Rights of data subjects



Rights of data subjects

GDPR has enforced existing rights of data subjects, whose data are being processed, and has presented new rights as well. The data subject has the following rights:

  • right to be informed
  • right of access by the data subject
  • right to rectification
  • right to erasure ("right to be forgotten")
  • right of restriction of processing
  • right of data accuracy
  • right to raise objection
  • rights related to automated decision making including profiling

where to apply rights of data subjects

A responsible person - Data Protection Officer (hereinafter only DPO) shall deal with requests on exercising rights of data subjects in cooperation with respective specialized units of USSK, except for reporting changes of personal data of the employees by means of Annex No. 7 to Guideline 0203 (USM/0203) - Announcement of changes in personal data of an employee, which fall under competences of unit Director HR. It is also possible to hand in the form at the Employee Center.

DPO answers the requests of data subjects in the same way, as the request has been filed by data subject (orally, in writing, electronically - if the request contains qualified electronic signature), unless the data subject asks otherwise. Oral information providing may be conditioned by proving identity of the data subject. If DPO has any reasonable doubts about the identity of a natural person filing the request, DPO may ask for additional information for purposes of identity confirmation and they must deal with the request in a way, that no other person has access to protected data.

DPO is obliged to deal with the requests of data subjects immediately, one month from receipt of the request at the latest. If needed, this term may be prolonged (even repeatedly) by 2 additional months, and the complexity and number of requests shall be taken into consideration. DPO informs the data subject about each prolongation of the term, at the latest in one month since the receipt of the request, together with reasons of term default.

If the controller doesn't take measures based on data subject's request, DPO shall immediately, one month from the delivery of the request at the latest, inform data subject about reasons of non-acting and about the possibility to file a complaint with The Office and to claim damages.

DPO may refuse to act based on the request of data subject, when exercising their rights, if and only if, DPO gives proof of not being able to identify the data subject.

DPO leads a register of filed and arranged requests of data subjects. Changes in personal data, which are executed by the unit Director HR based on Annex. No. 7 to Guideline 0203 (USM/0203) - Announcement of changes in personal data of an employee, are not recorded in the register.


If exercise of the rights of data subject has impact on processing of personal data, both by controller or processor, DPO is obliged to inform both controller and processor about exercising this right.


More information in Guideline 0192 (USM/0192) personal data protection.

p e r s o n a l  d a t a  p r o t e c t i o n



Data protection officer:
Personal Data Protection Manager

  +421 918 321 550

Law Department:
Compliance & regulatory affairs manager

  +421 917 704 197

Cybersecurity team information architect

  +421 904 704 223

Team Manager Access Control and Security Systems

   +421 904 704 680

Privacy policy settings

We use cookies so that we can provide you with the best user experience possible. More info...