Under the GDPR, you have the right to obtain confirmation that their data is being processed and access to it, and other supplementary relevant information, largely in‐keeping with existing subject access rights under the DPA. However, the GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify that the processing is appropriate to consent.
You are entitled to have their personal data rectified if it is inaccurate or incomplete. If we have disclosed your personal data in question to third parties, we will inform them of the rectification where possible. We will also inform you about the third parties to whom the data has been disclosed where appropriate. We will respond to requests to rectify personal data within one month. This can be extended by two months where the request for rectification is complex.
Also known as ‘the right to be forgotten’ enables you to request the deletion or removal of personal data where there is no compelling reason for its continued processing. However, this right does not provide you with an absolute ‘right to be forgotten’. You have a right to have personal data erased and to prevent processing in specific circumstances:
· Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
· When you withdraws consent.
· When you object to the processing and there is no overriding legitimate interest for continuing the processing.
· The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
· The personal data has to be erased in order to comply with a legal obligation.
· The personal data is processed in relation to the offer of information society services to a child.
We may refuse to deal with this type of request for any of the following reasons where continued processing is necessary:
· to exercise the right of freedom of expression and information;
· to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
· for public health purposes in the public interest;
· for archiving purposes in the public interest, scientific research historical research or statistical purposes; or the exercise or defence of legal claims.
Similar to the Right to Rectification, if we have disclosed the personal data in question to third parties we will must inform them about the erasure unless it is impossible or would be too difficult.
When you request that processing is restricted we can continue to hold the personal data but we will not continue to process it. In order to ensure restriction of processing is respected we can retain enough data (suppressed list) to ensure the you are included in no further processing activity. We will restrict processing in the following circumstances:
· If accuracy of the personal data is contested we will restrict processing until accuracy is established.
· Where you have objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether your organisation’s legitimate grounds override those of the individual.
· When processing is unlawful and the you oppose erasure and requests restriction instead.
· If we no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim.
Allows you to obtain and reuse your personal data and to move and/or copy the data from one IT environment to another in a safe and secure way, without hindrance to usability. In short it obligates us to provide the you data we may hold on you to another business/organisation if requested to do so by the you. The right to data portability only applies:
· to the personal data the individual who has provided it;
· where the processing is based on the your consent or for the performance of a contract; and
· when processing is carried out by automated means.
Compliance requires us to provide the personal data in a structured, commonly used and machine readable form and allows the extraction of specific elements. The information will be provided free of charge and, if the you requests it, we may look to transmit the data directly to another organisation if this is technically feasible.
We will respond without undue delay, and within one month. This can be extended by two months where the request is complex or you receive a number of requests. Where you are refusing a request, we will explain why to you and inform you of your right to complain.
Under the GDPR, you can object to:
· processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
· direct marketing (including profiling);
· and processing for purposes of scientific/historical research and statistics.
If we process personal data for the performance of a legal task or our organisation’s legitimate interests you must have an objection on “grounds relating to your particular situation”.
We will stop processing the personal data unless we can demonstrate compelling legitimate grounds which override the interests, rights and freedoms of an individual. Or where processing is for the establishment, exercise or defence of legal claims.
We will inform you of your right to object “at the point of first communication” and in our privacy statement. This will be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
We will stop processing personal data for direct marketing purposes as soon as we receive an objection.
we will deal with an objection to processing for direct marketing at any time and free of charge. We will must inform you of your right to object “at the point of first communication” and in our privacy notice.