
Data Subject Rights and Requests Policy and Procedure

This document sets out the lawful requirements for access requests together with Awakening Expo Ltd’s policy for responding to and processing subject access requests under the General Data Protection Regulation (GDPR), as of May 25, 2018.

Under GDPR, data subjects are allowed to access their personal data so that they are aware of and can verify the lawfulness of the processing.

GDPR provides the following rights for data subjects:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Fee(s) and Objection

Awakening Expo Ltd is legally obliged to provide a copy of the requested information (or changes/restrictions etc.) free of charge. However, a ‘reasonable fee’ can be charged when a request is manifestly unfounded or excessive, particularly if it is repetitive.

A reasonable fee may also be charged to comply with requests for further copies of the same information. This does not mean that Awakening Expo Ltd can charge for all subsequent access requests.

The fee must be based on the administrative cost of providing the information.

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, Awakening Expo Ltd reserves the right to:

  • Charge a reasonable fee considering the administrative costs of providing the information
  • Refuse to respond

When refusing a request, Awakening Expo Ltd acknowledges that the data subject must be informed of the reasons why action is not being taken and also made aware of their right to complain to the supervisory authority and to a judicial remedy.

This must be done without undue delay and, at the latest, within one month. This applies to all requests, as detailed above.

 

Supplying of Information

Awakening Expo Ltd reserves the right to request as much proof of identification, within ‘reasonable means’, that it feels necessary to ensure the applicant is who they say they are. It is imperative that identity is checked before any information is supplied.

If the person requesting the information is a relative/representative of the data subject, then the relative/representative is entitled to personal data about themselves but must obtain the data subject’s consent for the release of their personal data. If they have been appointed to act for or on behalf of the data subject under the Mental Capacity Act 2005, they must confirm their capacity to act on the data subject’s behalf and explain how they are entitled to access the information.

All requests/rectifications should be submitted to Awakening Expo Ltd’s appointed Data Protection Officer (DPO), Jackie Heighway.

If the request is made electronically, Awakening Expo Ltd will provide the information in a commonly used electronic format.

Awakening Expo Ltd declares that all requests should be submitted via one of the following methods:

Email

Jackie Heighway – Data Protection Officer

Post

FAO Data Protection Officer

Awakening Expo Ltd

Suite 7 Miller House Business Centre

47-49 Market Street

Farnworth

Bolton

Greater Manchester

England

BL4 7FU

Requests should contain clear return contact details.

Right of Access

Data subjects have the right to access their personal data and supplementary information. The right of access allows data subjects to be aware of and verify the lawfulness of the processing.

Under GDPR data subjects have the right to obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information – this largely refers to the information that should be provided in a privacy notice

Information must be provided without delay and at the latest within one month of receipt of the request.

The period of compliance may be extended by a further two months where requests are complex or numerous. If this is the case, the individual making the request must be informed within one month of the receipt of the request and the reason for the extension explained.

When producing data under a subject access request, the following information needs to be produced:

  • A description of the personal data, the purpose for which it is processed, recipients, retention period and rights of rectification, erasure, restriction and objection
  • A copy of the information comprising the data
  • Details of the source of the data.

Right of Rectification

Data subjects have the right to have inaccurate personal data rectified without undue delay. The GDPR dictates that this should occur within one month, or two months for complex requests. If no action is to be taken, Awakening Expo Ltd is required to explain why to the data subject, informing them of their right to complain and to a judicial remedy.

Data subjects may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.

If Awakening Expo Ltd receives a request for rectification, the organisation will take reasonable steps to confirm that the data is accurate and to rectify the data if necessary.

Awakening Expo Ltd will take into account the arguments and evidence provided by the data subject, weighing up the nature of the data and its usage.

Following a rectification request, Awakening Expo Ltd will consider and investigate how the error occurred, ensuring that it does not happen again.

Awakening Expo Ltd will inform the data subject where it is satisfied that the personal data is accurate, and will tell them that data will not be amended. Awakening Expo Ltd will explain the decision and inform the Data Subject of their right to make a complaint to the ICO or another supervisory authority, and their ability to seek to enforce their rights through a judicial remedy.

Right of Erasure

The right to erasure (‘the right to be forgotten’) gives data subjects the right to request that personal data be deleted or removed where there is no compelling reason for its continued processing.

The right to erasure does not provide an absolute ‘right to be forgotten’ and applies where, for example:

  • The personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • The data subject withdraws consent

The majority of data collected by Awakening Expo Ltd is for legal and monitoring purposes. Collecting and processing the data ensures that Awakening Expo Ltd can legally support customers, employees and stakeholders.

