for the performance of a task carried out in the public
interest or in the exercise of official authority vested
in the controller.
74. While the Convention does not specify from
whom a data subject may obtain confirmation, communication, rectification, and so on, or to whom to
object or express his or her views, in most cases, this
will be the controller, or the processor on his or her
behalf. In exceptional cases, the means to exercise
the rights to access, rectification and erasure may
involve the intermediary of the supervisory authority.
Concerning health data, rights may also be exercised
in a different manner than through direct access. They
may be exercised, for instance, with the assistance of
a health professional when it is in the interest of the
data subject, notably to help him/her understand the
data or ensure that the data subject’s psychological
state is appropriately considered when imparting
information – in line, of course, with deontological
principles.
75. Littera a. It is essential that an individual who
may be subject to a purely automated decision has
the right to challenge such a decision by putting forward, in a meaningful manner, his or her point of view
and arguments. In particular, the data subject should
have the opportunity to substantiate the possible
inaccuracy of the personal data before it is used, the
irrelevance of the profile to be applied to his or her
particular situation, or other factors that will have an
impact on the result of the automated decision. This
is notably the case where individuals are stigmatised
by application of algorithmic reasoning resulting in
limitation of a right or refusal of a social benefit or
where they see their credit capacity evaluated by a
software only. However, an individual cannot exercise
this right if the automated decision is authorised by a
law to which the controller is subject and which also
lays down suitable measures to safeguard the data
subject’s rights and freedoms and legitimate interests.
76. Littera b. Data subjects should be entitled to
know about the processing of their personal data. The
right of access should, in principle, be free of charge.
However, the wording of littera b. is intended to allow
the controller in certain specific conditions to charge
a reasonable fee where the requests are excessive and
to cover various approaches that could be adopted
by a Party for appropriate cases. Such a fee should
be exceptional and in any case reasonable, and not
prevent or dissuade data subjects from exercising
their rights. The controller or processor could also
refuse to respond to manifestly unfounded or excessive requests, in particular because of their repetitive
character. The controller should in all cases justify such
a refusal. To ensure a fair exercise of the right of access,
the communication “in an intelligible form” applies to
the content as well as to the form of a standardised
digital communication.
Page 24 ► Convention 108+
77. Littera c. Data subjects should be entitled to
know the reasoning underlying the processing of
data, including the consequences of such a reasoning,
which led to any resulting conclusions, in particular in
cases involving the use of algorithms for automateddecision making including profiling. For instance in
the case of credit scoring, they should be entitled to
know the logic underpinning the processing of their
data and resulting in a “yes” or ���no” decision, and not
simply information on the decision itself. Having an
understanding of these elements contributes to the
effective exercise of other essential safeguards such
as the right to object and the right to complain to a
competent authority.
78. Littera d. As regards the right to object, the controller may have a legitimate ground for data processing,
which overrides the interests or rights and freedoms
of the data subject. For example, the establishment,
exercise or defence of legal claims or reasons of public
safety could be considered as overriding legitimate
grounds justifying the continuation of the processing.
This will have to be demonstrated on a case-by-case
basis and failure to demonstrate such compelling legitimate grounds while pursuing the processing could be
considered as unlawful. The right to object operates in
a distinct and separate manner from the right to obtain
rectification or erasure (littera e.).
79. Objection to data processing for marketing purposes should lead to unconditional erasing or removing of the personal data covered by the objection.
80. The right to object may be limited by virtue of
a law, for example, for the purpose of the investigation or prosecution of criminal offences. In this case,
the data subject can, as the case may be, challenge
the lawfulness of the processing on which it is based.
When data processing is based on valid consent given
by the data subject, the right to withdraw consent
can be exercised instead of the right to object. A data
subject may withdraw his or her consent and subsequently have to assume the consequences possibly
deriving from other legal texts such as the obligation
to compensate the controller. Likewise where data
processing is based on a contract, the data subject
can take the necessary steps to revoke the contract.
81. Littera e. The rectification or erasure, if justified,
must be free of charge. In the case of rectifications
and erasures obtained in conformity with the principle
set out in littera e., those rectifications and erasures
should, where possible, be brought to the attention of
the recipients of the original information, unless this
proves to be impossible or involves disproportionate
efforts.
82. Littera g. aims at ensuring effective protection
of data subjects by providing them the right to an
assistance of a supervisory authority in exercising the
rights provided by the Convention. When the data