Rights of data subjects

ROTO complies with the Dutch General Data Protection Regulation (Algemene Verordening Gegevensbescherming; AVG) and the European GDPR. Data are used solely for the purpose for which they have been obtained and not made available to third parties unless ROTO is required by law or by legal or governmental procedures to release the personal data.

This procedure describes the ROTO approach to the rights of data subjects whose personal data are recorded or processed. In general, data subjects will be informed in a “general notice” about the processing of personal data, such as employees being informed about salary administration in their employment contract and a cookie notice for website visitors, unless the registration derives naturally from, or is required in the light of, business considerations in order to conduct business correctly, for example with suppliers and customers, in which case such notice will not be given.

Data subjects always have the right to object or appeal, or to file a complaint, if they believe that ROTO, by recording or processing personal data, is infringing laws and regulations or disproportionately harming their interests. In this respect, the Privacy Policy as published on our website shall also serve as guidance.

Data Protection Officer (DPO)

To safeguard the correct recording and processing of personal data and to allow data subjects to exercise their legal rights, ROTO has appointed a Data Protection Officer (DPO). Requests from data subjects may be submitted in writing to c.bruin@rotogroep.nl or Roto B.V., Molenstraat 28, 1911 DA Uitgeest, Netherlands.

If it has been established that the applicant is a legitimate data subject and it is clear which rights the data subject wishes to exercise, the DPO will take the request into consideration. After investigation, the DPO will inform the data subject in writing and stating reasons within four weeks of the decision made, and other users of the personal data will be informed about the possible consequences of the investigation such as a rectification or deletion of personal data, or a restriction on the retention or processing of data, unless this is impossible or disproportionately burdensome.

 

Objection and appeal

Data subjects who disagree with the decision of the DPO relating to one or more of the rights mentioned below can inform the management of ROTO about their objections. Data subjects also have the right to submit a complaint to the Dutch Data Protection Authority.

 

Rights of Data Subjects

In accordance with the GDPR, data subjects have, inter alia, the rights listed below:

 

Right to information, investigation and decision by the DPO (Articles 13 & 14 GDPR)

Data subjects whose personal data are recorded or processed have the right to information and may authorise others to exercise those rights on their behalf. A data subject may ask, free of charge and no more than twice annually, which data have been recorded, unless such a request is unfounded or excessively burdensome.

 

The right of access (Article 15 GDPR)

Every data subject has the right to access their own data that have been stored or processed, with the following information being provided:

  1. the purposes of the processing;
  2. the categories of personal data in question;
  3. whether data are passed on to third parties and, if so, to whom;
  4. whether there are transfers to other countries or international organisations and, if so, to whom;
  5. the expected retention periods for the data;
  6. the rights of the data subject in relation to the data in question;
  7. the right of the data subject to submit a complaint to the Data Protection Authority (The Netherlands: Autoriteit Persoonsgegevens - AP);
  8. whether data about the data subject have been obtained from sources other than the data subject and, if so, which sources;
  9. whether there has been automated decision-making/profiling and, if so, how it works and what the possible consequences are for the data subject.

 

Rectification, erasure and restriction of processing (Articles 16, 17 and 18 GDPR)

Every data subject may ask for the rectification, erasure or restriction of the processing of the personal data recorded with respect to him or her:

1. rectification: to correct inaccurate or incomplete personal data;

2. erasure: to “forget” personal data (erase data) if:

  • the personal data are no longer necessary for the purpose for which they were collected and there is no other reason to retain those data;
  • the purpose for processing the personal data is based on the data subject’s consent and the data subject withdraws that consent;
  • the data subject objects to the processing and there are no compelling grounds for the further retention or processing of the data;
  • personal data have been unlawfully retained or processed.

3. the request for erasure will be denied if the personal data are necessary for specific purposes such as statutory obligations or legal proceedings; in that case, only the data necessary for this purpose will be retained and retention periods must be observed such as those pursuant to the archival laws and for scientific or historical research;

4. restriction of processing: data subjects may ask for the processing of their data to be restricted if the accuracy of the data is at issue or personal data are no longer needed for the original purpose; the processing may therefore be unlawful and the data subject may ask for the data to be blocked or moved during the investigation so that it is inaccessible to employees, during which time the data may not be deleted.

 

Data portability (Article 20 GDPR)

A data subject may ask for data to be forwarded to another party. The DPO then checks whether digital data are involved and whether there is a legal basis for this other party to process those personal data on the basis of an agreement or the data subject’s consent. The data will then be provided in digital form to the extent necessary for the intended purpose. This will also be the case if ROTO is the receiving party.

 

Right to object (Article 21 GDPR)

If data processing is not necessary for the performance of a task covered by the legitimate interest of the party responsible for processing, the data subject may object, for example, to processing for direct marketing or scientific research or for statistical purposes based on the specific situation of the data subject.

 

Right to object to automated processing/profiling (Article 22 GDPR)

The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which results in legal effects concerning the data subject or significantly affects the data subject in another way, unless this is necessary for the performance of an agreement, is authorised by a legal provision or if the data subject has given their explicit consent.