The data subject has the right to:
a) except where otherwise provided by law, and at least in cases referred to in
Article 7 d) and e) to object at any time on compelling legitimate grounds
relating to his particular situation to the processing of data relating to him, and
where there is a justified objection, the processing effected by the controller may
no longer involve those data;
b) to object on request and free of charge to the processing of personal relating to
him which the controller anticipates being processed for the purposes of direct
marketing or any other form of research, or to be informed before personal data
are disclosed for the first time to third parties for the purposes of direct
marketing or for use on behalf of third parties, and to be expressly offered the
right to object free of charge to such disclosure or uses;
c) to object, without expense, that his personal data be communicated for the first
time to third parties for purposes provided for in b) above or to be used by third
parties.
Article 14
(Non-subjection to automated individual decisions)
1. Every person shall have the right not to be subject to a decision which produces
legal effects concerning him or significantly affects him and which is based
solely on automated processing of data intended to evaluate certain personal
aspects relating to him, in particular his performance at work, creditworthiness,
reliability or conduct.
2. Without prejudice to compliance with other provisions of this Law, a person
may be subject to a decision taken under 1 if that decision is taken in the course
of the entering into or performance of a contract, provided that the request for
the entering into or the performance of the contract has been satisfied, or that
there are suitable measures to safeguard his legitimate interests, particularly,
arrangements allowing him to put his point of view.
3. The taking of a decision under 1 may also be permitted when authorised by the
CNPD, which shall lay down measures to safeguard the data subject’s legitimate
interest.
Section III
Security and confidentiality of (data) processing
Article 15
(Security of processing)
1. The controller must implement appropriate technical and organisational
measures to protect personal data against accidental or unlawful destruction or
accidental loss, alteration, unauthorised disclosure or access, in particular when
the processing involves the transmission of data over a network, and against all
other unlawful forms of processing.