Awakening Expo Ltd acknowledges that any request for erasure must be acted upon without undue delay and at the latest within one month of receipt.

The time limit to deal with a request should be calculated from the day after receiving the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, Awakening Expo Ltd will have until the next working day to respond.

This means that the exact number of days Awakening Expo Ltd has to comply with a request varies, depending on the month in which the request is made.

Right to Restrict Processing

Article 18 of the GDPR gives data subjects the right to restrict the processing of their personal data in certain circumstances. This means that a data subject can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data.

Data subjects have the right to restrict the processing of their personal data where they have a particular reason for wanting that restriction. This may be because they have issues with the content of the information being held or how the data has been processed.

In most cases Awakening Expo Ltd will not be required to restrict a data subject’s personal data indefinitely but will need to have the restriction in place for a certain period of time.

The majority of data collected by Awakening Expo Ltd is for legal and monitoring purposes. Collecting and processing the data ensures that Awakening Expo Ltd can legally support customers, employees and stakeholders. Therefore, any requests for the restriction of processing would need to be carefully considered as they could have a serious impact on the delivery of an accredited qualification.

Data subjects have the right to request restrictions on the processing of their personal data in the following circumstances:

  • The data subject contests the accuracy of their personal data and Awakening Expo Ltd is verifying the accuracy of the data
  • The data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the GDPR) and the data subject opposes erasure and requests restriction instead
  • Awakening Expo Ltd no longer needs the personal data but the data subject requires it to be kept in order to establish, exercise or defend a legal claim
  • The data subject has objected to Awakening Expo Ltd processing their data under Article 21(1), and Awakening Expo Ltd is considering whether there are legitimate grounds to override those of the data subject.

Although this is distinct from the right to rectification and the right to object, there are close links between those rights and the right to restrict processing:

  • If a data subject has challenged the accuracy of their data and asked for Awakening Expo Ltd to rectify it (Article 16), they also have a right to request that Awakening Expo Ltd restrict processing whilst considering the rectification request
  • If a data subject exercises their right to object under Article 21(1), they also have a right to request that Awakening Expo Ltd restrict processing whilst considering the objection request.

Therefore, as a matter of good practice, Awakening Expo Ltd acknowledges that processing should be restricted whilst the accuracy of, or the legitimate grounds for processing, the personal data is in question. However, the requester should be aware that by restricting processing they are limiting the service provision that Awakening Expo Ltd can provide.

The GDPR suggests a number of different methods that could be used to restrict data, such as:

  • Temporarily moving the data to another processing system
  • Making the data unavailable to users
  • Temporarily removing published data from a website.

It would not be financially viable for Awakening Expo Ltd to move data to another processing system, and the company would not usually publish personal data on its website. Awakening Expo Ltd will therefore restrict processing by locking data and making it unavailable to users. This would be effected through a combination of internal IT/management systems.

Awakening Expo Ltd is aware that it must not process the restricted data in any way except to store it unless:

  • Consent is obtained from the data subject
  • It is for the establishment, exercise or defence of legal claims
  • It is for the protection of the rights of another data subject (natural or legal)
  • It is for reasons of important public interest.

If the restricted data has previously been disclosed to others, Awakening Expo Ltd will contact each recipient and inform them of the restriction of the personal data – unless this proves impossible or involves disproportionate effort. If asked to, Awakening Expo Ltd will inform the data subject about these recipients.

The GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which personal data is disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

In many cases the restriction of processing is only temporary, specifically when the restriction is on the grounds that:

  • The data subject has disputed the accuracy of the personal data and Awakening Expo Ltd is investigating this
  • The data subject has objected to Awakening Expo Ltd processing their data on the basis that it is necessary for the performance of a task carried out in the public interest or the purposes of legitimate interests, and Awakening Expo Ltd is considering whether the organisation has legitimate grounds to override those of the individual.

Once Awakening Expo Ltd has made a decision on the accuracy of the data, or whether the organisation’s legitimate grounds override those of the data subject, Awakening Expo Ltd may decide to lift the restriction. For the restriction to be lifted, Awakening Expo Ltd acknowledges that the data subject must be informed beforehand.

This means that if Awakening Expo Ltd is informing the individual that the organisation is lifting the restriction (on the grounds that Awakening Expo Ltd is satisfied that the data is accurate, or that there are legitimate grounds which override theirs), Awakening Expo Ltd is legally obliged to inform them of the reasons for the refusal to act upon their rights under Articles 16 or 21.

