Home »
Data protection laws are designed to make sure that an individual’s personal data is protected and used legally. Individuals will inevitably provide organisations with their personal data, such as name and address, when they interact and transact with organisations.
It is important that individuals understand their personal data rights so they can enforce those rights if need be.
An organisation is required to inform an individual if it is using their personal data at the time it collects the data. This includes why it is using an individual’s personal data, the type of data being collected, how long the data will be kept and whether the data will be shared with third parties.
Organisations commonly provide privacy information in a privacy notice, such as a website privacy policy.
Other information that should be provided includes an individual’s information rights (including its right to complain to the Information Commissioner’s Officer (ICO)) and details of how to contact the organisation.
An individual has the right to ask an organisation whether or not they are using or storing their personal information. This is commonly known as making a subject access request.
Such a request can be made verbally or in writing and can include asking for copies of the personal data.
A subject access request can be used by an individual to not only find out about what personal information an organisation holds about them, but how the organisation use the data, who they share it with and where they got the data from.
If the accuracy of personal data held by an organisation is inaccurate, an individual can ask for their data to be corrected or deleted. This is known as the ‘right to rectification’. An individual can also ask an organisation to complete any incomplete data by adding more details.
The right to rectification links to the principle that personal data should be accurate. Organisations are required to take reasonable steps to ensure the accuracy of personal data and carefully consider any challenges to the accuracy of data.
Individuals have a right to ask organisations that hold their personal data to delete it. This is sometimes referred to as the ‘right to be forgotten’.
However, organisations are only required to delete such personal data in the following circumstances:
Individuals can limit the way an organisation uses their personal data if they are concerned about the accuracy of the data or how it is being used. For instance, an individual may wish to ask an organisation to temporarily limit the use of their data whilst the organisation is considering a challenge made to the accuracy of the data.
In such circumstances, the organisation must take appropriate steps to restrict the use of the personal data.
In certain circumstances, an individual has the right to object to an organisation processing (using) their personal data at any time. This effectively means stopping or preventing the organisation from using the data.
An individual can only object to processing when the organisation is using data:
If an objection is successful, the organisation must stop or not begin processing personal data for that use. However, an organisation may still be able to legitimately continue using data for other purposes.
For direct marketing purposes, if an objection is raised then the organisation must stop using the data for these purposes and an organisation cannot refuse such an objection.
For purposes other than direct marketing, an organisation may refuse to comply with an objection but only if they can provide strong and legitimate reasons to continue using the data.
Data protection law also contains exemptions. If an exemption applies, the organisation can either fully or partly refuse to comply with a request.
An individual has the right to get their personal data from an organisation in a way that is accessible and machine-readable, for example as a csv file.
An individual may also request that their personal data be transferred to another organisation. Organisations are only required to do this if the transfer is “technically feasible”.
If an organisation believes that a request by an individual is “manifestly unfounded or excessive”, it can:
In reaching this decision, the organisation can take into account whether the request is repetitive. However, the organisation must inform the individual of its decision and be able to justify it.
Also, some rights are subject to specific exemptions, which if applicable, may mean that an organisation can either fully or partly refuse to comply with a request.
An organisation has one month to respond to an individual’s request to exercise one of its data protection rights. In certain circumstances, an organisation may need extra time to consider a request and can take up to an extra two months. If an organisation requires more time, it should let the individual know within one month and explain the reasons why.
If you need any advice on data subject rights, please contact a member of our team in confidence here or on 02920 829 100 for a free initial call to see how they can help.
To speak to one of our experts today, please contact us on 02920 829 100 or by using our Contact Us form for a free initial chat to see how we can help.
I have worked with Darwin Gray for a number of years and the level of service, professionalism and timely response is second to none. I would highly recommend Darwin Gray to any business.”
Darwin Gray have provided us with a first-class service for many years now. They really take the time to understand our business and develop relationships which results in advice and support that is contextualised and effective.”
We have worked with Darwin Gray for several years and have always found their services and advice to be first class.”
An extremely professional and sincere firm who make time for your queries and understand the need to break down certain facts and information to ensure everything is understood perfectly. I would highly recommend the firm to anyone looking for any type of legal advice”
PSS has worked with Darwin Gray for many years. We have always received an excellent service. Prompt and professional advice and support.”
Darwin Gray have acted for myself and my company over a number of years and at all times we have been treated with a professional manner yet maintain a common-sense approach at all levels. We couldn’t recommend them more highly.”
We have been clients of Darwin Gray for many years; they’ve always dealt with all of our legal matters with such professionalism. They work around us, even during awkward hours, and we feel confident we can always rely on them.”
Darwin Gray has been acting for Siltbuster for more than ten years. We would have no hesitation in recommending Darwin Gray to other organisations small or large.”
From the very first conversation, I had no doubt that Darwin Gray should be the firm to receive our instructions on this matter. I would have no hesitation in recommending Darwin Gray.”
We regularly instruct Darwin Gray. Their service in dealing with our transactional matters and disputes is always professional, prompt and efficient.”
Darwin Gray guided me through a long and extended process that would have been much more difficult had it not been for their patience and constant support.”
Excellent and efficient service. Great result achieved, highly professional and transparent on pricing. Would recommend.”
Superb legal service provided. Exceeded expectations. They went above and beyond in order to provide the best service possible.”
Very professional and understanding. They were a calming influence in a very troubling situation and they brought it to a very successful conclusion”
We have used Darwin Gray and have been seriously impressed. The personal approach is what Darwin Gray are excelling on and is the reason why we will continue to work with them in the future.”
