Data Protection – Data Subject Rights

VERSION: 1
DATE OF IMPLEMENTATION/REVIEW: 01/09/2021
IMPLEMENTED AND AUDITED BY: James McAlpine
STATUS: Approved
COMMENTS: To be reviewed 01/09/2022

 

Purpose

This policy sets out the rights of Data Subjects and the processes which should be followed in the event that the Data Subject wishes to exercise any such right.

 

Statement

The Company processes many types of data for various reasons concerning job applicants, employees, former employees, workers, contractors and Clients. It is fully aware of its obligations under the General Data Protection Regulation (GDPR) to process data lawfully and to ensure that the rights of Data Subjects (the majority of whom will be Clients and employees of the Company), as set out in GDPR, are observed correctly.

 

Procedure and Guidance

Data Subject Rights

Under GDPR, Clients and employees (from now on referred to as Data Subjects) have the following rights in relation to their data:

  • the right to be informed
  • the right of access
  • the right for any inaccuracies to be corrected
  • the right to have information deleted
  • the right to restrict the processing of the data
  • the right to portability
  • the right to object to the inclusion of any information
  • the right to regulate any automated decision-making and profiling of personal data

 

The right to be informed

Data Subjects have the right to be told how the Company processes their data and the reasons for the processing. In order to provide this information, the Company has a privacy notice to explain what data we collect, how we collect and process it, what we process it for and the lawful basis which permits us to process it. Data Subjects can obtain a copy of the privacy notice, at no cost, from the Company.

The Company also has a separate privacy notice applicable to job applicants.

If the Company intends to use data already collected from Data Subjects for a different reason than that already communicated, the Data Subjects will be informed of the new reason in advance.

 

The right of access

Data Subjects have the right to access their personal data which is held by the Company. More information on this is available in the Company’s Subject Access Request policy.

 

The right for data to be corrected

One of the fundamental principles underpinning data protection is that the data the Company processes about Data Subjects will be accurate and up to date. Data Subjects have the right to have their data corrected if it is inaccurate or incomplete.

If Data Subjects wish to have their data rectified, they should do so by completing the Data Rectification Form.

The Company will respond to a data rectification request within one month. Where the data rectification request is complex, the Company may extend the timescale for response from one month to three months. If this is the case, the Company will respond within one month of receipt of the request explaining the reason for the extension.

If the response to a request is that the Company will take no action, the Data Subject will be informed of the reasons for this and of their right to complain to the Information Commissioner and to a judicial remedy.

Where any data which has been rectified was disclosed to third parties in its unrectified form, the Company will inform the third party of the rectification where possible. The Company will also inform the Data Subject of the third parties to whom the data was disclosed.

 

The right to have information deleted

Data Subjects have the right to have their data deleted and removed from the Company’s systems where there is no compelling business reason for the Company to continue to process it.

Data Subjects have a right to have their data deleted in the following circumstances:

  • where the personal data is no longer necessary in relation to the purpose for which the Company originally collected or processed it
  • where Data Subjects have withdrawn their consent to the continued processing of the data and there is no other lawful basis for the Company to continue processing the data
  • where Data Subjects object to the processing and the Company has no overriding legitimate interest to continue the processing
  • the personal data has been unlawfully processed
  • the personal data has to be deleted due to a legal obligation.

Anyone requesting data deletion should complete the Data Deletion Request form.

Upon receipt of a request, the Company will delete the data unless it is processed for one of the following reasons:

  • to exercise the rights of freedom of expression and information
  • for the Company to comply with a legal requirement
  • the performance of a task carried out in the public interest or exercise of official authority
  • for public health purposes in the public interest
  • archiving purposes in the public interest, scientific or historical research, or statistical purposes
  • the defence of legal claims

Where a deletion request is not complied with because of one of the above reasons, the Data Subject will be informed of the reason. Where the request is to be complied with, the Data Subject will be informed when the data has been deleted.

Where the data which is to be deleted has been shared with third parties, the Company will inform those third parties where this is possible. However, where this notification will cause a disproportionate effect on the Company, this notification may not be carried out.

 

The right to restrict the processing of data

Data Subjects have the right to restrict the processing of their data in certain circumstances. Restricting the Company from processing data means that the Company will continue to hold the data but will stop processing it.

