GDPR data subject rights

Transcription

1 data subject rights Date: February 2018 Author: Information compliance team (EP) Version: 0.1 (draft, awaiting final version of Data Protection Bill) Classification: Open gives people certain rights in relation to our handling of their personal data. The following two tables set out these rights, and how and when they apply. General principles relating to the manner in which the University must communicate and uphold these rights can be found in 12 of the, summarised below: Communications with data subjects must be concise, transparent, intelligible and in an easily accessible format, using clear and plain language. Information should be provided in writing, including by electronic means. If we provide information orally, we must be able to verify the identity of the data subject. We can refuse to facilitate people s data protection rights if we cannot verify their identity. We can request additional information to allow us to confirm identity. We cannot usually charge for the provision of any information, communications or actions taken to facilitate the exercising of rights. Exceptions to this rule are explained in 12. For s 15-22, we must inform people of the action we ve taken on their request without delay, and usually within one month. Exceptions to this rule are explained in 12. Information should be provided by electronic means where possible, unless otherwise requested by the data subject. 1

2 Rights based on the lawful basis for data processing We must identify the correct lawful basis for all processing of personal data undertaken by the University. The lawful basis will in some cases affect the rights that apply. Use the following table if you already know the lawful basis for your processing activity. Note the lawful basis should be made clear to the data subject by way of a privacy notice. Art. 13 & 14 Art. 15 Art. 16 Art. 17 Art. 18 Art. 20 Art. 21 Art. 22 Lawful basis (non-special category data only) be informed Right of access rectification erasure restrict processing data portability object Rights in relation to automated decision making and profiling Consent * Contract Legal obligation Vital interests Public task ** Legitimate interests * But data subject can withdraw consent ** Unless data are processed for scientific or historical research purposes or statistical purposes 2

3 General information on rights Right (links to Information to be provided where personal data are collected from the data subject And Information to be provided where personal data have not been obtained from the data subject See also UEA s own guidance on writing a privacy notice. 13 And 14 If you plan to collect any information about identifiable living individuals, whether directly or indirectly, you must comply with their rights to be told how their personal data will be used. When the data subject already has the information. Additionally, we are not required to issue a privacy notice when data has been obtained from another source, and the requirement to collect data is expressly set out in law, or there is an obligation of professional secrecy, or Provision of the information would be impossible or would involve a disproportionate effort ( 14 and Recital 62). This may be particularly applicable where data is being used for research purposes. Provide data subjects with a range of information about how their information will be used usually by means of a written privacy notice. s 13 & 14 describe the information to be provided. Writing a Privacy Notice ; Privacy Notice Review Checklist ; Privacy Notice (for information compliance team, draft only) Right of access by the data subject 15 Rights can be exercised by anyone whose personal data is held by UEA. However, we must not retain personal data for the We are not required to provide information that would adversely affect the rights and freedoms of others, including On request, to provide access to, and a copy of, personal data held by UEA. Also, requesters are entitled to receive Subject Access Request guidance for staff (requires 3

4 sole purpose of being able to react to potential requests disclosure of trade secrets or intellectual property. information about the processing of their data, equivalent to that required by s 13 & 14. Where possible, UEA should provide remote access to a secure system which would provide the data subject with direct access to their data. updating for ); SAR Procedures (information compliance team only) rectification 16 Applies in all cases Individuals have the right to require UEA to correct, without undue delay, inaccurate personal data we hold about them. Taking into account the purposes of the processing, people also have the right to have incomplete personal data completed, including by means of providing a supplementary statement. erasure ('right to be forgotten') 17 When: the personal data is no longer necessary in relation to the purposes for which it was collected /processed This right does not apply when there is a need to process the data: for exercising the right of freedom of expression and information Erase personal data to which this right applies without undue delay. Where this right applies and where we have made the data public, we must also take 4

5 the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing (relevant in particular where the data subject has given his or her consent as a child and later wants to remove such personal data, especially on the internet) the data subject objects to the processing (in line with Art.21 rights) and there are no overriding legitimate grounds for the processing the data has been unlawfully processed the data has to be erased for compliance with a legal obligation the data was collected in relation to the offer of information society services to a child to comply with a legal obligation for the performance of a task carried out in the public interest or in the exercise of official authority vested in UEA for reasons of public interest in the area of public health for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right to be forgotten would be likely to render impossible or seriously impair the achievement of the objectives of that processing for the establishment, exercise or defence of legal claims reasonable steps, including technical measures, to inform other controllers processing the data that the data subject has requested the erasure of any links to, or copy or replication of, those data (taking account of available technology and the cost of implementation). restriction of processing 18 When the data subject contests the accuracy of personal data held about No other restrictions stated. Where this right applies, UEA must restrict processing of an individual s personal data. 5

6 them by UEA (for a period enabling UEA to verify the accuracy of the personal data). When the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead. When UEA no longer needs the personal data for the purposes of the processing, but data is required by the data subject for the establishment, exercise or defence of legal claims. When the data subject has objected to processing (see 21), pending the verification whether the legitimate grounds of the controller override those of the data subject. E.g., by temporarily moving the selected data to another processing system, making the data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system. Where processing has been restricted, with the exception of storage, it must only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of 6

7 another person or for reasons of important public interest. We need to inform the data subject before the restriction of processing is lifted. Notification obligation regarding rectification or erasure of personal data or restriction of processing 19 See s 16, 17 & 18. See s 16, 17 & 18. UEA must communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with s 16, 17(1), 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We must inform the data subject about those recipients if the data subject requests it. data portability 20 When the processing of personal data that has been provided by the data subject is based on consent or contract, and is carried out by automated means. The right does not apply to processing necessary for the performance of a task carried out in the public interest, or in the exercise of any official authority vested in UEA. It does not apply where processing is based on a legal Where this right applies, the data subject has the right to receive their personal data, which they have provided to UEA, in a structured, commonly used and machine-readable format and have the right to transmit those data to another 7

8 ground other than consent or contract. Exercising of this right must not adversely affect the rights and freedoms of others. controller without hindrance from UEA. The data subject also has the right to have their personal data transmitted directly from one controller to another, where technically feasible. We are not required to adopt or maintain processing systems which are technically compatible with other controllers systems. object 21 Individuals have the right to object, on grounds relating to their particular situation, at any time to processing of their personal data which is based on point (e) or (f) of 6(1), including profiling based on those provisions. People have the right to object at any time to processing of their personal data for direct marketing, which includes profiling to the extent that it is related to direct marketing. No other restrictions stated. UEA must no longer process the affected personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. If a person objects to processing of their data for direct marketing purposes, we must stop processing their data for these purposes. 8

9 At the latest at the time of UEA s first communication with the data subject, the above rights must be explicitly brought to the attention of the data subject and presented clearly and separately from any other information. Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to their particular situation, has the right to object to processing of their personal data, unless the processing is necessary for the performance of a task carried out for reasons of public interest. Automated individual decisionmaking, including profiling 22 No restrictions, other than those described under When does it not apply? The right does not apply when the processing is necessary for: entering into, or performance of, a contract between the data subject and a data controller compliance with UK law, which also safeguards the data subject's rights and Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. 9

10 freedoms and legitimate interests Or is with the data subject's explicit consent. Nonetheless, UEA must still implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of UEA, to express their point of view and to contest any decision made in this way. The decisions made in the above ways should not involve special category data unless a lawful basis applies and safeguarding measures are in place. 10