Introduction – our commitment
We are committed to ensuring that all personal data is handled, stored, processed and used (“processed”) responsibly, fairly and in compliance with all applicable personal data protection laws, including the General Data Protection Regulation (“GDPR”) (“Data Protection Laws”). We are also committed to ensure that your rights, as a ‘Data Subject’, are handled in accordance with Data Protection Laws and that we ensure that your rights are protected.
What is personal data?
Personal data means any information relating to an identifiable living person (“Data Subject”) who can be directly or indirectly identified in particular by reference to an identifier. See our Privacy Notice (separate document) for examples and further explanation.
This policy applies to you, as a Data Subject, in relation to any of your personal data which is processed by us where we are the ‘Controller’. It sets out your rights under GDPR, and provides details on how we handle your rights. We will provide you with any relevant information you request in relation to your rights as soon as practicable, but in no event longer than 1 month of request. In order to do so we may request additional information from you for the purpose of identity verification. If we are not able to verify your identity then we may be exempt from the application of certain rights. If the request(s) are complex or numerous we may take longer than 1 month (but no more than 2 months) to respond, but we will notify you within 1 month if we need such an extension.
Where we are the ‘Processor’ we will be subject to the instructions of the applicable ‘Controller’ and will assist you in referring your request to the relevant ‘Controller’. We will assist the controllers in responding to your request.
Rights to basic information and to be informed: See our Privacy Notice.
Right to access: To be aware of and verify the lawfulness of the processing.
We will provide you with all applicable details, including:
- whether we are processing your personal data
- the type of personal data we are processing
- where we process your personal data
- details of whom we are sharing your personal data with
- information relating to your rights
- the opportunity to make a complaint to the supervisory authority
- the purposes of our processing
- the source of your personal data (i.e. where we obtained your data from)
- the duration for holding your personal data
If requested, we will provide you with a copy of your personal data. Your request will be addressed in an electronic form unless otherwise stated. If your request is deemed by us to be repetitive, manifestly unfounded or excessive we may charge a reasonable fee to respond (although we will let you know beforehand if that is the case).
Right to rectification: To correct personal data if it is inaccurate or incomplete.
Your request will be processed if the data is proven to be inaccurate or incomplete. Where applicable and possible we will inform any third parties to whom we have provided the personal data of the rectification.
Right to erasure: To request the removal or deletion of personal data.
You may make a request if:
- the purpose for which the personal data was originally collected or processed no longer exists
- you withdraw your previously given consent
- you object to the processing
- your personal data has been unlawfully processed
- your personal data must be erased in order to comply with the law
Your request will be actioned unless we have a lawful basis or overriding legitimate interest to keep and to process your personal data, in which case we will inform you of the reason(s) for such. Where applicable and possible we will inform any third parties to whom we have provided the personal data of the erasure.
Right to restrict processing: To restrict the processing of personal data.
You can request this where:
- our processing of your personal data is unlawful
- you contest the accuracy of your personal data and we need to verify the accuracy
- you prefer restriction over erasure
- you object to the basis on which we are processing your personal data and we need to assess whether our legitimate interests override your interests, rights and freedoms.
Where we agree to such a request we will only hold the personal data and will only use it for agreed limited purposes. We reserve the right to refuse a request where we need to do so for the establishment, exercise or defence of legal claims, or where we have a valid lawful basis. Where applicable and possible we will inform any third parties to whom we have provided the personal data of the restriction and will inform you when the restriction is lifted.
Right to data portability: To obtain and reuse personal data.
You can request this where you have provided your personal data on the basis of consent or for the performance of a contract, and where our processing is carried out by automated means. Where we agree to your request we will provide you with a copy of your personal data in a machine-readable, commonly used and structured form.
Right to object: To object to processing of personal data where we do this in certain circumstances, for example for our legitimate interests or direct marketing.
Where your personal data is processed on legitimate interests basis: your request will be processed unless we have a compelling legitimate interest for processing your personal data or where your personal data is needed for the establishment, exercise or defence of legal claims. Where we consider the request in relation to legitimate interests we will assess whether those legitimate interest override your interests, rights and freedoms and we will notify you of the outcome.
Where your personal data is processed for direct marketing: your request will be processed immediately and we will cease processing your personal data for direct marketing purposes.
For additional information relating to your right to object, please see our Privacy Notice.
Rights related to automated decision making including profiling: To be aware of any automated decision making or profiling, and to request such is restricted.
We do not undertake automated decision making or profiling.
Right to complain and/or to seek judicial remedy: To make a complaint or to seek a judicial remedy on the basis that our processing infringes the GDPR.
Where you consider that our processing of your personal data infringes the GDPR or if we do not take action on your request to exercise any of your rights, we will inform you without delay and at the latest within one month of receipt of the request of (i) the reasons for not taking action and (ii) the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Where you exercise one or more of the above rights we will handle such in accordance with our applicable internal procedures and work instructions.