GDPR — Your Rights and How to Exercise Them
If you are located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, you have specific rights under the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, and the Swiss FADP. This page summarises those rights and the procedure to exercise them.
Article 15 — Right of access
You can request a copy of the personal data we hold about you, the purposes of processing, the categories of data, the recipients, the retention period, and the source of the data (if not collected from you).
Article 16 — Right to rectification
You can request that we correct inaccurate or incomplete personal data about you.
Article 17 — Right to erasure ("right to be forgotten")
You can request deletion of your personal data where the data is no longer necessary, you withdraw consent and no other legal basis applies, you object and there is no overriding legitimate ground, processing is unlawful, or erasure is required by law.
Article 18 — Right to restriction
You can request that we limit processing of your personal data where you contest accuracy, the processing is unlawful but you oppose erasure, we no longer need the data but you need it for legal claims, or you object pending verification of overriding grounds.
Article 19 — Notification obligation
Where we have shared your personal data with third parties (we typically don't), we will notify them of any rectification, erasure, or restriction made pursuant to your request, unless impossible or disproportionate.
Article 20 — Right to data portability
For personal data you provided to us that we process by automated means on the basis of consent or contract, you can request a copy in a structured, commonly used, machine-readable format, and ask us to transmit it directly to another controller.
Article 21 — Right to object
You can object at any time to processing based on legitimate interests. If you object, we will stop unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.
Article 22 — Automated decision-making
We do not make any solely automated decisions about you that produce legal or similarly significant effects. If we ever did, you would have the right to obtain human intervention, express your point of view, and contest the decision.
How to exercise your rights
Email peterdgarrido@proton.me with subject "Data Request — [right invoked]". Tell us which right you are exercising and what data the request relates to. Where reasonable doubt about your identity exists, we may ask for information sufficient to verify it (the minimum necessary).
Response time
We respond substantively within one month. The period may be extended by two further months for complex or numerous requests, with notice to you of the extension and the reasons within the first month.
Fees
Requests are free. We may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, in particular due to their repetitive character. Where we do so, the burden of demonstrating the manifestly unfounded or excessive character lies with us.
Right to lodge a complaint
You may lodge a complaint with the supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement. UK: ICO (ico.org.uk). Ireland: DPC (dataprotection.ie). Germany: BfDI (bfdi.bund.de) plus each Land. France: CNIL (cnil.fr). EU-wide list: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en.
Contact (Data Protection Officer / Controller)
peterdgarrido@proton.me.