RESPONSE PROCEDURES FOR DATA SUBJECT REQUESTS UNDER GDPR
1.1 Data subjects have certain rights in respect of their personal data. When we process personal data, we shall respect those rights. These procedures provide a framework for responding to requests to exercise those rights and it is our policy to ensure that these procedures are handled in accordance with applicable law.
1.2 “Personal data” is information that relates to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location or online identifier. It can also include pseudonymised data. “Processing” means any operation or set of operations that is performed on personal data, such as collection, use, storage, dissemination and destruction.
1.3 These procedures only apply to data subjects whose personal data we process.
2.1 Data subjects have the right to request access to their personal data processed by us. Such requests are called subject access requests (SARs). When an SAR is made we shall take the following steps:
2.2 If personal data of the data subject are being processed, we shall provide the data subject with the following information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in writing or by other (including electronic) means:
2.3 We shall, unless there is an exemption (see Paragraph 9), provide the data subject with a copy of the personal data processed by us in electronic form within one month of receipt of the request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two months. If we extend the period for responding we shall inform the data subject within one month of receipt of the request and explain the reason(s) for the delay.
2.4 Before providing the personal data to the data subject, we shall review the personal data requested to see if they contain the personal data of other data subjects. If they do, we may redact the personal data of those other data subjects prior to providing the personal data, unless those other data subjects have consented to the disclosure of their personal data.
2.5 If the SAR is manifestly unfounded or excessive, for example, because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of providing the personal data, or refuse to act on the request.
2.6 If we are not going to respond to the SAR we shall inform the data subject of the reason(s) for not taking action and of the possibility of lodging a complaint with the ICO.
3.1 Data subjects have the right to have their inaccurate personal data rectified. Rectification can include having incomplete personal data completed. Where such a request is made, we shall, unless there is an exemption (see Paragraph 9), rectify the personal data without undue delay.
3.2 We shall also communicate the rectification of the personal data to each recipient to whom the personal data have been disclosed (for example, our third-party service providers who process the data on our behalf), unless this is impossible or involves disproportionate effort. We shall also inform the data subject about those recipients if the data subject requests it.
4.1 Data subjects have the right, in certain circumstances, to request that we erase their personal data. Where such a request is made, we shall, unless there is an exemption (see Paragraph 9), erase the personal data without undue delay if:
4.2 When a data subject makes a request for erasure in the circumstances set out above, we shall, unless there is an exemption (see Paragraph 4.5 and Paragraph 9), take the following steps:
4.3 If the request is manifestly unfounded or excessive, because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of erasure, or refuse to act on the request.
4.4 If we are not going to respond to the request we shall inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with the ICO.
4.5 In addition to the exemptions in Paragraph 9, we can also refuse to erase the personal data to the extent processing is necessary:
5.1 Data subjects have the right, unless there is an exemption (see Paragraph 9), to restrict the processing of their personal data if:
5.2 Where processing has been restricted, we shall only process the personal data (excluding storing them):
5.3 Prior to lifting the restriction, we shall inform the data subject of the lifting of the restriction.
5.4 We shall communicate the restriction of processing of the personal data to each recipient to whom the personal data have been disclosed, unless this is impossible or involves disproportionate effort. We shall also inform the data subject about those recipients if the data subject requests it.
6.1 Data subjects have the right, in certain circumstances, to receive their personal data that they have provided to us in a structured, commonly used and machine-readable format that they can then transmit to another company. Where such a request is made, we shall, unless there is an exemption (see Paragraph 9), provide the personal data without undue delay if:
6.2 When a data subject makes a request for portability in the circumstances set out above, we shall take the following steps:
6.3 If the request is manifestly unfounded or excessive, for example, because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of providing or transmitting the personal data, or refuse to act on the request.
6.4 If we are not going to respond to the request we shall inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with the ICO.
7.1 Data subjects have the right to object to the processing of their personal data where such processing is on the basis of our legitimate interests which override the data subject’s interests or fundamental rights and freedoms, unless we either:
7.2 Data subjects also have the right to object to the processing of their personal data for scientific or historical research purposes, or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
7.3 Where such an objection is made, we shall, unless there is an exemption (see Paragraph 9), no longer process a data subject’s personal data.
7.4 Where personal data are processed for direct marketing purposes, data subjects have the right to object at any time to the processing of their personal data for such marketing. If a data subject makes such a request, we shall stop processing the personal data for such purposes.
8.1 Data subjects have the right, in certain circumstances, not to be subject to a decision based solely on the automated processing of their personal data, if such decision produces legal effects concerning them or similarly significantly affects them. Where such a request is made, we shall, unless there is an exemption (see Paragraph 9), no longer make such a decision unless it:
8.2 If the decision falls within Paragraph 8.1(a) or Paragraph 8.1(c), we shall implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, including the right to obtain human intervention, to express their point of view and to contest the decision.
9.1 Before responding to any request we shall check whether there are any exemptions that apply to the personal data that are the subject of the request. Exemptions may apply where it is necessary and proportionate not to comply with the requests described above to safeguard: