General Data Protection Regulation (GDPR), EU Regulation, 2018: data protection in the UK (England and Wales)
Under the GDPR, customers have the rights set out below.
How do you use personal data:
When to provide it
We provide individuals with privacy information at the time we collect their personal data from them.
• If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:
• within a reasonable period of obtaining the personal data, and no later than one month;
• if we plan to communicate with the individual, at the latest when the first communication takes place; or
• if we plan to disclose the data to someone else, at the latest when the data is disclosed.
Electronic communications: no consent is required for cookies that are either:
• used for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network; or
• strictly necessary for the provision of an information society service requested by the subscriber or user.
How to provide it
• We provide the information in a way that is:
• concise;
• transparent;
• intelligible;
• easily accessible; and
• in clear and plain language.
Changes to the information
• We regularly review and, where necessary, update our privacy information.
• If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.
How long will you keep my personal data:
The storage limitation principle is broadly similar to the fifth principle (retention) of the Data Protection Act 1998. The key point remains that you must not keep personal data for longer than you need it.
Although there is no underlying change, the GDPR principle does highlight that you can keep anonymised data for as long as you want, because data that has been truly anonymised is no longer personal data. In other words, once you no longer need the personal data you can either delete it or anonymise it.
Instead of an exemption for research purposes, the GDPR principle specifically says that you can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes (and you have appropriate safeguards).
New documentation provisions mean that you must now have a policy setting standard retention periods where possible.
There are also clear links to the new right to erasure (right to be forgotten). In practice, this means you must now review whether you still need to keep personal data if an individual asks you to delete it.
Article 5(1)(e) of the GDPR states that personal data shall be:
“(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”
• You must not keep personal data for longer than you need it.
• You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
• You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
• You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
• You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
• You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes (with appropriate safeguards in place).
• We know what personal data we hold and why we need it.
• We carefully consider and can justify how long we keep personal data.
• We have a policy with standard retention periods where possible, in line with documentation obligations.
• We regularly review our information and erase or anonymise personal data when we no longer need it.
• We have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’.
• We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.
Why is storage limitation important?
Ensuring that you erase or anonymise personal data when you no longer need it will reduce the risk that it becomes irrelevant, excessive, inaccurate or out of date. Apart from helping you to comply with the data minimisation and accuracy principles, this also reduces the risk that you will use such data in error – to the detriment of all concerned.
Personal data held for too long will, by definition, be unnecessary. You are unlikely to have a lawful basis for retention.
From a more practical perspective, it is inefficient to hold more personal data than you need, and there may be unnecessary costs associated with storage and security.
Remember that you must also respond to subject access requests for any personal data you hold. This may be more difficult if you are holding old data for longer than you need.
Good practice around storage limitation – with clear policies on retention periods and erasure – is also likely to reduce the burden of dealing with queries about retention and individual requests for erasure.
What is documentation?
• Most organisations are required to maintain a record of their processing activities, covering areas such as processing purposes, data sharing and retention; we call this documentation.
• Documenting your processing activities is important, not only because it is itself a legal requirement, but also because it can support good data governance and help you demonstrate your compliance with other aspects of the GDPR.
How can I access my personal data:
The right of access gives individuals the right to obtain:
• confirmation that their data is being processed;
• access to their personal data; and
• other supplementary information.
You must comply with any Subject Access Request (SAR) within one month of receipt. Full details on how to handle these are provided in a separate DIN, reference:
Time limit
As stated above, for most of these rights the data protection legislation sets a deadline of one month from the date the request is received. It is therefore important that the request reaches the relevant person as soon as possible.
Do you share my personal data:
Personal data must not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. (Under the GDPR, a transfer may also rely on appropriate safeguards, such as standard contractual clauses, or on a specific derogation.)
Personal data may be shared or disclosed in the following circumstances:
• Where the individual consents. Implied consent is possible in certain limited circumstances where it is clear from the context that a person consents, for example where the only purpose of filling in the form is to sign up.
• Where the processing is necessary for the purposes of legitimate interests pursued by the data controller, or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
• Where the processing is necessary for the purposes of making a good faith disclosure under the Terrorism Act 2000 or the Proceeds of Crime Act 2002.
In determining the level of security required, we consider the harm that might result from improper use of the data or from its accidental loss, damage or destruction.
How and where do you store or transfer my personal data:
Data protection rules
You must make sure the information is kept secure, accurate and up to date.
When you collect someone’s personal data you must tell them who you are and how you’ll use their information, including if it’s being shared with other organisations.
If you use a data processor, choose one that can provide sufficient guarantees in relation to the technical and organisational security measures governing their processing.
You must also tell them that they have the following rights:
• The right to access personal data and supplementary information, i.e. to see any information you hold about them.
• The right to have inaccurate personal data rectified, or completed if it is incomplete.
• The right to erasure (the right to be forgotten) in certain circumstances, i.e. to request that their data is deleted.
• The right to restrict processing in certain circumstances.
• The right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services.
• The right to object to processing in certain circumstances, i.e. to request that their data is not used for certain purposes.
• Rights in relation to automated decision making and profiling.
• The right to withdraw consent at any time (where relevant).