Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Paragraph 2.4.2 Rights of access, to rectification, erasure, restriction of processing and to object
31. The international agreement should safeguard the data subject’s right to obtain information about and access to all personal data relating to him/her that are processed, the right to rectification, erasure and restriction of processing and where relevant the right to oppose to the data processing on grounds relating to his or her particular situation.
32. As regards the right of access, the international agreement should specify that individuals shall have the right vis-à-vis the receiving public body to obtain confirmation as to whether or not personal data concerning him/her is being processed, and if that is the case, access to that data; as well as to specific information concerning the processing, including the purpose of the processing, the categories of personal data concerned, the recipients to whom personal data is disclosed, the envisaged storage period and redress possibilities.
33. The agreement should furthermore specify when these rights can be invoked and include the modalities on how the data subjects can exercise these rights before both parties as well as on how the parties will respond to such requests. For example, with respect to deletion, the international agreement could state that data is to be deleted when the information has been processed unlawfully or is no longer necessary for the purpose of processing. Moreover, the international agreement should stipulate that the parties will respond in a reasonable and timely manner, and in any case within one month, extendable at maximum by two further months, to requests from data subjects. The international agreement could also state that the parties may take appropriate steps, such as charging reasonable fees to cover administrative costswhere requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character.
34. The international agreement should also allot an obligation of the transferring public body to provide information to the data subject, once his/her personal data have been transferred, on the action taken on his/her request under the rights provided for by the international agreement without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. In addition, the transferring public body should inform the data subject of any such extension within one month of receipt of the request. Finally, information should be provided to the data subject, if the parties do not take action on the request of the data subject, without delay and at the latest within one month of receipt of the request, of the reasonsfor not taking action and on the possibility of lodging a complaint and of seeking a judicial remedy.
35. The international agreement can also provide for exceptions to these rights. These exceptions are limited and should be in line with the ones provided under Article 15 (4) and 17 (3) GDPR. The agreement may provide that the parties may decline to act on a request that is manifestly unfounded or excessive.