GDPR data subject rights


Date: February 2018
Author: Information compliance team (EP)
Version: 0.1 (draft, awaiting final version of Data Protection Bill)
Classification: Open

The GDPR gives people certain rights in relation to our handling of their personal data. The following two tables set out these rights, and how and when they apply. General principles relating to the manner in which the University must communicate and uphold these rights can be found in Article 12 of the GDPR, summarised below:

- Communications with data subjects must be concise, transparent, intelligible and in an easily accessible format, using clear and plain language.
- Information should be provided in writing, including by electronic means. If we provide information orally, we must be able to verify the identity of the data subject.
- We can refuse to facilitate people's data protection rights if we cannot verify their identity. We can request additional information to allow us to confirm identity.
- We cannot usually charge for the provision of any information, communications or actions taken to facilitate the exercising of rights. Exceptions to this rule are explained in Article 12.
- For Articles 15-22, we must inform people of the action we've taken on their request without delay, and usually within one month. Exceptions to this rule are explained in Article 12.
- Information should be provided by electronic means where possible, unless otherwise requested by the data subject.

Rights based on the lawful basis for data processing

We must identify the correct lawful basis for all processing of personal data undertaken by the University. The lawful basis will in some cases affect the rights that apply. Use the following table if you already know the lawful basis for your processing activity. Note the lawful basis should be made clear to the data subject by way of a privacy notice.

Table columns (rights):
- Art. 13 & 14: Right to be informed
- Art. 15: Right of access
- Art. 16: Right to rectification
- Art. 17: Right to erasure
- Art. 18: Right to restrict processing
- Art. 20: Right to data portability
- Art. 21: Right to object
- Art. 22: Rights in relation to automated decision making and profiling

Table rows (lawful basis, non-special category data only):
- Consent *
- Contract
- Legal obligation
- Vital interests
- Public task **
- Legitimate interests

* But data subject can withdraw consent
** Unless data are processed for scientific or historical research purposes or statistical purposes

General information on rights

Information to be provided where personal data are collected from the data subject, and information to be provided where personal data have not been obtained from the data subject
See also UEA's own guidance on writing a privacy notice.
Article: 13 and 14
When does it apply? If you plan to collect any information about identifiable living individuals, whether directly or indirectly, you must comply with their rights to be told how their personal data will be used.
When does it not apply? When the data subject already has the information. Additionally, we are not required to issue a privacy notice when data has been obtained from another source, and:
- the requirement to collect data is expressly set out in law, or
- there is an obligation of professional secrecy, or
- provision of the information would be impossible or would involve a disproportionate effort (Article 14 and Recital 62). This may be particularly applicable where data is being used for research purposes.
What we must do: Provide data subjects with a range of information about how their information will be used, usually by means of a written privacy notice. Articles 13 & 14 describe the information to be provided.
Guidance: Writing a Privacy Notice; Privacy Notice Review Checklist; Privacy Notice (for information compliance team, draft only)

Right of access by the data subject
Article: 15
When does it apply? Rights can be exercised by anyone whose personal data is held by UEA. However, we must not retain personal data for the sole purpose of being able to react to potential requests.
When does it not apply? We are not required to provide information that would adversely affect the rights and freedoms of others, including disclosure of trade secrets or intellectual property.
What we must do: On request, to provide access to, and a copy of, personal data held by UEA. Also, requesters are entitled to receive information about the processing of their data, equivalent to that required by Articles 13 & 14. Where possible, UEA should provide remote access to a secure system which would provide the data subject with direct access to their data.
Guidance: Subject Access Request guidance for staff (requires updating for GDPR); SAR Procedures (information compliance team only)

