Table of Contents
- 1. Transparency and Modalities for the Exercise of the Rights
- 2. Information and Access to Personal Data
- Information to be Provided If Personal Data is Collected from the Data Subject
- Information to Be Provided If Personal Data Has Not Been Collected From the Data Subject
- Information that is Made Available or Provided to the Data Subject, If the Competent Authorities Carry Out Processing for Special Purposes
- Right of Access by the Data Subject
- Right to Access by the Data Subject to Data Processed by the Competent Authorities
- Restriction of the Right to Access
- 3. Right to Rectification, Supplement, Erasure, Restriction and Data Portability
- Right to Rectification and Supplement
- Right to Erasure of Personal Data
- Right to Restriction of Processing
- Right to Erasure or Restriction of Processing Carried Out by the Competent Authorities for Special Purposes
- Obligation of Notification Regarding Rectification or Erasure of Data, As Well As Restriction of Processing
- Obligation of Notification Regarding Rectification or Erasure of Data, as well as Restriction of Processing Carried Out by the Competent Authorities for Special Purposes
- Exercising of the Right of the Data Subject If Processing is Carried Out by the Competent Authorities for Special Purposes and Verification by the Commissioner
- Right to Data Portability
- 4. Right to Object and Automated Individual Decision-Making
- 5. Restrictions
1. Transparency and Modalities for the Exercise of the Rights
Transparent Information, Communication, and Methods for Exercising the Rights of Data Subjects
Article 21
The controller is obliged to take appropriate measures to provide complete information referred to in Articles 23 and 24 of this Law and/or information relating to the exercise of the rights referred to in Article 26, Articles 29 through 31, Article 33, Articles 36 through 38 and Article 53 of this Law to the data subjects, in a concise, transparent, intelligible and easily accessible manner, using clear and plain language, in particular in the case of information intended for an underage person. Such information is provided in writing or in some other form, including, where appropriate, in electronic form. When requested by the data subject, information can be provided orally, provided that the data subject’s identity has been established beyond doubt.
The controller is obliged to assist the data subject in exercising their rights under Article 26, Articles 29 through 31, Article 33, and Articles 36 through 38 of this Law. In the cases referred to in Article 20, paragraphs 2 and 3 of this Law, the controller may not refuse to act on the request of the data subject for exercising their rights under Article 26, Articles 29 through 31, Article 33 and Articles 36 through 38 of this Law, unless the controller has demonstrated that it is not possible for them to identify the data subject.
The controller is obliged to provide information on action taken based on a request under Article 26, Articles 29 through 31, Article 33, and Articles 36 through 38 of this Law to the data subject without delay and within 30 days from the receipt of the request at the latest. That time limit can be extended by an additional 60 days if necessary, taking into account the complexity and number of requests. The controller is obliged to inform the data subject of any extension of the time limit and the reasons for such extension within 30 days of receiving the request. If the data subject has submitted the request by electronic means, information must be provided by electronic means if possible, unless the data subject has requested that information be provided by other means.
If the controller does not take action on the request of the data subject, they are obliged to inform such data subject without delay, and within 30 days from the date of receipt of the request at the latest, of the reasons for not taking action, as well as of the right to file a complaint with the Commissioner and/or to file a suit with the court.
The controller provides the information referred to in Articles 23 and 24 of this Law and/or information relating to exercising the rights referred to in Article 26, Articles 29 through 31, Article 33, Articles 36 through 38, and Article 53 of this Law free of charge. If the request of the data subject is manifestly unfounded or excessive, and in particular if the same request is frequently repeated, the controller may:
1) collect the necessary administrative costs of the provision of information and/or taking action on the request;
2) refuse to act on the request.
The burden of demonstrating that the request is manifestly unfounded or excessive lies with the controller.
If the controller has reasonable doubts concerning the identity of the person making the request referred to in Article 26, Articles 29 through 31, Article 33 and Articles 36 through 38 of this Law, the controller may request the provision of additional information necessary to confirm the identity of the data subject, which is without prejudice to application of Article 20 of this Law.