Awakening Expo Ltd will also need to inform them of their right to make a complaint to the ICO or another supervisory authority, and their ability to seek a judicial remedy.

Awakening Expo Ltd acknowledges that any request to restrict processing must be acted upon without undue delay and at the latest within one month of receipt.

The time limit to deal with a request should be calculated from the day after receiving the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.

If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month. If the corresponding date falls on a weekend or a public holiday, Awakening Expo Ltd will have until the next working day to respond.

This means that the exact number of days Awakening Expo Ltd has to comply with a request varies, depending on the month in which the request is made.

The right to data portability

The right to data portability allows data subjects to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

The right to data portability only applies:

  • To personal data a data subject has provided to a controller
  • Where the processing is based on the data subject’s consent or for the performance of a contract
  • When processing is carried out by automated means.

Awakening Expo Ltd is aware that personal data must be provided in a commonly used and machine-readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.

If the data subject so requests, Awakening Expo Ltd understands that it may be required to transmit the data directly to another organisation, if this is technically feasible. However, Awakening Expo Ltd reserves the right not to adopt or maintain processing systems that are technically compatible with other organisations.

If the personal data concerns more than one data subject, Awakening Expo Ltd will consider whether providing the information would prejudice the rights of any other data subject.

Awakening Expo Ltd will respond without undue delay, and within one month. This can be extended by two months where the request is complex or Awakening Expo Ltd receives a number of requests. Awakening Expo Ltd will inform the requester within one month of the receipt of the request and explain why the extension is necessary.

Where Awakening Expo Ltd will not be taking action in response to a request, Awakening Expo Ltd will explain why to the data subject, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

 

The right to object

Individuals have the right to object to:

  • Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
  • Direct marketing (including profiling)
  • Processing for purposes of scientific/historical research and statistics.

Data subjects must have an objection on “grounds relating to their particular situation”.

Awakening Expo Ltd will stop processing the personal data unless:

  • The organisation can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual
  • The processing is for the establishment, exercise or defence of legal claims

Awakening Expo Ltd informs individuals of their right to object “at the point of first communication” and in the privacy notice.

In the event an objection is made in regard to personal data for direct marketing purposes, Awakening Expo Ltd will action it right away, and free of charge.

Rights in relation to automated decision making and profiling

The GDPR restricts Awakening Expo Ltd from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.

“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”

Article 22(1)

The GDPR has provisions on:

  • Automated individual decision-making (making a decision solely by automated means without any human involvement)
  • Profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

The GDPR applies to all automated individual decision-making and profiling.

Awakening Expo Ltd can only carry out this type of decision-making with legal or similarly significant effects if the decision is:

  • Necessary for the entry into or performance of a contract
  • Authorised by any laws applicable to the controller
  • Based on the individual’s explicit consent.

Awakening Expo Ltd must identify whether any of the processing falls under Article 22 and, if so, make sure that the organisation:

  • Gives individuals information about the processing
  • Introduces simple ways for them to request human intervention or challenge a decision
  • Carries out regular checks to make sure that the systems are working as intended.

For something to be solely automated there must be no human involvement in the decision-making process. The restriction only covers solely automated individual decision-making that produces legal or similarly significant effects. These types of effect are not defined in the GDPR, but the decision must have a serious negative impact on an individual to be caught by this provision.

A legal effect is something that adversely affects someone’s legal rights. Similarly significant effects are more difficult to define but would include, for example, automatic refusal of an online credit application, and e-recruiting practices without human intervention.

Solely automated individual decision-making – including profiling – with legal or similarly significant effects is restricted, although this restriction can be lifted in certain circumstances.

If special category personal data is being used, Awakening Expo Ltd can only carry out processing described in Article 22(1) if:

  • The individual has given explicit consent
  • The processing is necessary for reasons of substantial public interest

Article 22 applies to solely automated individual decision-making, including profiling, with legal or similarly significant effects.

If processing does not match this definition, then Awakening Expo Ltd can continue to carry out profiling and automated decision-making, but must still comply with the GDPR principles.

Awakening Expo Ltd must identify and record the lawful basis for the processing and have processes in place so people can exercise their rights. Individuals have a right to object to profiling in certain circumstances. Awakening Expo Ltd has a duty to bring details of this right specifically to their attention.

If you have any questions relating to our GDPR and privacy notices, or any concerns, please contact our designated Data Protection Officer.