Data Subjects Requests Policy

1. Introduction

1.1.        The GDPR (General Data Protection Regulation) creates some new Rights for Data Subjects as well as strengthening existing Rights.  As a Data Controller, the Company must be in a position to  comply with these Rights.  This document provides guidance to follow when a Data Subject Request  is received by the Company.  Appendix 1 to this document, provides pertinent information on the following GDPR Rights for individuals:

  1. ‘Right of Access’, or ‘Subject Access Request’.  Actioned within one calendar month.
  2. ‘Right to Rectification’ (Under GDPR must be dealt with without undue delay).
  3. ‘Right to Erasure’ (Under GDPR must be dealt with without undue delay).
  4. ‘Right to Restrict Processing’.
  5. ‘Right to Data Portability’.
  6. ‘Right to Object’.
  7. ‘Rights in Relation to Automatic Decision Making and Profiling’.

1.2.        It is important that should a member of the Company receive and identify a request meeting any of the above criteria that the procedure outlined in this document is carried out.

1.3.        It is important to recognise that such requests may be made by current or past Clients or Employees, and may not follow a clear and standard format where the Data Subject clearly sets out which Right they are requesting to be exercised.  For example they may simply say ‘I want to know what the Company is using my data for’ or ‘I want to see all emails about me in the Company system’.

1.4.        When a request is recognised, it is important that the Company staff obtain some basic details about the request, such as the time frame, and whether the request is in relation to a particular property or time/activity.  This will help the Company to provide timely and concise information prior to forwarding the request to the Data Protection Team for action.

1.5.        It should be noted that Data Subjects can make such requests verbally (for example over the telephone), as well as by email or a posted request.

Compliance and Procedure

2.1.        Company compliance.  This policy is to be read in conjunction with the Company ‘Data Protection Policy’.

2.2.        Company Procedures.    All staff have a responsibility to recognise a Data Subject Request, and to comply with the following:

  1. Where a request is received by staff covering any of the GDPR Data Subject Rights (See Section 1 of this document) the request must be passed to the Company’s Data Protection Team immediately.
  2. The request must be forwarded to: DPO@thepmp.co.uk.  If the request was made by telephone, as much information as possible regarding what was requested must be typed into an email and sent to the Data Protection Team immediately.  If the request is received in a postal letter, It must be scanned and sent to the Data Protection Team by email, or the original must be taken by hand to the Data Protection officer immediately.
  3. The Data Protection Team will process the request accordingly and respond to the Data Subject in line with the legislation. They may ask for input and/or provision of data from any department(s) throughout the Company in order to fulfil the request.  Time is of the essence, and so, all requests to staff/teams for assistance, is to be honoured as a priority.
  4. If there is uncertainty around whether it is a request please refer to the Data Protection Team for further advice..

Definitions

Data Subject

An individual who is the subject of personal data and whom particular personal data is about.

Personal
Data

‘Personal data’ means any information relating to an identified or identifiable person (‘data subject’).

An identifiable person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

Legal Basis
for
Processing

Processing will only be lawful if at least one of the following applies:

a.   The data subject has given consent to the processing of their personal data for one or more specific purposes.
b.   Processing is necessary for the performance of a contract with the data subject or in order to take steps to enter a contract.
c.   Processing is necessary to comply with a legal obligation.
d.   Processing is necessary to protect the vital interests of the data subject.
e.   Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
f.   Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the of the data subject.

Appendix 1 – Rights of Data Subjects

Right of Access (Also known as a Subject Access Request)

Data Subjects have the Right to obtain:

  • Confirmation that their data is being processed
  • Access to their personal data and
  • Other supplementary information

Timelines.  Right of access requests must be responded to within one calendar month.

Right to Rectification

Data Subjects are entitled to have their personal data rectified if it is inaccurate or incomplete.  If the information in question has been disclosed to a third party, the Data Controller must inform them of the request for rectification where possible. Where appropriate, the Data Subject is also entitled to be informed of the third parties to whom the data has been disclosed.

Timelines.  Rights to rectification must be responded to within one month.

Right to Erasure

This Right is also known as the ‘Right to be Forgotten’.  It enables Data Subjects to request the deletion or removal of personal data where there is no compelling reason for its continued processing by the Data Controller.

The Right to Erasure applies in the following circumstances:

  • The personal data no longer necessary in relation to the purpose for which it was collected
  • The processing was based on consent, and Data Subject has now withdrawn their Consent
  • The Data Subject objects to processing and there is no overriding legitimate interest
  • The data was being unlawfully processed
  • The data must be erased to comply with a legal obligation

Right to Restrict Processing

When this Right is exercised you are permitted to store the personal data but not further process it. Restricted information about the individual may be retained to ensure that the restriction is expected in the future.

The Right to Restrict Processing applies in the following circumstances:

  • When a Data Subject contests the accuracy of their personal data, then processing should be restricted to storage only until accuracy is verified
  • When a Data Subject objects to processing which is being carried out for the reason of performance of a task in the public interest, or for the legitimate interests of the Data Controller, then the Data Controller must restrict processing to storage only whilst they consider whether their legitimate grounds override the Rights and freedoms of the individual.
  • When processing is unlawful, and a Data Subject opposes erasure and requests restriction to storage instead.
  • When the Data Controller no longer needs the personal data but the Data Subject requires it for the purpose of a legal claim.

Right to Data Portability

This Right allows individuals to obtain and re-use their personal data for their own purposes across different services.  This Right allows the individual to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way in a common data format, for example, Excel or CSV file.

The Right to Data Portability applies in the following circumstances:

  • When the personal data was provided to the controller directly by the Data Subject
  • Where the processing is based on consent or performance of a contract
  • When processing is carried out by automated means

Right to Object

Individuals have the Right to object to:

  • Processing based on legitimate interest or performance of a task in the public interest/exercise of official authority (including profiling)
  • Direct marketing (including profiling)
  • Processing for the purposes of scientific/historical research and statistics

Rights in Relation to Automatic Decision Making and Profiling

This Right provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.

The Right not to be subject to a decision applies when:

  • It is based on automated processing
  • It produces legal/significant effects on the individual

It does not apply if the decision:

  • Is necessary for entering into or performance of a contract
  • Is authorised by law
  • Is based on explicit consent
  • Does not have a legal and/or significant effect on the data subject