The Company will be required to restrict the processing of a Data Subject’s personal data in the following circumstances:

  • where Data Subjects tell the Company that the data it holds on them is not accurate. Where this is the case, the Company will stop processing the data until it has taken steps to ensure that the data is accurate
  • where the data is processed for the performance of a public interest task or because of the Company’s legitimate interests and Data Subjects have objected to the processing of data. In these circumstances, the processing may be restricted whilst the Company considers whether its legitimate interests mean it is appropriate to continue to process it
  • when the data has been processed unlawfully
  • where the Company no longer needs to process the data, but Data Subjects need the data in relation to a legal claim

If a Data Subject wishes to make a request for data restriction, they should complete the Data Restriction Request form. Where data processing is restricted, the Company will continue to hold the data but will not process it unless:

  • Data Subjects consent to the processing
  • Processing is required in relation to a legal claim

Where the data to be restricted has been shared with third parties, the Company will inform those third parties where this is possible. However, where this notification will cause a disproportionate effect on the Company, this notification may not be carried out.

Where the Company is to lift any restriction on processing, Data Subjects will be informed in advance.

 

The right to data portability

Data Subjects have the right to obtain the data that the Company processes on them and use it for their own purposes. This means they have the right to receive their personal data that they have provided to the Company in a structured machine-readable format and to transmit the data to a different data controller.

This right applies in the following circumstances:

  • where Data Subjects have provided the data to the Company
  • where the processing is carried out because they have given the Company their consent to do so
  • where the processing is carried out in order to perform the employment contract or the contract for the provision of services between the Data Subjects and the Company
  • where processing is carried out by automated means

Where a request for data portability is received, the Company will respond without undue delay, and within one month at the latest. Where the request is complex or the Company receives a number of requests, the Company may extend the timescale for response from one month to three months. If this is the case, the Company will write to the Data Subject within one month of receipt of the request explaining the reason for the extension.

Where the Company is to comply with a request, the Data Subject will receive the data in a structured and readable form. Data Subjects will not be charged for the provision of this data. Upon request, the Company will transmit the data directly to another organisation in applicable and appropriate circumstances.

If the response to a request is that the Company will take no action, Data Subjects will be informed of the reasons for this and of their right to complain to the Information Commissioner and to a judicial remedy.

The right to portability is different from the right to access. Although both involve a right to access personal data, the personal data to be accessed is not the same. The right to access data under the right to portability includes only personal data as described above. Access to data under the right of access includes all personal data relating to the Data Subject, including that which has not been provided to the Company.

 

The right to object to the inclusion of data

Data Subjects have a right to object to the processing of their data in certain circumstances. This means that they have the right to require the Company to stop processing their data. Data Subjects may object to processing where it is carried out:

  • in relation to the Company’s legitimate interests
  • for the performance of a task in the public interest
  • in the exercise of official authority
  • for profiling purposes

Data Subjects who wish to object should do so by completing the Data Processing Objection form. Where Data Subjects object to processing, the Company will stop the processing activity objected to unless:

  • the Company can demonstrate compelling legitimate reasons for the processing which are believed to be more important than the Data Subject’s rights; or
  • the processing is required in relation to legal claims made by, or against, the Company.

If the response to a request is that the Company will take no action, Data Subjects will be informed of the reasons.

 

Rights in relation to automated decision making

Data Subjects have the right not to have decisions made about them solely on the basis of automated decision-making processes where there is no human intervention, where such decisions will have a significant effect on them. However, the Company does not make any decisions based on such processes.

The Company may carry out automated decision making with no human intervention in the following circumstances:

  • when it is needed for entering into or the carrying out of a contract with the Data Subject
  • when the process is permitted by law
  • when a Data Subject has given explicit consent

In circumstances where we use special category data, for example, data about a Data Subject’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership, the Company will ensure that one of the following applies to the processing:

  • The Data Subject has given explicit consent to the processing

OR

  • the processing is necessary for reasons of substantial public interest

 

KLOE Reference for this Policy: Safe | Well-Led

Regulations directly linked to this Policy: Regulation 9: Person-centred care | Regulation 10: Dignity and respect | Regulation 11: Need for consent

Regulation(s) relevant to this Policy:

 

Next Review

Approval