The right to be informed
- You have the right to be informed about the collection and use of your personal data. This is a key transparency requirement under the GDPR.
- We must provide you with information including our purposes for processing your personal data, our retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.
- We must provide privacy information to you at the time we collect your personal data from you.
- If we obtain personal data from other sources, we must provide you with privacy information within a reasonable period of obtaining the data and no later than one month.
- There are a few circumstances when we do not need to provide you with privacy information, such as if you already have the information or if it would involve a disproportionate effort to provide it to you.
- The information we provide to you must be concise, transparent, intelligible and easily accessible, and it must use clear and plain language.
- We must regularly review, and where necessary update, our privacy information. We must bring any new uses of your personal data to your attention before we start the processing.
The right of access
- You have the right to access your personal data and supplementary information.
- The right of access allows you to be aware of and verify the lawfulness of the processing.
What information are you entitled to under the GDPR?
Under the GDPR, you have the right to obtain:
- confirmation that your data is being processed;
- access to your personal data; and
- other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
What is the purpose of the right of access under GDPR?
The GDPR clarifies that the reason for allowing you to access your personal data is so that you are aware of and can verify the lawfulness of the processing.
Can I be charged a fee for submitting a subject access request?
We must provide a copy of the information free of charge. However, we can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
We may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that we can charge for all subsequent access requests.
The fee must be based on the administrative cost of providing the information.
How long do we have to comply?
Information must be provided without delay and at the latest within one month of receipt.
We can extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we must inform you within one month of receipt of the request and explain why the extension is necessary.
What if the request is manifestly unfounded or excessive?
Where requests are manifestly unfounded or excessive, in particular, because they are repetitive, we can:
- charge a reasonable fee taking into account the administrative costs of providing the information; or
- refuse to respond.
Where we refuse to respond to a request, we must explain why, without undue delay and at the latest within one month of receipt, and inform you of your right to complain to the supervisory authority and to seek a judicial remedy.
How should the information be provided?
We must verify the identity of the person making the request, using ‘reasonable means’.
If the request is made electronically, we should provide the information in a commonly used electronic format.
The right to obtain a copy of information or to access personal data through a remotely accessed secure system should not adversely affect the rights and freedoms of others.
What about requests for large amounts of personal data?
Where we process a large quantity of information about you, the GDPR permits us to ask you to specify the information the request relates to.
The GDPR does not include an exemption for requests that relate to large amounts of data, but we may be able to consider whether the request is manifestly unfounded or excessive.
The right to rectification
- The GDPR includes a right for you to have inaccurate personal data rectified, or completed if it is incomplete.
- You can make a request for rectification verbally or in writing.
- We have one calendar month to respond to a request.
- In certain circumstances, we can refuse a request for rectification.
- This right is closely linked to our obligations as controller under the accuracy principle of the GDPR (Article 5(1)(d)).
The right to erasure
- The GDPR introduces a right for you to have personal data erased.
- The right to erasure is also known as ‘the right to be forgotten’.
- You can make a request for erasure verbally or in writing.
- We have one calendar month to respond to a request.
- The right is not absolute and only applies in certain circumstances.
- This right is not the only way in which the GDPR places an obligation on us to consider whether to delete personal data.
The right to restrict processing
- You have the right to request the restriction or suppression of your personal data.
- This is not an absolute right and only applies in certain circumstances.
- When processing is restricted, we are permitted to store the personal data, but not use it.
- You can make a request for restriction verbally or in writing.
- We have one calendar month to respond to a request.
- This right has close links to the right to rectification (Article 16) and the right to object (Article 21).
The right to data portability
- The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.
- It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
- Doing this enables you to take advantage of applications and services that can use this data to find a better deal or help you understand your spending habits.
- The right only applies to personal data you have provided to us as controller.
The right to object
You have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling
- The GDPR has provisions on:
- automated individual decision-making (making a decision solely by automated means without any human involvement); and
- profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
- The GDPR applies to all automated individual decision-making and profiling.
- Article 22 of the GDPR has additional rules to protect you where we carry out solely automated decision-making that has legal or similarly significant effects on you.
- We can only carry out this type of decision-making where the decision is:
- necessary for the entry into or performance of a contract; or
- authorised by Union or Member State law applicable to the controller; or
- based on your explicit consent.
- We must identify whether any of our processing falls under Article 22 and, if so, make sure that we:
- give you information about the processing;
- introduce simple ways for you to request human intervention or challenge a decision; and
- carry out regular checks to make sure that our systems are working as intended.