Frequently Asked Questions - The different rights
To exercise your right to object, you need to submit your request to the controller. As a data subject, you need to prove your identity, so it is best to attach a copy of your identity card to your request.
The request must meet certain formal requirements. The Privacy Act stipulates that the request has to be signed and dated and has to be sent using a means of telecommunication (for example a fax or an e-mail with an electronic signature), but it can also be delivered personally.
For your convenience the Privacy Commission has elaborated two model letters to exercise your right to object, notably a letter for the general right to object (French/Dutch) and a letter for the right to object in the context of direct marketing (French/Dutch). You only need to add/complete your contact information and delete our explanations (highlighted in grey).
The controller has one month to respond to your request.
Everyone has the right to object to the processing of their data. However, this right is not absolute. You can always object to the use of your data, but only with serious reasons, i.e. you have to indicate that the processing operation can have a negative impact on you.
You can always object to the processing of your personal data if this processing operation is carried out in violation of the provisions of the Privacy Act, more specifically when the data, with regard to the purpose of the processing operation, are incomplete, irrelevant or when registration, disclosure or storage of the data is prohibited or when they are stored longer than authorised.
You cannot object, however, to a processing operation necessary to comply with a legal or regulatory provision, or if the processing operation is necessary for the implementation of an agreement.
When someone gathers your data for direct marketing purposes (for example promotions), you can always object, free of charge and without any justification.
For these processing operations the right of access cannot be exercised directly. The Privacy Act provides for a system of “indirect access” to the data. Access is, in other words, carried out through mediation/intervention of the Privacy Commission.
The request for intervention by the Privacy Commission has to be submitted in writing, be dated and contain at least name, first name, date of birth and nationality, as well as a copy of an identity card, passport or equivalent document.
After having received a request for indirect access, the Privacy Commission will contact the relevant service and carry out all the verifications it deems useful. These verifications may take some time. In principle, as prescribed by law, the Privacy Commission can only communicate that the necessary verifications were carried out, in order to protect the confidentiality of the investigation.
For your convenience the Privacy Commission has elaborated a model letter regarding indirect access in French and Dutch. You can use this model to request an intervention of the Privacy Commission. All you have to do is complete it with some information (grey areas).
If the controller does not respond to your request or refuses to provide information or if his answer is unsatisfactory, you can always appeal to the Privacy Commission, which will mediate in order to enforce compliance with your right of access.
Concretely, you have the right to obtain the following information from the controller:
- whether or not your personal data are being processed;
- the purpose for which those data are processed;
- the nature of the data;
- the origin of the data;
- the categories of the recipients to whom the data is supplied.
The controller also has to provide you with the data that are being processed in a comprehensible form.
It is sufficient that the data are communicated to you. Controllers can decide how they do this. They are not obliged to give you a copy of the processed data.
In order to exercise your right of access (which is free of charge) you need to submit your request to the controller. As a data subject you need to prove your identity, which means that it is recommended to attach a copy of your identity card to the request.
The request must meet certain formal requirements. The Privacy Act stipulates that the request has to be signed and dated and has to be sent by a means of telecommunication (for example a fax or an e-mail with an electronic signature), but it can also be delivered personally.
If these conditions have been met, the controller is obliged to communicate the requested and available information. The information has to be communicated at the latest within 45 days after having received the request.
The Privacy Commission has elaborated a model letter with regard to the right of access in French and Dutch. You only need to fill in some specific contact data, as well as indicating which information you wish to receive (grey zones).
If the controller does not respond to your request or refuses to provide information or if his answer is unsatisfactory, you can always appeal to the Privacy Commission, which will mediate to enforce compliance with your right of access.