The focus of this guide is concerned with the Rights of individuals. The full list of Rights for Individuals that GDPR provides are:
Right to be Informed
Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR. To comply with GDPR, emPSN must:
Right of Access
GDPR provides individuals with the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing of their personal data.
Under GDPR, individuals will have the right to obtain:
For information to be Personal data, it must relate to a living individual and allow that individual to be identified from it (either on its own or along with other information likely to come into the organisation’s possession).
A request for access does not need to be made in any particular format, it simply needs to be made in writing, setting out sufficient information to enable us to deal with the request. emPSN provide a form on our website that details the information that would help us to comply with the request but we cannot insist on its use.
Information must be provided free of charge. However, a ‘reasonable fee’ can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive or asking for further copies of the same information. Any fee charged must be based upon the actual administrative cost of providing the information.
Information must be provided without delay and at the latest within one month of receipt.
We can extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we must inform the individual within one month of receipt of the request explaining why the extension is necessary.
Manifestly unfounded or excessive requests
Where requests are manifestly unfounded or excessive, particularly where they are repetitive, we can:
If we decide to refuse to respond to a request, we must explain to the individual why and inform them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the least within one month.
Providing the information
emPSN must verify the identity of the person making the request using ‘reasonable means’. If a third party is making the request on behalf of an individual we must be satisfied that they have the individual’s authority to do so.
If the request is made electronically, we should provide the information in a commonly used electronic format.
emPSN will explore with the individual the preferred format for provision of the requested information and will make efforts to comply with the individual’s request.
Requests for large amounts of personal data
Where the request is for a large amount of personal data, GDPR permits us to ask the individual to specify the information the request relates to. GDPR does not include an exemption for requests that relate to large amounts of data, but we may be able to consider whether the request is manifestly unfounded or excessive.
Right of Rectification
We can extend the time to respond by a further two months if the request is complex or we have received a number of requests from the individual. We must let the individual know without undue delay and within one month of receiving their request and explain why the extension is necessary.
Right to Erasure
When does the right to erasure apply?
Individuals have the right to have their personal data erased if:
When does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
For more information about special categories of data please see the ICO Guide to the GDPR.
Right to Restrict Processing
When does the right to restrict processing apply?
Individuals have the right to request that we restrict the processing of their personal data in the following circumstances:
Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:
Therefore, as a matter of good practice we should automatically restrict the processing whilst we are considering its accuracy or the legitimate grounds for processing the personal data in question.
We can refuse to comply with a request for restriction if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
Right to Data Portability
When does the right to data portability apply?
The right to data portability only applies:
Right to Object
Individuals have the right to object to:
Individuals can object online using our Contact Form.
Rights related to automated decision making including profiling
The GDPR has provisions on:
The GDPR applies to all automated individual decision-making and profiling.
ensure that individuals can:
We use your data in a number of ways.
If you request a quote for broadband connectivity or application services, we use your contact details to get the quote emailed or posted back to you. We pass your details to our trusted service provider(s) in order for them to process the information to get an accurate price. The data you provide may get passed on to third party organisations depending upon the services available in your area but will not be kept for longer than necessary. Quotations are valid for 30 days from the date of issue and for those where no order is forthcoming they will be closed after the validity period expires.
For contractual reasons
In order to fulfil the contract we have with your school or organisation, we require specific contact information to enable us to update you on any technical, administrative or financial matters relating to your contract. These details are stored securely on our CRM system. Your details are shared only with the supplier(s) who provide your services, so that they can access your site to carry out installation and checks. It is your responsibility to ensure that we have the most up to date contact information, so please contact us if anything changes.
For customer data relating to quotations and orders we have the lawful right to process where:-
We will ensure that personal data is collected and processed in accordance with Article 5 of the GDPR.
We issue a customer bulletin to contacts who have signed up to receive marketing communications. We will only email these to you if you have specifically opted in to receive the customer bulletin. You can unsubscribe at any time.
Data Processor Notification
The GDPR imposes specific obligations on Controllers and Processors of Personal Data. The GDPR requires Controllers and Processors to enter into contracts containing specific provisions relating to the protection of the Personal Data processed. A significant change introduced by the GDPR is the requirement to ensure that contracts with “data processors” include certain minimum terms.
You can read our data processor notification online.
As well as fulfilling our responsibilities as an organisation, it is also important to remember that you, as the Data Controller, are responsible for your own data and must inform us if it changes.
If you don’t, you could miss out on important information relating to your contract and services with us.
You can let us know of any changes to your contact details or organisational changes by contacting us.