ÐÓ°ÉappÏÂÔØ

About the university

Data subject rights

If you are a data subject, then you have rights under Data Protection legislation.

The right of access

Individuals are entitled to make a subject access request for a copy of their personal data, including what data is being held, where, and for what purpose. These will be free, although if further copies are requested, a charge can be made. Organisations can refuse to respond to a request if it is manifestly unfounded or excessive, or can choose to charge an administrative fee in these cases. Where large volumes of personal data are processed, the individual should specify exactly what information or processing their request relates to. Requests should be responded to within one month. This can be extended by a further two months if the request is complex or a large number of requests are received. Data can be withheld if disclosure would adversely affect the rights and freedoms of others. This includes rights affecting the organisation / business of the organisation.

The right to be informed

The right to be informed encompasses the obligation on organisations to provide "fair processing information", typically through a privacy notice. This should be concise, transparent, intelligible and easily accessible; written in clear and plain language, particularly if addressed to a child.

The right to rectification

The individual has the right to have personal data rectified. This is if it is inaccurate or incomplete.

The right to erasure ("right to be forgotten")

This is the right to be able to request the deletion or removal of data where there is no compelling reason for its continued processing, or overriding legitimate grounds to justify processing. Data will not be erased if it is: necessary for rights of freedom of expression or information; compliance with a legal obligation; in the public interest; for archiving or research; for legal claims.

The right to restrict processing

Processing may be restricted where the organisation is considering whether continued processing is justified; where it is no longer necessary but when it is needed for legal claims; when an individual wants it restricted but not erased; where the accuracy of data is being verified.

The right to object to processing

This applies where the organisation's processing is based on the following conditions: public task; or legitimate interests. It does not apply if the processing is for legal claims, or if the compelling legitimate interest overrides the interests of the individual.

The right to object to direct marketing

This requires organisations who are marketing to individuals to obtain unambiguous consent, resting on a "clear affirmative action" by consumers.

The right to withdraw consent

If processing is based on consent, the individual has the right to withdraw consent, at any time, where relevant.

The right to data portability

This right exists to allow individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily, in a machine readable format, from one IT environment to another in a safe and secure way, without hindrance to usability. This right only applies to personal data which has been provided to the organisation by the individual.

Automated decision making and profiling

Individuals have the right not to be subject to decisions made automatically that produce legal effects or significantly affect them. This does not apply where the decision is based on explicit consent from the individual; necessary for a contract with the individual; subject to suitable safeguards, including a right to a human review of the decision; authorised by law. Additional restrictions apply to automated decision making or profiling using sensitive personal data or carried out on children.

List of automated decision making at the University of ÐÓ°ÉappÏÂÔØ.

Exercising these rights

Individuals may exercise these rights if the University of ÐÓ°ÉappÏÂÔØ is processing personal data pertaining to them, by: emailing compliance@gre.ac.uk, or writing to: Peter Garrod, Data Protection Officer, University of ÐÓ°ÉappÏÂÔØ, Queen Anne Court, Park Row, London SE10 9LS.

The right to lodge a complaint

The individual has the right to lodge a complaint with the supervisory authority, the Information Commissioner's Office (ICO), at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.