you always have the right to object to the processing of your data.
We process your personal data on the grounds of a legitimate interest. Accordingly, you have the right to object to such processing. We informed you separately of this during the installation of the application. Our legitimate interests include retaining knowledge within the organization in which you work and encouraging the gathering and sharing of knowledge with others within your organization. You have the right to object to the processing of your personal data.
If you object to our processing of your personal data, we will stop doing so immediately. We will then determine whether we have compelling legitimate grounds for the processing of your personal data or whether your interests override ours. In that case we will not process your personal data until we have informed you whether we believe that our interests override yours.