Right to rectification
Article: 16
When does it apply? Applies in all cases.
What we must do: Individuals have the right to require UEA to correct, without undue delay, inaccurate personal data we hold about them. Taking into account the purposes of the processing, people also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure ('right to be forgotten')
Article: 17
When does it apply? When:
- the personal data is no longer necessary in relation to the purposes for which it was collected/processed
- the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing (relevant in particular where the data subject has given his or her consent as a child and later wants to remove such personal data, especially on the internet)
- the data subject objects to the processing (in line with Art. 21 rights) and there are no overriding legitimate grounds for the processing
- the data has been unlawfully processed
- the data has to be erased for compliance with a legal obligation
- the data was collected in relation to the offer of information society services to a child
When does it not apply? This right does not apply when there is a need to process the data:
- for exercising the right of freedom of expression and information
- to comply with a legal obligation
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in UEA
- for reasons of public interest in the area of public health
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where the right to be forgotten would be likely to render impossible or seriously impair the achievement of the objectives of that processing
- for the establishment, exercise or defence of legal claims
What we must do: Erase personal data to which this right applies without undue delay. Where this right applies and where we have made the data public, we must also take reasonable steps, including technical measures, to inform other controllers processing the data that the data subject has requested the erasure of any links to, or copy or replication of, those data (taking account of available technology and the cost of implementation).

Right to restriction of processing
Article: 18
When does it apply?
- When the data subject contests the accuracy of personal data held about them by UEA (for a period enabling UEA to verify the accuracy of the personal data).
- When the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead.
- When UEA no longer needs the personal data for the purposes of the processing, but data is required by the data subject for the establishment, exercise or defence of legal claims.
- When the data subject has objected to processing (see Article 21), pending the verification whether the legitimate grounds of the controller override those of the data subject.
When does it not apply? No other restrictions stated.
What we must do: Where this right applies, UEA must restrict processing of an individual's personal data. E.g., by temporarily moving the selected data to another processing system, making the data unavailable to users, or temporarily removing published data from a website. In automated filing systems, the restriction of processing should in principle be ensured by technical means in such a manner that the personal data are not subject to further processing operations and cannot be changed. The fact that the processing of personal data is restricted should be clearly indicated in the system. Where processing has been restricted, with the exception of storage, it must only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another person or for reasons of important public interest. We need to inform the data subject before the restriction of processing is lifted.

Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article: 19
When does it apply? See Articles 16, 17 & 18.
When does it not apply? See Articles 16, 17 & 18.
What we must do: UEA must communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Articles 16, 17(1), 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. We must inform the data subject about those recipients if the data subject requests it.

Right to data portability
Article: 20
When does it apply? When the processing of personal data that has been provided by the data subject is based on consent or contract, and is carried out by automated means.
When does it not apply? The right does not apply to processing necessary for the performance of a task carried out in the public interest, or in the exercise of any official authority vested in UEA. It does not apply where processing is based on a legal ground other than consent or contract. Exercising of this right must not adversely affect the rights and freedoms of others.
What we must do: Where this right applies, the data subject has the right to receive their personal data, which they have provided to UEA, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from UEA. The data subject also has the right to have their personal data transmitted directly from one controller to another, where technically feasible. We are not required to adopt or maintain processing systems which are technically compatible with other controllers' systems.

Right to object
Article: 21
When does it apply? Individuals have the right to object, on grounds relating to their particular situation, at any time to processing of their personal data which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. People have the right to object at any time to processing of their personal data for direct marketing, which includes profiling to the extent that it is related to direct marketing. At the latest at the time of UEA's first communication with the data subject, the above rights must be explicitly brought to the attention of the data subject and presented clearly and separately from any other information. Where personal data are processed for scientific or historical research purposes or statistical purposes, the data subject, on grounds relating to their particular situation, has the right to object to processing of their personal data, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
When does it not apply? No other restrictions stated.
What we must do: UEA must no longer process the affected personal data unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. If a person objects to processing of their data for direct marketing purposes, we must stop processing their data for these purposes.

Automated individual decision-making, including profiling
Article: 22
When does it apply? No restrictions, other than those described under "When does it not apply?"
When does it not apply? The right does not apply when the processing is necessary for:
- entering into, or performance of, a contract between the data subject and a data controller
- compliance with UK law, which also safeguards the data subject's rights and freedoms and legitimate interests
Or is with the data subject's explicit consent. Nonetheless, UEA must still implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of UEA, to express their point of view and to contest any decision made in this way. The decisions made in the above ways should not involve special category data unless a lawful basis applies and safeguarding measures are in place.
What we must do: Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.