Automated Processing and the Right to Object: What You Need to Know
As technology advances, automated decision-making processes are becoming increasingly common. However, this raises important questions about individual rights and protections.
Fair and Transparent Processing: A Must for Controllers
Controllers must provide relevant information to individuals about the processing of their personal data, unless the individuals already have this information. This includes details such as:
- Purpose and intended recipients
- Whether supply is voluntary or mandatory
- Existence of the right to withdraw consent and of access rights
- Automated decision-making and profiling information
- Storage period and complaint mechanisms
When Must Controllers Provide Information?
Controllers must inform individuals about the personal data collected at the time of collection, unless the individuals already have this information. If the data were not obtained directly from the individual, controllers must provide the information within a reasonable period.
Rights of Information and Access: What Individuals Can Demand
Individuals have the right to:
- Confirm whether their personal data are being processed
- Access their data (copy)
- Be provided with supplemental information about processing
Controllers must respond to written requests without excessive delay and free of charge. In cases where requests are manifestly excessive, controllers may charge a fee or refuse the request.
Verifying Identity: A Crucial Step
Controllers must use reasonable means to verify the identity of individuals making requests. However, they should not collect data solely for this purpose.
Rectification Rights: Correcting Errors and Completing Incomplete Data
Individuals can require controllers to rectify inaccuracies in their personal data or complete incomplete data. Controllers may also be required to record a supplementary statement.
When Controllers Are Not Required to Provide Information
Controllers are not required to provide information where processing is prescribed by law, impossible, or involves disproportionate effort.
Erasure Rights: When Personal Data Must Be Deleted
Personal data must be erased in the following circumstances:
- No longer necessary for original purpose
- Withdrawal of consent (no other legal ground)
- Overriding legitimate grounds do not exist
- Unlawful processing
Informing Third Parties: A Key Step in Erasure Requests
Controllers should inform third parties processing personal data about requests to erase links, copies, or replications of the individual’s data.
Right to Restriction and Erasure: Best Practices for Controllers
To ensure compliance with erasure and restriction requirements, controllers should:
- Educate staff and suppliers
- Determine if exemptions are necessary in specific sectors
- Develop systems to mark restricted data
When Controllers May Decline to Comply with Rectification and Erasure Requests
Controllers may decline to comply with requests when there are reasons of public interest in the field of public health, historical or scientific research, or compliance with legal obligations.
By understanding these rights and responsibilities, controllers can ensure fair and transparent processing of personal data, while individuals can exercise their right to object and demand accountability from those handling their personal information.