The information to be provided to data subjects pursuant to Articles 23 and 24 of this Law can be provided in combination with standardized icons presented in electronic form, in order to give a meaningful overview of the intended processing in an easily visible, intelligible, and clearly noticeable manner. Standardized icons presented electronically must be machine-readable.
The Commissioner determines the information that is to be presented electronically by standardized icons and regulates the procedure for determining thereof.
Provisions of paragraphs 1 through 9 of this Article do not apply to data processing carried out by the competent authorities for special purposes.
Information and Modality for Exercising the Rights of Data Subjects If Processing is Carried out by the Competent Authorities for Special Purposes
Article 22
If the competent authorities carry out the processing for special purposes, the controller is obliged to take reasonable measures to provide to the data subject complete information referred to in Article 25 of this Law and/or information relating to exercising of the rights referred to in Articles 27, 28, 32, 34, 35, 39 and 53 of this Law, in a concise, intelligible and easily accessible manner, by using clear and plain language. Such information is provided in any manner appropriate, including by electronic means. As a rule, the controller provides information in the same form as that of the request of the data subject.
The controller is obliged to assist the data subject in exercising their rights referred to in Articles 27, 28, 32, 34, 35, and 39 of this Law.
The controller is obliged to provide information to the data subject in writing on taking action on their request without delay.
The controller provides the information referred to in Article 25 of this Law and acts in compliance with Articles 27, 28, 32, 34, 35, 39, and 53 of this Law free of charge. If the request of the data subject is manifestly unfounded or excessive, and in particular if the same request is frequently repeated, the competent authority may:
1) collect the necessary administrative costs of the provision of information and/or taking action on the request;
2) refuse to act on the request.
The burden of demonstrating that the request is manifestly unfounded or excessive lies with the controller.
If the controller has reasonable doubts concerning the identity of the person submitting the request referred to in Article 27 or Article 32 of this Law, the controller may request the provision of additional information necessary to confirm the identity of the data subject.
2. Information and Access to Personal Data
Information to be Provided If Personal Data is Collected from the Data Subject
Article 23
If personal data relating to a data subject is collected from the data subject, the controller is obliged, at the time when personal data is collected, to provide the data subject with the following information:
1) on the identity and contact details of the controller as well as on the controller’s representative, if they have been designated;
2) the contact details of the person tasked with personal data protection, if they have been designated;
3) on the purpose of intended processing and on the legal basis for the processing;
4) on the existence of a legitimate interest pursued by the controller or a third party, where the processing is carried out based on Article 12, paragraph 1, item 6) of this Law;
5) on the recipient and/or on the group of recipients of the personal data, if any;
6) on the fact that the controller intends to transfer personal data to another country or to an international organization, as well as on whether or not such country or international organization is on the list referred to in Article 64, paragraph 7 of this Law, and in the case of a transfer referred to in Articles 65 and 67 or Article 69, paragraph 2 of this Law, on the reference or the appropriate safeguards, as well as on the means by which the data subject can get acquainted with such measures.
In addition to the information referred to in paragraph 1 of this Article, the controller is obliged to, at the moment of collecting personal data, provide the following further information to the data subject, which may be necessary to ensure fair and transparent processing regarding such data subject:
1) on the period for which the personal data will be stored, or if that is not possible, on the criteria used to determine that period;
2) on the existence of the right to request from the controller access to, rectification, or erasure of their personal data and/or on the existence of the right to restriction of processing, the right to objection, as well as the right to data portability;
3) on the existence of the right to withdraw consent at any given time, as well as that the withdrawal does not affect the permissibility of processing based on consent before its withdrawal, in cases where processing is carried out based on Article 12, paragraph 1, item 1) or Article 17, paragraph 2, item 1) of this Law;
4) on the right to file a complaint with the Commissioner;
5) on whether the provision of personal data is a statutory or contractual obligation, or a requirement necessary to conclude a contract, as well as on whether or not the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
6) on the existence of automated decision-making, including profiling referred to in Article 38, paragraphs 1 and 4 of this Law, and, at least in those cases, meaningful information about the logic involved, as well as on the significance and the expected consequences of such processing for the data subject.
