Data Subject Requests Procedure

Similar documents
Contract Services Europe

Privacy Policy Hafliger Films SpA

the processing of personal data relating to him or her.

Privacy Policy. In this data protection declaration, we use, inter alia, the following terms:

Privacy Policy CARGOWAYS Logistik & Transport GmbH

Privacy Policy. Data Controller - the entity that determines the purposes, conditions and means of the processing of personal data

GDPR data subject rights

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

Privacy Policy Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH Kühnreich & Meixner GmbH 1. Definitions

Rights of Individuals under the General Data Protection Regulation

GDPR Privacy Policy. The data protection policy of AlphaMed Press is based on the terms found in the GDPR.

What You Need to Know About Addressing GDPR Data Subject Rights in Pivot

Element Finance Solutions Ltd Data Protection Policy

Data Subject Access Request Form

General Data Protection Regulation (GDPR) Key Facts & FAQ s

Privacy Policy. 1. Definitions

Index Introduction... 3

Creative Funding Solutions Limited Data Protection Policy

Technical Requirements of the GDPR

In this data protection declaration, we use, inter alia, the following terms:

GDPR Privacy Policy & Cookie Policy DCHC May 2018

Part B of this Policy sets out the rights that all individuals have in relation to the collection and use of your personal information

Islam21c.com Data Protection and Privacy Policy

Privacy Policy Identity Games

Privacy Policy November 30th, 2017

Data Protection Policy

Information leaflet about processing of personal data (

Arkadin Data protection & privacy white paper. Version May 2018

CITY SECURITY MAGAZINE

Data Privacy Notice. Madsen Advisory Limited ("Madsen") is committed to protecting and respecting your privacy.

GDPR Data Protection Policy

In this data protection declaration, we use, inter alia, the following terms:

Data Privacy Policy. of Eisenmann Übersetzungsteam - Suzanne Eisenmann - translation team

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

In this data protection declaration, we use the following terms: a.) Personal data

COMPUTAMATRIX LIMITED T/A MATRICA Data Protection Policy September Table of Contents. 1. Scope, Purpose and Application to Employees 2

ŠKODA IRELAND Privacy Statement

Data Protection Policy

SOUTHFIELD SCHOOL PROCEDURE FOR RECEIVING AND RESPONDING TO SUBJECT ACCESS REQUESTS

About Mark Bullock & Company Chartered Surveyors

- GDPR (General Data Protection Regulation) is the new Data Protection Regulation of the European Union;

HOW TO EXERCISE YOUR DATA SUBJECT RIGHTS

About Us. Privacy Policy v1.3 Released 11/08/2017

ŠKODA IRELAND Privacy Statement

1. Right of access. Last Approval Date: May 2018

Identity of the controller: CHARVAT CTS a.s., ID No.: , with the registered office at Okrinek 53, Podebrady, Czech Republic, Postcode

GLOBAL DATA PROTECTION POLICY

Website Privacy Policy

ACCOUNTING TECHNICIANS IRELAND DATA PROTECTION POLICY GENERAL DATA PROTECTION REGULATION

Cellular Solutions and Services Limited and Cellular Solutions and Network Services Privacy Policy

Data Subject Access Request (SAR) Policy, Guidance and Template

Sketching for UX Designers Website & Newsletter Privacy Policy

It is the policy of DMNS Networks PTE LTD (the Company ) to protect the privacy of the users of our Website and Services.

GLOBAL DATA PROTECTION POLICY

d) Restriction of processing Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

INFORMATIVE NOTICE ON PERSONAL DATA PROCESSING

DATA PROTECTION POLICY THE HOLST GROUP

PRIVACY POLICY PRIVACY POLICY

Mayplace Primary School Subject Access Request Procedure

Data subject ( Customer or Data subject ): individual to whom personal data relates.

Privacy Policy. As of May 7, 2018

1.7 The Policy sets out the manner by which the University will respond to Subject Access Requests.

GDPR effects on Gift Aid. Presented by Keren Caird Business Development Gift Aid Manager Sue Ryder

Data protection is important to us

DATA PROTECTION POLICY

RVS HOTEL MANAGEMENT

Data Protection Policy

Rights of data subjects

RVC DATA PROTECTION POLICY

PRIVACY STATEMENT FOR DATA COLLECTED FOR DATA COLLECTED VIA ON-LINE SURVEYS

DATA PROTECTION A GUIDE FOR USERS

Made In Hackney Data Protection Policy Last Updated:

Link Exhibitions Privacy Policy

BELLISSIMA BEAUTY SALON PRIVACY NOTICE

Data Protection and Privacy Policy PORTOBAY GROUP Version I

POLICY. Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

Wonde may collect personal information directly from You when You:

Data Protection Privacy Notice

INFORMATION NOTE ON DATA PROCESSING

PRIVACY POLICY BACKGROUND:

PRIVACY NOTICE (TIER 4)

Act CXII of 2011 on the right to information self-determination and freedom of information. Act ;

Haaga-Helia University of Applied Sciences Privacy Notice for Urkund Plagiarism Detection Software

Staff and Recruitment Privacy Notice Your personal information

Smile IT Ltd Privacy Policy. Hello, we re Smile IT Ltd. We offer computer and network support to businesses and home computer users.

Using My Personal Data

Beam Suntory Privacy Policy WEBSITE PRIVACY NOTICE

This guide is for informational purposes only. Please do not treat it as a substitute of a professional legal

I. Name and Address of the Controller

Our Privacy Statement

PRIVACY POLICY. Introduction:

volcanic Better People Technology Setting up your website to help you achieve GDPR compliance

PRIVACY POLICY. What personal data we collect and why we collect it IN ORDER TO: (Date of last update: 1 st January 2019)

MBNL Landlord Privacy Notice. This notice sets out how we handle landlord personal data as part of our General Data Protection policies (GDPR).

POLICY. Art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016

PS Mailing Services Ltd Data Protection Policy May 2018

Privacy and Data Protection Policy

I. Name and Address of the Controller

British Handball Association: Privacy Policy

General Data Protection Regulation BT s amendments to the proposed Regulation on the protection of individuals with regard to the processing of

Transcription:

Subject Requests Procedure Subject Requests Procedures Issued By: Legal Effective Date: Review Date:.0

Contents 1. Introduction... 3 2. Purpose... 3 3. Responsibilities... 3 3.1 All Staff and Volunteers... 3 4. Procedure... 4 5. Associated documents and policies... 4 6. Definitions... 5 Appendix 1 - Rights of Subjects Appendix 2 - Subject Rights Flowchart Subjects Requests Procedure 2

Subject Requests Procedure 1. Introduction The GDPR (General Protection Regulation) creates some new Rights for Subjects as well as strengthening existing Rights. As a Controller, the RNLI must be able to comply with these Rights. The GDPR provides the following Rights for individuals: 1.1. Right of Access (Also known as a Subject Access Request) (Such requests must be dealt with within 1 calendar month) 1.2. Right to Rectification (Under GDPR must be dealt with without undue delay) 1.3. Right to Erasure (Under GDPR must be dealt with without undue delay) 1.4. Right to Restrict Processing 1.5. Right to Portability 1.6. Right to Object 1.7. Rights in Relation to Automatic Decision Making and Profiling Further information about each of the above Rights can be found in Appendix 1 of this procedure. It is important that should you receive and identify such a request against any of the above Rights that this procedure is followed. It is important to recognise that such requests may be made by current or past RNLI Volunteers, Staff or Supporters, and may not follow a clear and standard format where the Subject clearly sets out which Right they are requesting to be exercised. For example they may simply say I want to know what the RNLI is using my data for or I want to see all emails about me in the RNLI system. When a request is recognised it is important that you obtain some basic details about the request, such as the time frame, whether it is in relation to a particular event or time / activity as this can help to provide the correct information required in a timely manner before forwarding the request to the Protection Team for action. It should be noted that Subjects can make such requests verbally (for example over the telephone), as well as in an email or postal letter. 2. Purpose The purpose is to provide a procedure to follow when a Subject Request in relation to the above Rights is received by the RNLI. 3. Responsibilities 3.1 All Staff and Volunteers All staff and volunteers have a responsibility to recognise a request and to comply with the procedure as follows. Subjects Requests Procedure 3

4. Procedure 4.1 Appendix 2 presents the procedure in a visual way. 4.2 Where a request is received by staff or volunteers covering any of the GDPR Subject Rights (See Section 1 of this document) the request must be passed to the RNLI s Protection Team immediately. 4.3 The request must be forwarded to data_protection@rnli.org.uk. If the request was made over the phone then as much information as possible regarding what was requested must be typed into an email and sent to the Protection Team immediately. If the request is received in a postal letter, this can either be scanned and sent to the Protection Team by email, or the hardcopy taken to the Protection office immediately if you are Poole based. 4.4 The Protection Team will process the request accordingly and respond to the Subject in line with the legislation. They may ask for input and/or provision of data from teams across the RNLI in order to ensure they have fully complied with the request. Due to the time limits for complying, teams requested to assist should treat such requests as a priority. 4.5 If there is uncertaintity around whether it is a request please refer to the Protection Team for further advice. 5. Associated documents and policies This policy is to be read in conjunction with the related policies; Protection Policy Subjects Requests Procedure 4

6. Definitions Subject Personal GDPR Processing Legal Basis for Processing An individual who is the subject of personal data and whom particular personal data is about. Personal data means any information relating to an identified or identifiable person ( data subject ). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person; General Protection Regulation is a regulation by the European Parliament intended to strengthen and unify data protection for individuals. Obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including a. organisation, adaptation or alteration of the information or data, b. retrieval, consultation or use of the information or data, c. disclosure of the information or data by transmission, dissemination or otherwise making available, or d. alignment, combination, blocking, erasure or destruction of the information or data. Processing will only be lawful if at least one of the following applies: a. the data subject has given consent to the processing of their personal data for one or more specific purposes b. processing is necessary for the performance of a contract with the data subject or in order to take steps to enter a contract c. processing is necessary to comply with a legal obligation d. processing is necessary to protect the vital interests of the data subject e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller f. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the of the data subject Subjects Requests Procedure 5

Appendix 1 Rights of Subjects: Right of Access (Also known as a Subject Access Request) Subjects have the Right to obtain: Confirmation that their data is being processed Access to their personal data and Other supplementary information Right of access requests must be responded to within one month. Right to Rectification Subjects are entitled to have their personal data rectified if it is inaccurate or incomplete. If the information in question has been disclosed to a third party the Controller must inform them of the request for rectification where possible. The Subject is also entitled to be informed of the third parties to whom the data has been disclosed, where appropriate. Rights to rectification must be responded to within one month. Right to Erasure This Right is also known as the Right to be Forgotten. It enables Subjects to request the deletion or removal of personal data where there is no compelling reason for its continued processing by the Controller. The Right to Erasure applies in the following circumstances: The personal data is no longer necessary in relation to the purpose for which it was originally collected The processing was based on consent, and the Subject has now withdrawn their consent The Subject objects to processing and there is no overriding legitimate interest of the Controller The data was being unlawfully processed The data must be erased to comply with a legal obligation Right to Restrict Processing When this Right is exercised you are permitted to store the personal data but not further process it. Restricted information about the individual may be retained to ensure that the restriction is respected in the future. The Right to Restrict Processing applies in the following circumstances: When a Subject contests the accuracy of their personal data, then processing should be restricted to storage only until accuracy is verified When a Subject objects to processing which is being carried out for the reason of performance of a task in the public interest, or for the legitimate interests of the Controller, then the Controller must restrict processing to storage only whilst they consider whether their legitimate grounds override the Rights and freedoms of the individual. When processing is unlawful and a Subject opposes erause and requests restriction to storage insteas. When the Controller no longer needs the personal data but the Subject requires it for the purpose of a legal claim. Subjects Requests Procedure 6

Right to Portability This Right allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows the individual to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way in a common data format, for example, Excel or CSV file. The Right to Portability applies in the following circumstances: When the personal data was provided to the controller directly by the Subject Where the processing is based on consent or performance of a contract When processing is carried out by automated means Right to Object Individuals have the Right to object to: Processing based on legitimate interest or performance of a task in the public interest/exercise of official authority (including profiling) Direct marketing (including profiling) Processing for the purposes of scientific/historical research and statistics Rights in Relation to Automatic Decision Making and Profiling This Right provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. The Right not to be subject to a decision applies when: It is based on automated processing It produces legal/significant effects on the individual It does not apply if the decision: Is necessary for entering into or performance of a contract Is authorised by law Is based on explicit consent Does not have a legal/significant effect on the data subject Subjects Requests Procedure 7

Appendix 2: GDPR Subject Rights Flowchart Protection Team Internal Teams Protection Team Request received by anyone in the organisation Protection Team Work Instruction for Protection Team Consult Map Manager Steward IS Request DP Team for review Any action to take? Take action (Erase, Redact, Cease processing etc) NO Subject Response Recourse to Regulatory Authority Subjects Requests Procedure 8 Appeal to DPO if not happy with response

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback