Articles 13 to 22 of the United Kingdom General Data Protection Regulation (UKGDPR) afford data subjects rights over the data being processed by organisations. Catch22 will ensure that the rights of the data subjects whose data is processed by us are upheld appropriately and in accordance with the regulation and any associated legislation, including the Data Protection Act 2018.
Data subject rights
The GDPR provides the following rights for individuals:
The right to be informed:
Data subjects should be issued with a privacy notice that details what information is held about them.
The right of access (subject access):
Data subjects have the right to make a subject access request to see and have a copy of the information that is held about them by an organisation.
We have one calendar month to respond to a request.
The right to rectification:
Data subjects have the right to have inaccurate data corrected. If the data was correct previously and there is a requirement to retain it, then the record can be updated rather than overwritten.
The right to erasure:
Also known as the ‘right to be forgotten’, data subjects can ask for their data to be deleted. This only applies in specific circumstances.
The right to restrict processing:
Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances e.g. direct marketing.
When processing is restricted, we are permitted to store the personal data, but not use it and an individual can make a request for restriction verbally or in writing.
We have one calendar month to respond to a request.
The right to data portability:
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
The right only applies to information an individual has provided to a controller.
The right to object:
The UKGDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies we may be able to continue processing if we can show that we have a compelling reason for doing so.
We must tell individuals about their right to object. An individual can make an objection verbally or in writing. We have one calendar month to respond to an objection.
Rights in relation to automated decision making and profiling:
Automated individual decision-making is making a decision solely by automated means without any human involvement.
Profiling is automated processing of personal data to evaluate certain things about an individual. Profiling can be part of an automated decision-making process.
The UKGDPR applies to all automated individual decision-making and profiling (e.g. an online mortgage application), which can only be carried out where the decision is:
- necessary for the entry into or performance of a contract; or
- authorised by Union or Member state law applicable to the controller; or
- based on the individual’s explicit consent.
Any automated processing must give data subjects:
- information about the processing;
- simple ways for them to request human intervention or challenge a decision.
Scope
In order to determine how and when these rights can and should be applied, it is essential that all services processing personal data have established the legal basis for doing so and what condition for processing applies.
The first principle of UKGDPR requires that we process all personal data lawfully, fairly and in a transparent manner. Processing is only lawful if we have a lawful basis under Article 6. We must be able to demonstrate that a lawful basis applies otherwise our processing will be unlawful and in breach of the first principle.
Individuals also have the right to erase personal data which has been processed unlawfully.
The individual’s right to be informed under Articles 13 and 14 requires us to provide people with information about our lawful basis for processing. This information is provided to people in our privacy notices. The lawful basis for our processing can also affect which rights are available to individuals. For example, some rights will not apply:
| Condition for processing | Right to erasure | Right to portability | Right to object |
|---|---|---|---|
| Consent | Applicable | Applicable | Not applicable |
| Contract | Applicable | Applicable | Not applicable |
| Legal obligation | Not applicable | Not applicable | Not applicable |
| Vital interests | Applicable | Not applicable | Not applicable |
| Public tasks | Not applicable | Not applicable | Applicable |
| Legitimate interests | Applicable | Not applicable | Applicable |
However, irrespective of the condition for processing, everyone has the right to object to their information being used for direct marketing.
Guidance on the rights of data subjects is available on the Information Commissioner's website www.ico.org.uk, or you can contact Catch22’s data protection officers at dpo@catch-22.org.uk.
Definitions
For definitions please see the Data Protection: Over-arching Policy.
Related policies
- Data Protection Policy Suite
- ISO 27001 Policy Suite