If the controller intends to further process the personal data for a purpose other than that for which the personal data was collected, the controller provides the data subject, before that further processing, with information on that other purpose as well as with any relevant additional information as referred to in paragraph 2 of this Article.
If the data subject has already been informed of any information referred to in paragraphs 1 through 3 of this Article, the controller is not obliged to provide such information.
Provisions of paragraphs 1 through 4 of this Article do not apply to data processing carried out by the competent authorities for special purposes.
Information to Be Provided If Personal Data Has Not Been Collected From the Data Subject
Article 24
If personal data has not been collected from the data subject, the controller is obliged to provide the data subject with the following information:
1) on the identity and contact details of the controller and of the controller’s representative, if they have been designated;
2) on the contact details of the person tasked with the protection of personal data, if they have been designated;
3) on the purpose of the intended processing and on the legal basis for the processing;
4) on the type of data that is to be processed;
5) on the recipient, and/or on the group of recipients of the personal data, if any;
6) on the fact that the controller intends to transfer personal data to another country or to an international organization, as well as on whether or not such country and/or international organization is on the list referred to in Article 64, paragraph 7 of this Law, and in the case of a transfer referred to in Articles 65 and 67 or Article 69, paragraph 2 of this Law, on the reference or the appropriate safeguards, as well as on the means by which the data subject can get acquainted with such measures.
In addition to the information referred to in paragraph 1 of this Article, the controller is obliged to provide the following further information to the data subject, which may be necessary in order to ensure fair and transparent processing regarding such data subject:
1) on the period for which the personal data will be stored, or if that is not possible, on the criteria used to determine that period;
2) on the existence of a legitimate interest of the controller or a third party, if the processing is carried out based on Article 12, paragraph 1, item 6) of this Law;
3) on the existence of the right to request from the controller access to, rectification, or erasure of their personal data and/or on the existence of the right to restriction of processing, the right to objection to processing, as well as the right to data portability;
4) on the existence of the right to withdraw consent at any given time, as well as that the withdrawal of consent does not affect the permissibility of processing based on consent before its withdrawal, in cases where processing is carried out based on Article 12, paragraph 1, item 1) or Article 17, paragraph 2, item 1) of this Law;
5) on the right to file a complaint with the Commissioner;
6) on the source from which the personal data originates, and, where necessary, on whether the data originates from publicly available sources or not;
7) on the existence of automated decision-making, including profiling referred to in Article 38, paragraphs 1 and 4 of this Law, and, at least in those cases, meaningful information about the logic involved, as well as on the significance and the expected consequences of such processing for the data subject.
The controller is obliged to provide the information referred to in paragraphs 1 and 2 of this Article:
1) within a reasonable time limit following collection of the personal data, and within 30 days at the latest, having regard to all the specific circumstances of the processing;
2) at the latest on the occasion of establishing the first communication, if the personal data is used for communication with the data subject;
3) at the latest on the occasion when the personal data is first disclosed if disclosure of personal data to another recipient is planned.
If the controller intends to further process the personal data for a purpose other than that for which the personal data was collected, the controller is obliged to provide the data subject, before commencing such further processing, with information on that other purpose and with any relevant additional information on such other purpose, as well as any other pieces of information of relevance as referred to in paragraph 2 of this Article.
The controller is not obliged to provide the information referred to in paragraphs 1 through 4 of this Article to the data subject if:
1) the data subject already has the information;
2) the provision of such information proves impossible or would require a disproportionate expenditure of time and means, in particular in the case of processing for archiving purposes in the public interest, scientific or historical research purposes, as well as for statistical purposes, subject to the conditions and safeguards referred to in Article 92, paragraph 1 of this Law, or in so far as the discharging of obligations referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the purposes of that processing. In such cases, the controller takes appropriate measures to protect the data subject’s rights and freedoms, as well as the legitimate interests of the data subject, which includes making such information publicly available;
3) collecting or disclosure of personal data is expressly laid down by the law, providing for the appropriate safeguards for the legitimate interests of the data subject;
4) the personal data must remain confidential subject to an obligation of professional secrecy prescribed by the law.
