GDPR – YOUR RIGHTS

Posted 6 months ago by

RIGHT OF INFORMATION AND ACCESS

Data subjects have the right to know if their data is being processed as well as its location. They should have access to their personal data and the following information:

(a) The purposes of processing;

(b) The categories of personal data concerned;

(c) The recipients, or categories of recipients, to whom the personal data have been, or will be disclosed, including recipients in third countries or international organisations;

(d) Where possible the length of time that the personal data will be stored, or the criteria used to determine that period;

(e) The existence of the right of the Data Subject to request rectification or erasure of personal data as well as the right to restrict or object to processing of data;

(f) The right to lodge a complaint with the supervisory authority;

(g) Information about the source of any data which has not been supplied by the Data Subject;

(h) The existence of automated decision-making, including profiling, the logic involved and any consequences for the data subject; and

(i) Where personal data is transferred to a third country or international organisation, details of any safeguards in place.

The data controller must provide a copy of the personal data being processed free of charge; reasonable charges can be made for any further copies requested.

RIGHT TO RECTIFICATION

Data subjects have the right to obtain, without undue delay, the rectification of inaccurate personal data concerning him or her from the Data Controller. Subject to the purposes for processing, the data subject has the right to have incomplete data completed, including by means of providing a supplementary statement.

RIGHT TO ERASURE (‘RIGHT TO BE FORGOTTEN’)

Data Subjects have the right to request that the data controller erases personal data concerning him or her without undue delay and the controller is obliged to erase that data where one of the following grounds applies:

(a) The personal data is no longer necessary in relation to the purposes for which it was collected or processed;

(b) The data subject withdraws the consent upon which the processing is based and there is no other legal ground for processing;

(c) The data subject objects to the processing and there are no overriding legitimate grounds for processing;

(d) The personal data has been unlawfully processed;

(e) The personal data has to be erased for compliance with a legal obligation; or

(f) The personal data has been collected in relation to the offering of information society services, Article 8.1.

Where the Data Controller has made the personal data public, and is obliged to erase it, the data controller, taking account of available technology and the cost of implementation, must take reasonable steps to inform data controllers processing the personal data that the data subject has requested erasure.

Personal data does not have to be erased where processing is necessary:

(a) For exercising the right of freedom of expression and information;

(b) For compliance with a legal obligation;

(c) For reasons of public interest in the area of public health Article 9.2 (h) and (i) and Article 9.3;

(d) For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89.1; or

(e) For the establishment, exercise or defence of legal claims.

RIGHT TO RESTRICTION OF PROCESSING

Data subjects have the right to restrict a Data Controller’s processing of their personal data where:

(a) The accuracy of the personal data is contested by the data subject. Processing can be restricted until the Data Controller has verified the accuracy of the personal data;

(b) The processing is unlawful but the data subject opposes erasure and requests restriction instead;

(c) The Data Controller no longer needs to process the personal data but the data is required by the data subject for the establishment, exercise or defence of legal claims; or

(d) The data subject has objected to processing pursuant to Article 21.1, pending verification whether the legitimate grounds of the controller override those of the data subject.

RIGHT TO PORTABILITY

Data subjects have the right to receive their personal data (where they have provided it to the Data Controller), in a structured, commonly used and machine-readable format and to have the data transmitted to another data controller without hindrance, where:

(a) Processing is based on consent; and

(b) Processing is carried out by automated means.

This right is dependent on the transfer between the Data Controllers being technically feasible. The right will not apply to processing necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller. This right cannot be exercised if it will adversely affect the rights and freedoms of others.

RIGHT TO OBJECT

Data subjects have the right to object (on grounds relating to his/her situation) at any time to processing of their personal data which is based on:

• Necessity for the performance of a task carried out in the public interest, or in exercise of official authority vested in the Data Controller (Article 6.1.e); or

• Necessity for the purposes of legitimate interests pursued by the data controller or other third party, except where this overrides the interests and fundamental freedoms of the data subject (Article 6.1.f).

The Data Controller will have to stop processing the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. If personal data is processed for direct marketing purposes, data subjects can object at any time to the processing which includes profiling that is related to the direct marketing. Where the data subject does object, the personal data can no longer be processed for these purposes. The right to object must be brought to the data subject’s attention at the first time of communication with the data subject and should be presented clearly and separately from any other information. For online services there should be an automated method to register objection.

AUTOMATED PROCESSING AND PROFILING

1. Data subjects have the right to not be subjected to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, or significantly affects him or her.

2. This right will not apply if the decision:

(a) Is necessary for entering into, or performance of, a contract between the data subject and the Data Controller;

(b) Is authorised by Union or Member State law; or

(c) Is based on the data subject’s explicit consent.

3. The Data Controller must implement suitable measures to safeguard the data subject’s rights, freedoms and legitimate interests, or at least the right to obtain human intervention and contest the decision.

4. Decisions referred to in paragraph 2 must not be based on special categories of data (unless the exceptions in Article 9.2 apply).
