diyLAW are grateful to Ishika Patel, one of our brilliant volunteers, for her article on the impending changes in Data Privacy and Data Handling. This is for general information purposes and should not be relied upon as legal advice because it does not consider or take into account your own personal circumstances. If in doubt, seek legal advice.
Your Rights - Your Personal Data
The General Data Protection Regulation (GDPR), which governs the processing of personal data, will replace the current Data Protection Act 1998 from 25 May 2018.
What is personal data? Personal data is any information relating to you, where you can be directly or indirectly identified, including your name, identification number, address or bank account details.
What is a data controller? A data controller is a person (individual or company) that determines the purposes and means of processing your personal data.
What is meant by “processing”? Anything that is done to, or with, your personal data, e.g. collecting it or storing it.
I’m still confused – give me an example. Say you want to open a bank account with X BANK. You will normally be asked to fill in an application form. Filling in that form with your name and address means you are providing them with your personal data. X BANK is, therefore, the data controller. Your name and address are your personal data. X BANK collecting that information means they are processing it.
So how does the GDPR affect me? Why should I care?
The GDPR gives you more say over what these companies/individuals can do with your personal data. It also introduces bigger fines for data controllers that do not comply. This article discusses the different rights you have under the GDPR, including the right:
- to be informed
- of access to your own personal data
- to correct your personal data
- to erase your personal data/right to be forgotten
- to restrict processing
- to data portability
- to object
- not to be subject to automated decision making and profiling
- to be notified of a data security breach.
Right to be informed
You have the right to receive certain information from the data controller about how your personal data is processed. This information is usually provided in a Privacy Notice – check the data controller’s website, or just ask them if it isn’t clear to you. Information can include the purpose of using your data, your rights as described in this article and your right to make a complaint to the Information Commissioner’s Office.
When should information be provided?
If the data is obtained directly from you, then the information should be provided to you at the time the data is obtained.
If the data is obtained indirectly, say from a third party, then the information should be provided either:
- within a reasonable period after obtaining the personal data (within one month at the latest);
- if the personal data will be used to communicate with you, at the latest at the time of the first communication; or
- if the data controller intends to disclose the personal data to another recipient, at the latest at the time of the first disclosure.
Right to Access your personal data
You have the right to:
- obtain confirmation that your data is being processed; and
- access the personal data that is being processed.
The information should be provided to you within one month of the request.
Are there any fees?
Access to your personal data should normally be provided to you free of charge but if your request is unfounded or excessive, the data controller may either:
- charge a reasonable fee to provide the information or take the requested action; or
- refuse to act on the request.
Additional copies may also attract a further charge.
What do I need to do to get my information?
Write to the data controller including the following information:
- full name, address and contact telephone number;
- any information that the data controller can use to identify you from others, for example, a bank account number;
- details of the information you require including dates where relevant.
It will also help if you say that you are making a “Subject Access Request”.
Also have a look on the data controller’s website, as they may have a form available for you to fill in which you may find easier.
Right to correct your personal data
You have the right to:
- correct inaccurate personal data; and
- complete incomplete personal data.
What should I do?
Write to the data controller and be clear about exactly what the issue is. Your request must be responded to within a month. This can be extended by two months if the request is complex. If no action is being taken, this should be explained to you, including your right to complain to the Information Commissioner’s Office and to a legal remedy.
Right to be Forgotten/erase your personal data
You can request the deletion or removal of your personal data where, for example:
- it is no longer necessary for the purpose for which it was originally collected or processed;
- you withdrew your consent and no other legal justification for processing applies;
- you object to processing for direct marketing purposes (e.g. to be contacted through advertisement);
- it was unlawfully processed; or
- it should be erased in order to comply with a legal obligation.
Your data should then be erased without delay unless the data controller has to keep it, for example, for legal reasons.
Right to restrict processing
You have the right to restrict the processing of your personal data when, for example:
- you are disputing the accuracy of the personal data;
- the processing is unlawful;
- the data controller no longer needs to process the personal data but you need the personal data for a legal claim; or
- you object to the processing and the data controller is considering whether its legitimate interests override yours.
Data Processing Objection Right
You can object to data processing under certain circumstances, including for example:
- direct marketing purposes (i.e. advertising through, for example, email); or
- scientific or historical research, or statistical purposes.
If you object, a data controller must stop processing the personal data unless the data controller either:
- demonstrates a compelling legitimate ground for processing the personal data that overrides your interests; or
- needs to process the personal data in relation to a legal claim.
Data Portability Right
This allows you, for example, to:
- obtain and reuse your personal data across different services; and
- transfer your personal data to another data controller.
Data controllers must comply with such a request within one month. This can be extended by two months if the request is complex, but data controllers must inform you of this and explain why the extension is necessary. If no action is being taken, they must tell you this and why, including your right to complain to the Information Commissioner’s Office and to a legal remedy.
Automated Decision Making Objection Right
You have the right to not be subject to automated decision-making, including profiling, i.e. making a decision solely by automated means without any human involvement. Profiling is a form of automated decision-making intended to evaluate certain aspects of you, such as predicting your performance at work, health or reliability.
Automated decision-making is allowed in certain circumstances, for example, if you consent to it or the data controller is permitted to do so by law.
Notification of a breach
If a breach of your personal data is likely to result in a high risk to your rights and freedoms, you should be notified directly without undue delay. The notification should:
- describe the nature of the breach;
- give the name and contact details of the data protection officer or other contact person;
- describe the likely consequences; and
- describe the measures taken to address and mitigate the breach.
There are some exceptions to the notification, including when the data controller has taken steps to ensure your personal data is no longer subject to a high risk.
The above is a summary of your rights under the GDPR. There is also additional helpful guidance on the Information Commissioner’s website.
This blogpost is for information purposes and should not be relied upon as legal advice because it does not consider or take into account your own personal circumstances. If in doubt, seek legal advice.