Provisions of paragraphs 1 through 5 of this Article do not apply to data processing carried out by the competent authorities for special purposes.
Information that is Made Available or Provided to the Data Subject, If the Competent Authorities Carry Out Processing for Special Purposes
Article 25
If the competent authorities carry out processing for special purposes, the controller is obliged to provide at the disposal of the data subject at least the following information:
1) on the identity and contact details of the controller;
2) on the contact details of the data protection office, where they are designated;
3) on the purpose of intended processing;
4) on the right to file a complaint with the Commissioner and the contact details of the Commissioner;
5) on the existence of the right to request from the controller access to, rectification, or erasure of their personal data and/or on the existence of the right to restrict the processing of such data.
In addition to the information referred to in paragraph 1 of this Article, the controller is obliged to provide the data subject with the following additional information, to enable, in some instances, exercising of the rights of the data subject:
1) on the legal grounds for data processing;
2) on the period for which the personal data will be stored, or if that is not possible, on the criteria used to determine that period;
3) on the group of recipients of personal data, if any, including those in other states or international organizations;
4) other data, where necessary, and particularly if the data subject has not been aware that their personal data had been collected.
The information referred to in paragraph 2 of this Article which relates to individual types of data processing can be denied and/or provided under restrictions or at a later time to the data subject only in so far as necessary and in the duration necessary and proportionate in a democratic society regarding the respect of the fundamental rights and legitimate interests of natural persons, in order to:
1) avoid disturbance of official or legally regulated collection of information, investigation, or procedure;
2) enable prevention, investigation, and uncovering of criminal offenses, the prosecution of the perpetrators of criminal offenses, or the enforcement of criminal sanctions;
3) protect public safety;
4) protect national security and defense;
5) protect the rights and freedoms of other persons.
The law can determine the types of processing which, in their entirety or in part thereof, can be covered by some of the cases referred to in paragraph 3 of this Article.
Right of Access by the Data Subject
Article 26
The data subject is entitled to request from the controller information on whether or not the personal data concerning the data subject is being processed, access to such personal data, as well as the following information:
1) on the purpose of the processing;
2) on the types of personal data which is being processed;
3) on the recipients or types of recipients to whom the personal data have been or will be disclosed, in particular on the recipients in other countries or international organizations;
4) on the envisaged period for which the personal data will be stored, or, if that is not possible, on the criteria used to determine that period;
5) on the existence of the right to request from the controller rectification or erasure of their personal data, the right to restriction of processing of personal data concerning the data subject, and to object to such processing;
6) on the right to file a complaint with the Commissioner;
7) available information on the source of personal data, if the personal data has not been collected from the data subject;
8) on the existence of automated decision-making, including profiling referred to in Article 38, paragraphs 1 and 4, and at least in those cases, meaningful information about the logic involved, as well as on the significance and the expected consequences of such processing for the data subject.
If personal data is transferred to a third country or to an international organization, the data subject has the right to be informed of the appropriate safeguards relating to the transfer in compliance with Article 65 of this Law.
The controller is obliged to provide, at the data subject’s request, a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may request compensation for the necessary costs of producing such additional copies. If the data subject makes the request for a copy by electronic means, and unless otherwise requested by the data subject, the information is provided in a commonly used electronic form.
Exercising the rights and freedoms of other persons does not adversely affect the exercise of the right to obtain a copy referred to in paragraph 3 of this Article.
Provisions of paragraphs 1 to 4 of this Article do not apply to the processing carried out by the competent authorities for special purposes.
Right to Access by the Data Subject to Data Processed by the Competent Authorities
Article 27
If the competent authorities process personal data for special purposes, the data subject is entitled to obtain from the controller information on whether or not the personal data concerning them is being processed, access to such data, as well as the following information:
1) on the purpose of processing and on the legal basis for the processing concerned;
2) on the types of personal data that are being processed;
3) on the recipient or the types of recipients to which the personal data has been disclosed, and in particular on the recipients in other countries or international organizations;
4) on the envisaged period for storage of personal data or, if this is not possible, on the criteria used to determine such period;
5) on the existence of the right to request from the controller rectification or erasure of their personal data, and/or the right to restrict the processing of such data;
6) on the right to file a complaint to the Commissioner, as well as the contact details of the Commissioner;
7) information on the personal data being processed, as well as the available information on the source thereof.
Restriction of the Right to Access
Article 28
The right to access referred to in Article 27 of this Law can be restricted, in its entirety or in a part thereof, only in so far as such partial or complete restriction is necessary and in the duration necessary and a proportionate measure in a democratic society, with respect of the fundamental rights and legitimate interests of the natural persons whose personal data is being processed, in order to:
1) avoid disturbance of official or legally regulated collection of information, investigation, or procedures;
2) enable prevention, investigation, and uncovering of criminal offenses, prosecution of the perpetrators of criminal offenses, or enforcement of criminal sanctions;
3) protect public safety;
4) protect national security and defense;
5) protect the rights and freedoms of other persons.
The law can determine the types of processing which, in their entirety or in part thereof, can be covered by some of the cases referred to in paragraph 1 of this Article.
The controller is obliged to notify the data subject in writing of the rejection or restriction of access to their personal data without undue delay and within 15 days at the latest.
The controller is not obliged to comply with paragraph 3 of this Article if that would call into question the realization of the purpose for which access is refused or restricted.
In the case referred to in paragraph 4 of this Article, as well as where it is determined in the procedure on a request for access to data that the personal data of the person submitting the request is not being processed, the controller is obliged, without undue delay and within 15 days at the latest, to notify in writing the person submitting the request that verification has determined there is no personal data in respect of which the rights provided by the law can be exercised, as well as that they can file a complaint with the Commissioner and/or bring an action before a court.
The controller is obliged to document the factual and legal reasons for passing the decision on the restriction of right referred to in paragraph 1 of this Article, which must be placed at the disposal of the Commissioner at their request.
3. Right to Rectification, Supplement, Erasure, Restriction and Data Portability
Right to Rectification and Supplement
Article 29
The data subject has the right to have the inaccurate personal data concerning them rectified without undue delay. Depending on the purpose of the processing, the data subject has the right to have the incomplete personal data concerning them completed, including by means of providing a supplementary statement.
Right to Erasure of Personal Data
Article 30
The data subject has the right to have the personal data concerning them erased by the controller.
The controller is obliged to erase the personal data referred to in paragraph 1 of this Article without undue delay in the following cases:
1) the personal data is no longer necessary for the realization of the purpose for which it was collected or otherwise processed;
2) the data subject has withdrawn the consent based on which processing has been carried out, in compliance with Article 12, paragraph 1, item 1) or Article 17, paragraph 2, item 1) of this Law, and if there is no other legal ground for the processing;
3) the data subject has filed an objection to the processing in compliance with:
a) Article 37, paragraph 1 of this Law, and there is no other legal ground for processing that overrides the legitimate interest, right, or freedom of the data subject,
b) Article 37, paragraph 2 of this Law;
4) the personal data has been unlawfully processed;
5) the personal data has to be erased with the aim of discharging of the legal obligations of the controller;
6) the personal data has been collected relating to the use of information society services referred to in Article 16, paragraph 1 of this Law.
If the controller has made the personal data public, their obligation to erase personal data in compliance with paragraph 1 of this Article includes taking all the reasonable measures, including technical measures, taking into account available technologies and the potential to bear the costs of their use, with the aim of informing other controllers which are processing such personal data that the data subject has submitted the request to erase all the copies of such data and references, and/or electronic links to this data.
The data subject submits the request to the controller for exercising the right referred to in paragraph 1 of this Article.
Paragraphs 1 through 3 of this Article do not apply to the extent that the processing is necessary:
1) for exercising the right of freedom of expression and information;
2) for compliance with a legal obligation of the controller which requires processing or for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller;
3) for reasons of public interest in the area of public health, in compliance with Article 17, paragraph 2, items 8) and 9) of this Law;
4) for archiving purposes in the public interest, scientific or historical research purposes, as well as for statistical purposes in compliance with Article 92, paragraph 1 of this Law, and it is justifiably expected that the right referred to in paragraphs 1 and 2 of this Article could render impossible or seriously impair the achievement of the objectives of that purpose;
5) submission, exercising, or defense of legal claims.
Provisions of paragraphs 1 through 5 of this Article do not apply to the processing carried out by the competent authorities for special purposes.
Right to Restriction of Processing
Article 31
The data subject has the right to restriction of processing of their personal data by the controller if one of the following cases applies:
1) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
2) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;
3) the controller no longer needs the personal data for the realization of the purposes of the processing, but the data subject requested it for the submission, exercise, or defense of legal claims;
4) the data subject has submitted an objection to processing pursuant to Article 37, paragraph 1 of this Law, pending the verification of whether the legitimate grounds for processing by the controller override the interests of the data subject.
If processing has been restricted in compliance with paragraph 1 of this Article, such personal data may, with the exception of storage, only be further processed based on the data subject’s consent, or for the submission, exercise, or defense of legal claims, for the protection of the rights of other natural and/or legal persons, or for reasons of important public interest.
If processing has been restricted in compliance with paragraph 1 of this Article, the data controller is obliged to inform the data subject of the termination of the restriction before the restriction of processing is lifted.
Provisions of paragraphs 1 through 3 of this Article do not apply to the processing carried out by the competent authorities for special purposes.
Right to Erasure or Restriction of Processing Carried Out by the Competent Authorities for Special Purposes
Article 32
If the competent authorities carry out processing for special purposes, the data subject has the right to have their personal data erased by the controller and the controller is obliged to, without undue delay, erase such data if the processing has been carried out in violation of the provisions of Articles 5, 13 and 18 of this Law or if the personal data must be erased for compliance with a legal obligation of the controller.
The controller is obliged to restrict the processing, instead of erasing the personal data, in the following cases:
1) the data subject has contested the accuracy of personal data, and the accuracy and/or inaccuracy thereof cannot be determined;
2) personal data must be stored for the purpose of collecting and providing evidence.
If processing has been restricted in compliance with paragraph 2, item 1) of this Article, the data controller is obliged to inform the data subject of the termination of the restriction before the restriction of processing is lifted.
Obligation of Notification Regarding Rectification or Erasure of Data, As Well As Restriction of Processing
Article 33
The controller is obliged to notify all the recipients to which personal data has been disclosed of each rectification or erasure of personal data or restriction of the processing thereof in compliance with Article 29, Article 30, paragraph 1, and Article 31 of this Law, unless that is impossible or requires a disproportionate use of time and resources.
The controller is obliged to notify the data subject, at their request, of all the recipients referred to in paragraph 1 of this Article.
Provisions of paragraphs 1 and 2 of this Article do not apply to the processing carried out by the competent authorities for special purposes.
Obligation of Notification Regarding Rectification or Erasure of Data, as well as Restriction of Processing Carried Out by the Competent Authorities for Special Purposes
Article 34
If the competent authorities carry out the processing for special purposes, the controller is obliged to notify the data subject in writing of the rejection of rectification or erasure of their personal data, and/or of the restriction of processing, as well as of the reasons for such rejection or restriction.
The controller is completely or partially relieved from the obligation of notification referred to in paragraph 1 of this Article in so far as such restriction is a necessary and proportionate measure in a democratic society, with due respect to the fundamental rights and legitimate interests of the data subjects, in order to:
1) avoid disturbance of official or legally regulated collection of information, investigation, or procedures;
2) enable prevention, investigation, and uncovering of criminal offenses, prosecution of the perpetrators of criminal offenses, or enforcement of criminal sanctions;
3) protect public safety;
4) protect national security and defense;
5) protect the rights and freedoms of other persons.
In the case referred to in paragraphs 1 and 2 of this Article, the controller is obliged to inform the data subject that they can address a complaint to the Commissioner and/or take action before a court.
The controller is obliged to inform the competent authority from which such data has been obtained of the rectification of inaccurate data.
If the personal data has been rectified, erased, or if the processing thereof has been restricted in compliance with Article 29 and Article 32, paragraphs 1 and 2 of this Law, the controller is obliged to inform the recipients of such data of the rectification, erasure, or restriction of processing thereof.
The recipients of data that have been informed in compliance with paragraph 5 of this Article are obliged to rectify, erase, or restrict the processing of the data they keep.
Exercising of the Right of the Data Subject If Processing is Carried Out by the Competent Authorities for Special Purposes and Verification by the Commissioner
Article 35
In the cases referred to in Article 25, paragraph 3, Article 28, paragraphs 3 and 4, and Article 34, paragraph 2 of this Law, the rights of the data subjects can additionally be exercised through the Commissioner, in compliance with the powers of the Commissioner prescribed by this Law.
The controller is obliged to notify the data subject of the option of exercising their rights through the Commissioner in the cases referred to in paragraph 1 of this Article.
If, in the cases referred to in paragraph 1 of this Article, the rights of the data subjects are exercised through the Commissioner, the Commissioner is obliged to notify such data subject at least of the verification conducted and of the supervision of the processing of their personal data, as well as of the right to address the court for the protection of their rights.
Right to Data Portability
Article 36
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format and has the right to transmit such data to another controller without hindrance from the controller to which the personal data has been provided, if the following conditions have been cumulatively fulfilled:
1) the processing is based on consent pursuant to Article 12, paragraph 1, item 1) or Article 17, paragraph 2, item 1) of this Law or based on a contract, in compliance with Article 12, paragraph 1, item 2) of this Law;
2) the processing is carried out by automated means.
The right referred to in paragraph 1 of this Article also includes the data subject’s right to have their personal data transferred directly to another controller by the controllers to which such data has previously been transferred, if technically feasible.
The exercise of the right referred to in paragraph 1 of this Article is without prejudice to Article 30 of this Law. The right referred to in paragraph 1 of this Article cannot be exercised if the processing is necessary for performing a task in the public interest or in the exercise of official authority vested in the controller.
Exercising the right referred to in paragraph 1 of this Article may not adversely affect the rights and freedoms of other persons. Provisions of paragraphs 1 through 4 of this Article do not apply to the processing carried out by the competent authorities for special purposes.
4. Right to Object and Automated Individual Decision-Making
Right to Object
Article 37
If they consider that to be duly justified, on grounds relating to his or her particular situation, the data subject has the right to submit, at any time, an objection to the controller against the processing of personal data concerning him or her which is carried out in compliance with Article 12, paragraph 1, items 5) and 6) of this Law, including profiling based on those provisions. The controller is obliged to discontinue processing of the personal data relating to the person submitting the objection unless the controller demonstrates the existence of lawful reasons for the processing which override the interests, rights, and freedoms of the data subject or which relate to the submission, exercise, or defense of legal claims.
The data subject has the right to, at any given moment, submit an objection to the processing of the personal data concerning him or her which is processed for direct marketing purposes, which includes profiling, to the extent that it is related to such direct marketing.
If the data subject submits an objection to processing for direct marketing purposes, the personal data may no longer be processed for such purposes.
At the latest at the time of the first communication with the data subject, the right referred to in paragraphs 1 and 2 of this Article is explicitly brought to the attention of the data subject by the controller and is presented clearly and separately from any other information.
In the context of the use of information society services, the data subject has the right to submit an objection by automated means, in compliance with the technical specifications for the use of services.
If personal data is processed for scientific or historical research purposes or for statistical purposes in compliance with Article 92 of this Law, the data subject, on grounds relating to their particular situation, has the right to submit an objection to the processing of personal data concerning them, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
Automated Individual Decision-Making and Profiling
Article 38
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, if such a decision produces legal effects concerning such a person or if such a decision significantly affects his or her position.
Paragraph 1 of this Article does not apply if the decision is:
1) necessary for the conclusion or performance of a contract between the data subject and a data controller;
2) based on the law, if such law prescribes suitable measures to safeguard the rights, freedoms, and legitimate interests of the data subject;
3) based on the explicit consent of the data subject.
In the case referred to in paragraph 2, items 1) and 3) of this Article, the controller is obliged to implement suitable measures to safeguard the rights, freedoms, and legitimate interests of the data subject, and at least the right to ensure a natural person’s intervention under control of the controller in decision-making, the right of the data subject to express his or her point of view with regard to the decision, as well as the right of the data subject to contest the decision before the authorized person with the controller.
The decisions referred to in paragraph 2 of this Article cannot be based on special types of personal data referred to in Article 17, paragraph 1 of this Law, unless Article 17, paragraph 2, items 1) and 5) of this Law apply and where suitable measures to safeguard the rights, freedoms and legitimate interests of the data subject are in place.
Provisions of paragraphs 1 through 4 of this Article do not apply to data processing carried out by the competent authorities for special purposes.
Automated Individual Decision-Making and Profiling Regarding the Processing Carried Out by the Competent Authorities for Special Purposes
Article 39
Decision-making based solely on automated processing carried out by the competent authorities for special purposes, including profiling, is prohibited, where such decision may produce adverse legal effects concerning the data subject or where such decision significantly affects his or her position, except if such decision-making is based on the law and where such law lays down suitable measures to safeguard the rights and freedoms of the data subject, and at least the right to ensure a natural person’s intervention under control of the controller in decision-making.
The decision referred to in paragraph 1 of this Article may not be based on special types of personal data referred to in Article 18, paragraph 1 of this Law unless suitable measures to safeguard the rights, freedoms, and legitimate interests of the data subject are applied.
Profiling leading to discrimination of natural persons on the grounds of the special types of personal data referred to in Article 18, paragraph 1 of this Law is prohibited.
5. Restrictions
Article 40
The rights and obligations referred to in Articles 21, 23, 24, 26, Articles 29 through 31, Article 33, Articles 36 through 39, and Article 53, as well as Article 5 of this Law, if such provisions pertain to exercising of rights and obligations referred to in Articles 21, 23, 24, 26, Articles 29 through 31, Article 33 and Articles 36 through 39 of this Law, can be restricted if such restrictions do not interfere with the essence of the fundamental rights and freedoms and if that is a necessary and proportionate measure in a democratic society for the safeguarding of:
1) national security;
2) defence;
3) public security;
4) prevention, investigation, and uncovering of criminal offenses, prosecution of perpetrators of criminal offenses, or enforcement of criminal sanctions, including prevention and protection against threats to public security;
5) other important public interests, and in particular the important state or financial interests of the Republic of Serbia, including monetary policy, budget, tax system, public health, and social protection;
6) judicial independence and judicial proceedings;
7) the prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions;
8) the function of monitoring, supervision, or the performance of a regulatory function that is continuously or occasionally connected to the exercise of official authorities in the cases referred to in items 1) through 5) and item 7) of this paragraph;
9) the data subject or the rights and freedoms of other persons;
10) the enforcement of civil law claims.
If necessary, in the implementation of the restrictions of the rights and obligations referred to in paragraph 1 of this Article, at least the following must be taken into account:
1) the purposes of the processing or the types of processing;
2) the types of personal data;
3) the scope of restrictions;
4) the safeguards to prevent abuse, unlawful access, or transfer of personal data;
5) the specificities of the controller, and/or the type of controller;
6) the storage periods and the safeguards that can be applied, taking into account the nature, scope, and purposes of the processing or the types of processing;
7) the risks to the rights and freedoms of data subjects;
8) the right of data subjects to be informed about the restriction, unless such information is prejudicial to the realization of the purpose of the restriction.
Provisions of paragraphs 1 and 2 of this Article also apply in cases where processing by the competent authorities is not carried out for special purposes.