General Data Protection Regulations – Individual Rights

What rights do customers have under the GDPR?

1. The right to be informed

The right to be informed encompasses the need for transparency over how we use personal data and is referenced in our Privacy Policy.

2. The right of access

Under the GDPR, you have the right to obtain confirmation that their data is being processed and access to it, and other supplementary relevant information, largely in‐keeping with existing subject access rights under the DPA. However, the GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify that the processing is appropriate to consent.

3.  The right to rectification

You are entitled to have their personal data rectified if it is inaccurate or incomplete. If we have disclosed your personal data in question to third parties,  we will inform them of the rectification where possible. We will also inform you about the third parties to whom the data has been disclosed where appropriate. We will respond to requests to rectify personal data within one month. This can be extended by two months where the request for rectification is complex.

4. The right to erasure

Also known as ‘the right to be forgotten’ enables you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. However, this right does not provide you with an absolute ‘right to be forgotten’. You have a right to have personal data erased and to prevent processing in specific circumstances:

·  Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.

· When you withdraws consent.
· When you object to the processing and there is no overriding legitimate interest for continuing the processing.
· The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
· The personal data has to be erased in order to comply with a legal obligation.
· The personal data is processed in relation to the offer of information society services to a child.

We may refuse to deal with this type of request for any of the following reasons where continued processing is necessary:

·  to exercise the right of freedom of expression and information;
·  to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
·  for public health purposes in the public interest;
·  for archiving purposes in the public interest, scientific research historical research or statistical purposes; or the exercise or defence of legal claims.

Similar to the Right to Rectification, if we have disclosed the personal data in question to third parties we will must inform them about the erasure unless it is impossible or would be too difficult.

5. The right to restrict processing

When you request that processing is restricted we can continue to hold the personal data but we will not continue to process it. In order to ensure restriction of processing is respected we can retain enough data (suppressed list) to ensure the you are included in no further processing activity. We will restrict processing in the following circumstances:

· If accuracy of the personal data is contested we will restrict processing until accuracy is established.
·  Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether your organisation’s legitimate grounds override those of the individual.
· When processing is unlawful and the you oppose erasure and requests restriction instead.
· If  we no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.

6. The right to data portability

Allows you to obtain and reuse your personal data and to move and/or copy the data from one IT environment to another in a safe and secure way, without hindrance to usability. In short it obligates us to provide the you data we may hold on you to another business/organisation if requested to do so by the you. The right to data portability only applies:

·  to the personal data the individual who has provided it;
·  where the processing is based on the your consent or for the performance of a contract; and
·  when processing is carried out by automated means.

Compliance requires us to provide the personal data in a structured, commonly used and machine readable form and allows the extraction of specific elements. The information will be provided free of charge and, if the you requests it, we may look to  transmit the data directly to another organisation if this is technically feasible.

We will respond without undue delay, and within one month. This can be extended by two months where the request is complex or you receive a number of requests. Where you are refusing a request, we will explain why to you and inform you of your right to complain.

7. The right to object

Under the GDPR, you can object to:

·  processing  based  on  legitimate  interests  or  the  performance  of  a  task  in  the  public interest/exercise of official authority (including profiling);
·  direct marketing (including profiling);
·  and processing for purposes of scientific/historical research and statistics.

If we process personal data for the performance of a legal task or our organisation’s legitimate interests you must have an objection on “grounds relating to your particular situation”.

We will stop processing the personal data unless we can demonstrate compelling legitimate grounds which override the interests, rights and freedoms of an individual. Or where processing is for the establishment, exercise or defence of legal claims.

We will inform you of your right to object “at the point of first communication” and in our privacy statement. This will be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.

We will stop processing personal data for direct marketing purposes as soon as we receive an objection.

we will deal with an objection to processing for direct marketing at any time and free of charge. We will must inform you of your right to object “at the point of first communication” and in our privacy notice.

Go back to previous page