This guide focuses on the rights of individuals. The full list of rights that the GDPR provides to individuals is:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Right to be Informed
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. To comply with GDPR, emPSN must:
- Provide individuals with information including: our purpose for processing their personal data, our retention periods for that personal data, and who it will be shared with. This is called ‘privacy information’.
- Provide privacy information to individuals at the time we collect their personal data from them.
- Provide individuals with privacy information within a reasonable period of obtaining the data, and no later than one month, if we obtain personal data from other sources.
- Regularly review, and where necessary, update our privacy information and bring any new uses of an individual’s personal data to their attention before we start the processing.
Right of Access
GDPR provides individuals with the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing of their personal data.
Under GDPR, individuals will have the right to obtain:
- Confirmation that their data is being processed;
- Access to their personal data; and
- Other supplementary information.
For information to be personal data, it must relate to a living individual and allow that individual to be identified from it (either on its own or together with other information likely to come into the organisation’s possession).
A request for access does not need to be made in any particular format; it can be made verbally or in writing and simply needs to set out sufficient information to enable us to deal with the request. emPSN provides a form on our website that details the information that would help us to comply with the request, but we cannot insist on its use.
Information must be provided free of charge. However, a ‘reasonable fee’ can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive or asks for further copies of the same information. Any fee charged must be based upon the actual administrative cost of providing the information.
Information must be provided without delay and at the latest within one month of receipt.
We can extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we must inform the individual within one month of receipt of the request, explaining why the extension is necessary.
Manifestly unfounded or excessive requests
Where requests are manifestly unfounded or excessive, particularly where they are repetitive, we can:
- Charge a reasonable fee, as described under ‘Right of Access’ above; or
- Refuse to respond.
If we decide to refuse to respond to a request, we must, without undue delay and at the latest within one month, explain to the individual why and inform them of their right to complain to the supervisory authority and to seek a judicial remedy.
Providing the information
emPSN must verify the identity of the person making the request using ‘reasonable means’. If a third party is making the request on behalf of an individual we must be satisfied that they have the individual’s authority to do so.
If the request is made electronically, we should provide the information in a commonly used electronic format.
emPSN will explore with the individual the preferred format for provision of the requested information and will make efforts to comply with the individual’s request.
Requests for large amounts of personal data
Where the request is for a large amount of personal data, GDPR permits us to ask the individual to specify the information the request relates to. GDPR does not include an exemption for requests that relate to large amounts of data, but we may be able to consider whether the request is manifestly unfounded or excessive.
Right to Rectification
- Under GDPR individuals have the right to have inaccurate personal data rectified or completed if it is incomplete.
- An individual can make a request for rectification verbally or in writing.
- We have one month to respond to a request.
- In certain circumstances we can refuse a request for rectification.
We can extend the time to respond by a further two months if the request is complex or we have received a number of requests from the individual. We must let the individual know without undue delay and within one month of receiving their request and explain why the extension is necessary.
Right to Erasure
- The GDPR introduces a right for individuals to have personal data erased.
- The right to erasure is also known as ‘the right to be forgotten’.
- Individuals can make a request for erasure verbally or in writing.
- We have one month to respond to a request.
- The right is not absolute and only applies in certain circumstances.
- This right is not the only way in which the GDPR places an obligation on us to consider whether to delete personal data.
When does the right to erasure apply?
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose for which we originally collected or processed it;
- we are relying on consent as our lawful basis for holding the data, and the individual withdraws their consent;
- we are relying on legitimate interests as our basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- we are processing the personal data for direct marketing purposes and the individual objects to that processing;
- we have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the first principle);
- we have to do it to comply with a legal obligation; or
- we have processed the personal data to offer information society services to a child.
When does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
- if the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).
For more information about special categories of data please see the ICO Guide to the GDPR.
Right to Restrict Processing
- Individuals have the right to request the restriction or suppression of their personal data.
- This is not an absolute right and only applies in certain circumstances.
- When processing is restricted, we are permitted to store the personal data, but not use it.
- An individual can make a request for restriction verbally or in writing.
- We have one calendar month to respond to a request.
When does the right to restrict processing apply?
Individuals have the right to request that we restrict the processing of their personal data in the following circumstances:
- the individual contests the accuracy of their personal data and we are verifying the accuracy of the data;
- the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the individual opposes erasure and requests restriction instead;
- we no longer need the personal data but the individual needs us to keep it in order to establish, exercise or defend a legal claim; or
- the individual has objected to us processing their data under Article 21(1), and we are considering whether our legitimate grounds override those of the individual.
Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:
- if an individual has challenged the accuracy of their data and asked for us to rectify it (Article 16), they also have a right to request that we restrict processing while we consider their rectification request; or
- if an individual exercises their right to object under Article 21(1), they also have a right to request we restrict processing while we consider their objection request.
Therefore, as a matter of good practice we should automatically restrict the processing whilst we are considering its accuracy or the legitimate grounds for processing the personal data in question.
We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
Right to Data Portability
- The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
- It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- Some organisations in the UK already offer data portability through the midata and similar initiatives which allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.
- It enables consumers to take advantage of applications and services which can use this data to find them a better deal or help them understand their spending habits.
When does the right to data portability apply?
The right to data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
Right to Object
Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
Individuals can object online using our Contact Form.
Rights related to automated decision making including profiling
The GDPR has provisions on:
- automated individual decision-making (making a decision solely by automated means without any human involvement); and
- profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
The GDPR applies to all automated individual decision-making and profiling. To comply, emPSN must:
- provide meaningful information about the logic involved in the decision-making process, as well as the significance and the envisaged consequences for the individual;
- use appropriate mathematical or statistical procedures;
- ensure that individuals can:
  - obtain human intervention;
  - express their point of view; and
  - obtain an explanation of the decision and challenge it;
- put appropriate technical and organisational measures in place, so that we can correct inaccuracies and minimise the risk of errors; and
- secure personal data in a way that is proportionate to the risk to the interests and rights of the individual, and that prevents discriminatory effects.