Rights of Data Subjects

Data subject’s rights are laid out in the GDPR, in particular in Art. 15 – 23. These rights are:

  • Of compensation. The controller shall compensate any damage caused by the processing of data in violation of the provisions of the Act on Processing of Personal Data unless it is established that such damage could not have been averted through the diligence and care required in connection with the processing of data.
  • Right to be informed, including about the processing of their personal data, relating to the purposes of the processing, the categories of processed personal data and the recipients or categories of recipients to whom the data are disclosed; if applicable, information relating to the transfers of personal data intended towards a State that is not a member State of the European Union;
    Along with the confirmation, the data controller must provide the data subject at least the following information:
    • communication in an intelligible form of the processed data and of any other available information regarding the source of origin of the respective data;
    • the technical principles and mechanisms involved in the data processing concerning that data subject;
    • the existence of the right of intervention upon the data, and the right to object, as well as the conditions in which the data subject can exert these rights;
    • the possibility of consulting the Register of personal data processing before submitting a complaint to the supervisory authority, as well as to dispute the data controller’s decisions in court, according to the provisions of the law.


The first request per year is exempt from any taxes. The data controller must communicate the requested information within 30 days from the receipt of the request.

  • Right to access to their personal data being processed;
  • Right to rectification of data;
  • Right to erasure (‘Right to be forgotten’);
  • Right to restriction of processing;
  • Right to data portability;
  • Right to object to direct marketing. The data subject may at any time object in relation to the controller to the processing of data relating to him. If a consumer objects, a company may not disclose data relating to that person to a third company for the purposes of marketing or use the data on behalf of a third company for such purposes;
  • Right to not be subject of a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.

Please visit: https://gdpr-info.eu/chapter-3/


Under the DPA Authority Law, the Supervisory Authority must respond within 30 days from the date a data subject files a complaint and must also provide information on the progress of analysing the complaint within three months from the filing of the complaint.