ILN Data Privacy Paper

Portugal

5.3. Data correction, completion, updating or erasure of data

According to the GDPR (Articles 12-23 GDPR), data subjects have several rights related to their personal data, framed in (i) information and access to personal data, (ii) rectification and erasure, (iii) right to object and to not be subject to automated individual decision-making. Such rights, however, can be restricted (Article 23 GDPR).

In other words, data subjects have the right to correct, complete, update or even delete their personal data. A data subject may request the rectification or update of inaccurate or incomplete personal data (i.e., inaccurate or out of date personal data) to ensure that it is accurate and reflects reality. With respect to deletion, data subjects have the right to request the deletion of their personal data in certain circumstances (i.e., personal data is no longer necessary for the purposes for which it was collected, data subjects withdraw consent, or personal data is processed unlawfully).

The rights of the data subject may be restricted, when such restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure to safeguard, for example, national security, defense or public security. In particular, the right to erasure (“right to be forgotten”) is restricted to the extent that processing is necessary for the exercise of the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defense of legal claims.

Organizations are required to provide mechanisms for data subjects to exercise their rights, usually through a process for requesting the correction, completion, updating, or deletion of personal data. This process should be easily accessible and data subjects should not be subject to unjustified obstacles in exercising these rights.

5.4 Data protection and security practices and procedures

The security of processing of personal data is essential to ensure the privacy and integrity of the information of data subjects. Article 32(1) GDPR establishes that the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

www.mgra.pt
