Data Management Policy – Data Subject Rights

Data Management Policy

Data Subject Rights

Right To Be Informed

ZTPL shall provide following mentioned information to Data Subject when collecting the personal data related to Data Subject. :

The identity and the contact details of the organization and, where applicable, of the organization’s representative.
The contact details of the GRC officer, where applicable.
The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
The legitimate interests pursued by the controller or by a third party.
The recipients or categories of recipients of the personal data, if any.
Where applicable, the fact that the organization intends to transfer personal data to a third country or international organization and the existence or absence of an adequacy.
The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
The existence of the right to request from the organization the rectification or erasure of personal data or restriction of processing concerning Data Subject or to object to the processing as well as the right to data portability.
The existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
The right to lodge a complaint with a supervisory authority.
Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter a contract, as well as whether the Data Subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
The existence of automated decision-making, including profiling, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject.
From which source the personal data originated, and if applicable, whether it came from publicly accessible sources where personal data have not been obtained from Data Subject.

The organization shall provide information on action taken on your request without undue delay and in any event within one month of receipt of the request, for the following rights:

Right to Access

The organization shall provide following mentioned rights to Data Subject:

Data Subject shall have the right to obtain from the organization confirmation as to whether the personal data concerning him or her is being processed.
Data Subject shall have the right of access to personal data which has been collected concerning him or her, and to exercise that right easily and at reasonable intervals, to be aware of, and verify, the lawfulness of the processing and the following information:

The purposes for which the personal data is processed and where possible the period for which the personal data is processed.
The categories of the personal data concerned.
The recipients or categories of recipient to whom the personal data have been or will be disclosed, recipients in third countries or international organizations.

Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period.
The existence of the right to request from the organization the rectification or erasure of personal data or restriction of processing personal data concerning the data subject or to object to such processing.
The right to lodge a complaint with a Supervisory Authority/Commissioner.
Where the personal data is not collected from Data Subject, any available information as to their source.
The existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the consequences of such processing for Data Subject.

The organization shall use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. The organization shall not retain personal data for the sole purpose of being able to react to potential requests.

Right to Rectification

The organization shall provide following mentioned data rectification rights to Data Subject:

Data Subject shall have the right to obtain from the organization without undue delay the rectification of inaccurate personal data concerning him or her.
Considering the purposes of the processing, Data Subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to Erasure (‘Right to be Forgotten’)

The organization shall provide following mentioned data erasure rights to Data Subject:

Data Subject shall have the right to have your personal data erased and no longer processed without undue delay where:

The personal data is no longer necessary in relation to the purposes for which it is collected or otherwise processed.
Data Subject has withdrawn his or her consent and where there is no other legal ground for processing.
Data Subject objects to the processing of personal data concerning him or her.
The processing of your personal data does not otherwise comply with the applicable regulations.
The organization has made the personal data public and is obliged to erase the personal data including any links or copy or replication of the personal data.
The personal data must be erased for compliance with a legal obligation to which the organization is subject.

The right to erasure shall not apply to the extent that processing is necessary for following mentioned scenarios:

For exercising the right of freedom of expression and information.
For compliance with legal obligation to which the organization is subject or for the performance of a task carried out in the public interest or in exercise of official authority vested in the organization.
For public interest in the area of public health.
For archiving purposes in the public interest, scientific or historical research purposes.
For the establishment, exercise, or defense of legal claims.

Right to Restriction of Processing

Data Subject shall have the right to obtain from the organization restriction of processing where one of the following applies:

The accuracy of the personal data is contested by Data Subject, for a period enabling the organization to verify the accuracy of the personal data.
The processing is unlawful, and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead.
The organization no longer needs the personal data for the purposes of processing, but it is required by Data Subject for the establishment, exercise, or defense of legal claims.
The Data Subject has objected to processing pursuant as mentioned below.

If the Data Subject has obtained restriction of processing, it shall be informed by the controller before the restriction of processing is lifted.
The restricted processing of personal data shall only be processed with your consent or for the establishment, exercise, or defense of legal claims or for protection of the rights of another natural or legal person or for public interest reasons.

Notification Obligation

The organization, on the request of data subject, shall provide the list of recipients to whom personal data has been disclosed.

Right to Data Portability

The Data Subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the organization, in a structured, commonly used, machine-readable and interoperable format.
Data Subject shall have the right to have the personal data transmitted directly from one organization to another, where technically feasible.
That right shall be strictly limited to your personal data.

Right to Object

The Data Subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on lawful processing. The organization shall no longer process the personal data unless the organization have compelling legitimate grounds for the processing which override the interests, rights, and freedom of the data subject or for the establishment, exercise, or defense of legal claims.
Where personal data is processed for direct marketing purposes, Data Subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing, whether with regard to initial or further processing, at any time and free of charge.
Data Subject may exercise his or her right to object by automated means using technical specifications.

Your Right Regarding Not to be Subject to a Decision Based Solely on Automated Processing.

Data Subject shall have the right not to be subject to a decision which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing, and which produces legal effects concerning him or her or similarly significantly affects him or her, such as e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyze or predict aspects concerning your performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location, or movements, where it produces legal effects concerning Data Subject or similarly significantly affects Data Subject.
In order to ensure fair and transparent processing in respect to Data Subject, taking into account the specific circumstances and context in which the personal data is processed, the organization shall use appropriate mathematical or statistical procedures for the profiling, implement technical and organizational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimized, secure personal data in a manner that takes account of the potential risks involved for your interests and rights .
Automated decision-making and profiling based on special categories of personal data shall be allowed only under specific conditions.
The GRCO shall take an action as requested by Data Subject and shall provide the response to Data Subject, without undue delay.