Note – As the applicability of many of these rights are dependent on the designation of the entity (whether it is a Data controller or a Data processor), the following rights are listed in general and are not intended to indicate whether they are exercisable by us in all cases.
The right of access
Data controllers, must provide you with:
- confirmation that your data is being processed and why.
- access to your personal data.
- other supplementary information as detailed in data privacy regulations.
This information is provided by way of a Data Subsect Access Request (DSAR).
In most cases, no charge is made for this service.
If an exemption or restriction applies, or if the request is manifestly unfounded or excessive, this right may be refused partially or in whole.
The right to rectification
You can ask a Data controller to correct any personal information it holds about you to ensure it is accurate.
The right to erasure (sometimes referred to as the right to be forgotten)
Under certain circumstances, you have the right to ask that your personal data is erased where:
- It is no longer necessary in relation to the purpose for which it was collected or is being processed;
- you withdraw your consent or object to the processing and there is no other legal ground to continue processing;
- you object to the processing and there are no overriding legitimate grounds for the processing;
- it was unlawfully processed or should be erased to comply with a legal obligation;
- you object to the processing and your personal data was processed for direct marketing purposes; or
- it is processed in relation to the offer of information society services to a child.
A Data controller can refuse to erase your personal data where it is processed:
- to comply with a legal obligation or for the performance of a task of public interest;
- for the exercise or defence of legal claims; or
- for purposes relating to public health, archiving in the public interest, scientific/historic research or statistics.
If your data has been disclosed to a third party, the Data controller will ask them to erase that data, unless this proves impossible or involves disproportionate effort. You may ask who those third parties are, and the Data controller should inform you accordingly.
The right to restrict processing
You have the right to restrict the processing of personal data held by the Data controller or one of its processors where:
- you contest its accuracy;
- you have objected to the processing and the Data controller is considering whether they have a legitimate ground which overrides this;
- processing is unlawful; or
- the Data controller no longer needs the data, but you require it to establish, exercise or defend a legal claim.
The right to data portability
This right allows individuals the way of moving, copying or transferring personal data from one processing environment to another in a safe and secure way, and in a structured, commonly used and machine-readable format. This enables you to obtain and reuse your personal data across different services.
The right to data portability only applies:
- to personal data that an individual has personally provided to the Data controller;
- where the lawful basis of the processing is based on “consent” or “the performance of a contract” (only consent for special category data); and
- where processing is carried by automated means.
The right to object
You have the right to object to processing of your personal data in certain circumstances and have an absolute right to stop your data being used for direct marketing.
You can also object if the processing is for:
- a task carried out in the public interest;
- the exercise of official authority vested in the Data controller; or
- the Legitimate Interests of the Data controller or that of a third party.
However, in these circumstances the right to object is not absolute and you must give specific reasons why you are objecting to the processing of your data.
Please note that a Data controller would be able to continue processing your personal data if:
- It can demonstrate compelling legitimate grounds for the processing, which override the interests, rights, and freedoms of the individual; or
- where the processing is for the establishment, exercise, or defence of legal claims.
Rights relating to automated decision making and profiling
Automated decision making and profiling takes place when an electronic system uses personal information to make decisions. This may be with or without human intervention. You have the right to request not to be subject to a decision made solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. However, this right does not apply where the decision is:
- necessary for entering into, or the performance of a contract between you and the Data controller, such as entering into a contract of insurance;
- is authorised by domestic or EU law;
- is based on your explicit consent; or
Please note that whilst you can request exercising of these rights, some may not be exercisable as they can depend on why we are processing that data or what other purposes we may have to process it. In some circumstances, another law or regulation may override the UK or EU GDPR. More information can be found [HERE].
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, a reasonable fee may be charged if your request is clearly unfounded, repetitive, or excessive, or may be refused in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several consecutive requests. In this case, we will notify you of this before the one-month period.
If you wish to request exercise any of the rights set out above, and where we are the data controller for your data, please email us at firstname.lastname@example.org.
If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (https://ico.org.uk/). We would be grateful if you Contact Us first if you do have a complaint as we would welcome the opportunity to try and resolve this for you.