Personal data of each person are, in one way or another, processed by other subjects (data controllers). Being aware of the processing of personal data by the data controller, it is important to understand and exercise one’s rights.

In accordance with the General Data Protection Regulation, the data subject shall have the following rights:

  1. Access the personal data. You may contact the data controller and request information whether your personal data are processed and, if yes, you have the right to access the personal data processed.
  2. Get information about the processing of your personal data.
  3. Request rectification or erasure of personal data or restriction of data processing. You may contact the data controller with the request to rectify any of your personal data if you believe that they are inaccurate or incomplete. You may also contact the data controller for the erasure of your personal data if you believe after accessing your personal data that the data processing is unlawful or unfair.
  4. Object to the processing of personal data. You have the right to object to the relevant processing of your personal data on the basis of a legitimate interest.
  5. Withdraw your consent for personal data processing. Where your data are processed with your consent, you have the right to withdraw the consent given for the data processing at any time.
  6. Request to transfer the data.
  7. Lodge a complaint with a supervisory authority.
  8. Receive compensation from the data controller for the material or non-material damage suffered as a result of a breach of Regulation (EU) 2016/679.

In order to exercise your rights, you may contact the company or organisation processing the personal data, i.e. the data controller. If there is a data protection officer in the company or in the organisation, you may also contact him/her. In order to exercise his/her rights, the data subject has the right to apply orally or in writing, by submitting an application in person, by post or by electronic means. It is important to know that these rights are not absolute and certain legal acts may restrict them, provide for specific conditions under which some of the rights may be exercised or other exemptions.

The company or the organisation shall respond to the applications of persons without undue delay and not later than within one month. If the company or the organisation does not grant your application, it shall state the reasons. In case of failure to find a solution together with the data controller, you have the right to apply to the State Data Protection Inspectorate (, which is responsible for the supervision and control of legal acts regulating personal data protection.

All actions based on the data subject’s requests to exercise his/her rights are performed free of charge. An exception to this rule is set out in Article 12(5) of Regulation (EU) 2016/679 which states that in certain cases a fee may be charged for the implementation of a data subject’s rights. For example, when requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or may refuse to act on the request.

Regulation (EU) 2016/679 imposes an obligation on the companies, institutions, organisations and persons who process personal data for the purposes relating to a profession, i.e. on data controllers, to implement the rights of data subjects and the principle of accountability. To facilitate proper compliance with this obligation, the Rules for Implementing the Rights of Data Subjects (the State Data Protection Inspectorate published the Model Rules for Implementing the Rights of Data Subjects on 11 July 2018) have been drawn up in order to help data controllers have due regard for the human rights in the data protection area as provided for in the new legal regulation on personal data protection.

The Model Rules for Implementing the Rights of Data Subjects have been approved by Order No 1T-63(1.12.E) of 9 July 2018 of the Director of the State Data Protection Inspectorate and are available in the Register of Legislation:

More information about human rights in the area of personal data protection is available on the website of the European Commission: