1.1. The GDPR (General Data Protection Regulation) creates some new Rights for Data Subjects as well as strengthening existing Rights. As a Data Controller, the Company must be in a position to comply with these Rights. This document provides guidance to follow when a Data Subject Request is received by the Company. Appendix 1 to this document provides pertinent information on the following GDPR Rights for individuals:
1.2. It is important that, should a member of the Company receive and identify a request meeting any of the above criteria, the procedure outlined in this document is carried out.
1.3. It is important to recognise that such requests may be made by current or past Clients or Employees, and may not follow a clear and standard format in which the Data Subject clearly sets out which Right they are requesting to be exercised. For example, they may simply say ‘I want to know what the Company is using my data for’ or ‘I want to see all emails about me in the Company system’.
1.4. When a request is recognised, it is important that the Company staff obtain some basic details about the request, such as the time frame, and whether the request is in relation to a particular property or time/activity. This will help the Company to provide timely and concise information prior to forwarding the request to the Data Protection Team for action.
1.5. It should be noted that Data Subjects can make such requests verbally (for example over the telephone), as well as by email or a posted request.
2.1. Company Compliance. This policy is to be read in conjunction with the Company ‘Data Protection Policy’.
2.2. Company Procedures. All staff have a responsibility to recognise a Data Subject Request, and to comply with the following:
Data Subject: An individual who is the subject of personal data, i.e. the person about whom particular personal data is held.

Personal Data: ‘Personal data’ means any information relating to an identified or identifiable person (‘data subject’). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

Legal Basis for Processing: Processing will only be lawful if at least one of the following applies:
Data Subjects have the Right to obtain:
Timelines. Right of access requests must be responded to within one calendar month.
Data Subjects are entitled to have their personal data rectified if it is inaccurate or incomplete. If the information in question has been disclosed to a third party, the Data Controller must inform them of the request for rectification where possible. Where appropriate, the Data Subject is also entitled to be informed of the third parties to whom the data has been disclosed.
Timelines. Rights to rectification must be responded to within one month.
This Right is also known as the ‘Right to be Forgotten’. It enables Data Subjects to request the deletion or removal of personal data where there is no compelling reason for its continued processing by the Data Controller.
The Right to Erasure applies in the following circumstances:
When this Right is exercised you are permitted to store the personal data but not further process it. Restricted information about the individual may be retained to ensure that the restriction is respected in the future.
The Right to Restrict Processing applies in the following circumstances:
This Right allows individuals to obtain and re-use their personal data for their own purposes across different services. It allows the individual to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, in a common data format, for example an Excel or CSV file.
The Right to Data Portability applies in the following circumstances:
Individuals have the Right to object to:
This Right provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
The Right not to be subject to a decision applies when:
It does not apply if the decision: