The GDPR aims to give individuals more control over the ways in which organisations process their personal data, and this has led to the granting of new rights for these individuals, as well as enhancing and improving rights that existed under the Data Protection Act 1998. See separate tabs for information on each right.
- The Council must provide individuals with various pieces of information about the data processing activities they carry out.
- This information is usually provided in a Privacy Notice or Privacy Statement, For information on how we do this please see the Privacy Statements.
The Council must provide individuals with:
- confirmation their data is being processed;
- access to their personal data and
- other supplementary information.
- The Council must comply with any subject access request within one month of receipt.
- Complete the online Subject Access Request form.
- Individuals can have their personal data rectified if it is inaccurate or incomplete.
- The Council must comply with any request to rectify within one month of receipt. This can be extended by a further two months when the request is complex.
- For information on how to make a request see the Privacy Statements.
Individuals have the right for their data to be erased where:
- the personal data is no longer necessary in relation to the purpose for which it was collected/processed;
- the individual withdraws their consent or objects to the processing and there are no overriding legitimate interest to continue processing;
- the personal data was unlawfully processed or has to be erased in order to comply with a legal obligation; or
- the personal data is processed in relation to the offer of information society services to a child.
- The Council can refuse to erase a data subject’s personal data where it is processed:
- to exercise a right of freedom of expression and information;
- to comply with a legal obligation or for the performance of a task of public interest;
- for the exercise or defence of legal claims; or
- for purposes relating to public health, archiving in the public interest, scientific/historic research or statistics.
If the Council has disclosed the personal data to third parties then they must inform those third parties about the erasure of the personal data.
Individuals have the right to restrict the processing of personal data where:
- they have contested its accuracy;
- they have objected to the processing and the Council is considering whether they have a legitimate ground which overrides this;
- processing is unlawful and the individual opposes erasure and requests restriction instead;
- the Council no longer needs the data but the individual requires it to establish, exercise or defend a legal claim.
If the Council has disclosed the personal data to third parties then they must inform those third parties about the restriction on the processing of the personal data unless it is impossible or involves disproportionate effort to do so.
- The right to data portability allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
- It enables consumers to take advantage of applications and services which can use this data to find them a better deal, or help them understand their spending habits.
- The right to data portability only applies:
- to personal data an individual has provided to the Council or;
- where the processing is based on consent or the performance of a contract; and
- where processing is carried on by automated means.
- The Council must provide the personal data in a structured, commonly used and machine readable form (such as CSV files).
- If the individual requests it, the Council may be required to transmit the data directly to another organisation if this is technically feasible.
- The Council must comply with the data subject’s request free of charge and within one month. This can be extended by a further two months when the request is complex or if the Council receive a number of requests
- Individuals have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.
- Individuals must have an objection on “grounds relating to his or her particular situation”.
- The Council must stop processing the personal data unless:
- we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
- the processing is for the establishment, exercise or defence of legal claims.
- The Council must stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse.
- We must deal with an objection to processing for direct marketing at any time and free of charge. We must inform individuals of their right to object “at the point of first communication” and in our privacy notice.
- Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes.