Everyone who offers proof of identity has the right to know whether information concerning him/her is being processed, and to obtain it in an intelligible form.
- Such data must be processed fairly for the specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her and the right to have it rectified.
- In order to have the most effective protection of his private life, every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files. If such files contain incorrect personal data or have been collected or processed contrary to the provisions of the law, every individual should have the right to request rectification or elimination.
- There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
- Individuals should have the right: a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them; b) to have communicated to them, data relating to them i. within a reasonable time; ii. at a charge, if any, that is not excessive; iii. in a reasonable manner; and iv. in a form that is readily intelligible to them; c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and d) to challenge data relating to them and, if the challenge is successful to have the data erased, rectified, completed or amended.
- Everyone who offers proof of identity has the right to know whether information concerning him is being processed and to obtain it in an intelligible form, without undue delay or expense, and to have appropriate rectifications or erasures made in the case of unlawful, unnecessary or inaccurate entries, and when it is being communicated, addresses. Provision should be made for a remedy, if need be with the supervisory authority specified in principle 8 below. The cost of any rectification shall be borne by the person responsible for the file. It is desirable that the provisions of this principle should apply to everyone, irrespective of nationality or place of residence.
- Individuals should be able to: a) obtain from the personal information controller confirmation of whether or not the personal information controller holds personal information about them; b) have communicated to them, after having provided sufficient proof of their identity, personal information about them; i. within a reasonable time; ii. at a charge, if any, that is not excessive; iii. in a reasonable manner; iv. in a form that is generally understandable; and, c) challenge the accuracy of personal information relating to them and, if possible and as appropriate, have the information rectified, completed, amended or deleted.
- The Committee of Ministers therefore, under the terms of Article 15.b of the Statute of the Council of Europe, recommends that member States, in consultation with private sector actors and civil society, develop and promote coherent strategies to protect freedom of expression, access to information and other human rights and fundamental freedoms in relation to search engines in line with the Convention for the Protection of Human Rights and Fundamental Freedoms (...), in particular by engaging with search engine providers to carry out the following actions: (...) – enhance transparency in the collection of personal data and the legitimate purposes for which they are being processed; – enable users to access easily, and, where appropriate, to correct or delete their personal data processed by search engine providers; – develop tools to minimise the collection and processing of personal data, including enforcing limited retention periods, adequate irreversible anonymisation, as well as tools for the deletion of data.
- Member States (through the designated authorities) should enforce compliance with the applicable data protection principles, in particular by engaging with search engine providers to carry out the following actions: – ensure that the collection of personal data by search engine providers is minimised. No user’s IP address should be stored when it is not necessary for the pursuit of a legitimate purpose and when the same results can be achieved by sampling or surveying, or by anonymising personal data. Innovative approaches promoting anonymous searches should also be encouraged; – ensure that retention periods are not longer than strictly necessary for the legitimate and specified purposes of the processing. Search engine providers should be in a position to justify with demonstrable reasons the collection and the retention of personal data. Information in this connection should be made publicly available and easily accessible; – ensure that search engine providers apply the most appropriate security measures to protect personal data against unlawful access by third parties and that appropriate data breach notification schemes are in place. Measures should include “end-to-end” encryption of the communication between the user and the search engine provider; – ensure that individuals are informed with regard to the processing of their personal data and the exercise of their rights, in an intelligible form, using clear and plain language, adapted to the data subject. Search engines should clearly inform users up front of all intended uses of their data (emphasising that the initial purpose of such processing is to better respond to their search requests) and respect the user’s right with regar to their personal data. They should inform individuals if their personal data has been compromised.
- Principle of respect for privacy 1. Public authorities shall have respect for privacy, particularly when processing personal data. 2. When public authorities are authorised to process personal data or files, particularly by electronic means, they shall take all necessary measures to guarantee privacy. 3. The rules relating to personal data protection, notably as regards the right to have access to personal data and secure the rectification or removal of any data that is inaccurate or shall not have been recorded, shall apply to personal data processed by public authorities.
- Users have the right to access their personal data and to obtain correction, deletion and blocking of it. Intermediaries should therefore provide them with relevant information at all stages of processing, using clear and plain language, especially where such information is addressed to children. Moreover, intermediaries should inform users clearly about the conditions under which they may exercise the right to personal data erasure, to object to the processing of data and to withdraw consent provided for the processing of personal data, following which all processing based on the consent of the user should be terminated.
- There are effective processes enabling every individual to obtain, on request, information on the processing of his or her personal data and the reason underlying processing; to object to processing; to obtain, on request, rectification or erasure of the personal data; and to consent to, object to or withdraw consent to personal data processing or profiling.
- Personal data that are processed must be adequate, relevant, correct and, if necessary, up to date; all reasonable measures must be taken to complete, correct, block or erase data that are incomplete or incorrect.
- Every person has the right to access in an intelligible form, at reasonable intervals and without excessive delay or expense, confirmation of whether her or his personal data are stored in an automated file.