VERSION: 1
DATE OF IMPLEMENTATION/REVIEW: 01/09/2021
IMPLEMENTED AND AUDITED BY: James McAlpine
STATUS: Approved
COMMENTS: To be reviewed 01/09/2022
Purpose
This policy sets out the rights of Data Subjects and the processes which should be followed in the event that the Data Subject wishes to exercise any such right.
Statement
The Company processes many types of data for various reasons concerning job applicants, employees, former employees, workers, contractors and Clients. It is fully aware of its obligations under the General Data Protection Regulation (GDPR) to process data lawfully and to ensure that the rights of Data Subjects (the majority of whom will be Clients and employees of the Company), as set out in GDPR, are observed correctly.
Procedure and Guidance
Data Subject Rights
Under GDPR, Clients and employees (from now on referred to as Data Subjects) have the following rights in relation to their data:
The right to be informed
Data Subjects have the right to be told how the Company processes their data and the reasons for the processing. In order to provide this information, the Company has a privacy notice to explain what data we collect, how we collect and process it, what we process it for and the lawful basis which permits us to process it. Data Subjects can obtain a copy of the privacy notice, at no cost, from the Company.
The Company also has a separate privacy notice applicable to job applicants.
If the Company intends to use data already collected from Data Subjects for a different reason than that already communicated, they will be informed of the new reason in advance.
The right of access
Data Subjects have the right to access their personal data which is held by the Company. More information on this is available in the Company’s Subject Access Request policy.
The right for data to be corrected
One of the fundamental principles underpinning data protection is that the data the Company processes about Data Subjects will be accurate and up to date. Data Subjects have the right to have their data corrected if it is inaccurate or incomplete.
If Data Subjects wish to have their data rectified, they should complete the Data Rectification Form.
The Company will respond to a data rectification request within one month. Where the data rectification request is complex, the Company may extend the timescale for response from one month to three months. If this is the case, the Company will respond within one month of receipt of the request explaining the reason for the extension.
If the response to a request is that the Company will take no action, the Data Subject will be informed of the reasons for this and of their right to complain to the Information Commissioner and to a judicial remedy.
Where any data which has been rectified was disclosed to third parties in its unrectified form, the Company will inform the third party of the rectification where possible. The Company will also inform the Data Subject of the third parties to whom the data was disclosed.
The right to have information deleted
Data Subjects have the right to have their data deleted and removed from the Company’s systems where there is no compelling business reason for the Company to continue to process it.
Data Subjects have a right to have their data deleted in the following circumstances:
Anyone requesting data deletion should complete the Data Deletion Request form.
Upon receipt of a request, the Company will delete the data unless it is processed for one of the following reasons:
Where a deletion request is not complied with because of one of the above reasons, the Data Subject will be informed of the reason. Where the request is to be complied with, the Data Subject will be informed when the data has been deleted.
Where the data which is to be deleted has been shared with third parties, the Company will inform those third parties where this is possible. However, where this notification will cause a disproportionate effect on the Company, this notification may not be carried out.
The right to restrict the processing of data
Data Subjects have the right to restrict the processing of their data in certain circumstances. Restricting the Company from processing data means that the Company will continue to hold the data but will stop processing it.
The Company will be required to restrict the processing of a Data Subject’s personal data in the following circumstances:
If a Data Subject wishes to make a request for data restriction, they should complete the Data Restriction Request form. Where data processing is restricted, the Company will continue to hold the data but will not process it unless:
Where the data to be restricted has been shared with third parties, the Company will inform those third parties where this is possible. However, where this notification will cause a disproportionate effect on the Company, this notification may not be carried out.
Where the Company is to lift any restriction on processing, Data Subjects will be informed in advance.
The right to data portability
Data Subjects have the right to obtain the data that the Company processes on them and use it for their own purposes. This means they have the right to receive their personal data that they have provided to the Company in a structured machine-readable format and to transmit the data to a different data controller.
This right applies in the following circumstances:
Where a request for data portability is received, the Company will respond without undue delay, and within one month at the latest. Where the request is complex or the Company receives a number of requests, the Company may extend the timescale for response from one month to three months. If this is the case, the Company will write to the Data Subject within one month of receipt of the request explaining the reason for the extension.
Where the Company is to comply with a request, the Data Subject will receive the data in a structured and readable form. Data Subjects will not be charged for the provision of this data. Upon request, the Company will transmit the data directly to another organisation in applicable and appropriate circumstances.
If the response to a request is that the Company will take no action, Data Subjects will be informed of the reasons for this and of their right to complain to the Information Commissioner and to a judicial remedy. The right to portability is different from the right to access. Although both involve a right to access personal data, the personal data to be accessed is not the same. The right to access data under the right to portability includes only personal data as described above. Access to data under the right of access includes all personal data relating to the Data Subject, including that which has not been provided to the Company.
The right to object to the inclusion of data
Data Subjects have a right to object to the processing of their data in certain circumstances. This means that they have the right to require the Company to stop processing their data. Data Subjects may object to processing where it is carried out:
Data Subjects who wish to object should do so by completing the Data Processing Objection form. Where Data Subjects object to processing, the Company will stop the processing activity objected to unless:
If the response to a request is that the Company will take no action, Data Subjects will be informed of the reasons.
Rights in relation to automated decision making
Data Subjects have the right not to have decisions made about them solely on the basis of automated decision-making processes where there is no human intervention, where such decisions will have a significant effect on them. However, the Company does not make any decisions based on such processes.
The Company may carry out automated decision making with no human intervention in the following circumstances:
In circumstances where we use special category data, for example, data about a Data Subject’s health, sex life, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership, the Company will ensure that one of the following applies to the processing:
OR
KLOE Reference for this Policy: Safe | Well-Led
Regulations directly linked to this Policy: Regulation 9: Person-centred care | Regulation 10: Dignity and respect | Regulation 11: Need for consent
Regulation(s) relevant to this Policy:
Next Review