Guide 12 - Individual Rights
Guide 12 - Individual rights
The General Data Protection Regulation has introduced and expanded upon several data subject rights to ensure data subjects have suitable control over their data.
If you have received or would like to make a request/query please contact the Data Protection Officer via DataProtection@Imperial.ac.uk or see below for more information.
Right to be informed – Article 13 / Article 14
Provided either at the time of data collection or within a set period of time (one month) when provided by a third party, individuals have the right to be informed about the collection and use of their personal data.
We must provide you/they with information including: the purposes for processing personal data, our retention periods for that personal data, and who it will be shared with. This is often set out in a privacy notice(s) which should be highlighted to the data subjects and explained in a clear and concise manner.
Should you believe that we have not provided you with sufficient information about how we are going to process your data then you can ask us to expand upon the information already provided, explain the legal basis we have used to process your data and/or provide you a copy of the relevant privacy notice, if not already known.
For more information see the following page
Right of Access – Article 15
Commonly referred to as Subject Access, individuals have a right to access to be informed/confirmed that the College is processing their data, be provided a copy of the personal data held and provided other supplementary information which is likely to be provided via relevant privacy notices (see previous Right to be informed).
For more information see the following page.
Right to rectification – Article 16
The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete.
Should you believe that the personal data we are processing about you is inaccurate you can submit a request for rectification whereby the College will review and update the data it holds accordingly though there are certain circumstances when we can refuse a request for rectification though this will be explained.
Right to erasure – Article 17
The GDPR has introduced the right to erasure otherwise known as the ‘the right to be forgotten’.
This is not an absolute right and it will only apply in certain circumstances where the College relies upon certain legal bases of processing or the data is no longer necessary to be held though all requests will be considered in accordance with the legislation.
Right to restrict processing – Article 18
You will also have a right to request the restriction or suppression of your personal data. As with the right to be forgotten, this is not an absolute right and will only apply in certain circumstances. You should refer to the Information Commissioner’s Office guidance on right to restrict processing for further information on this.
Should we restrict processing for an individual the College will still be able to store the information but will not be able to use it unless for certain specific activities.
Right to data portability – Article 20
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.
It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
The right of portability only applies to information an individual has provided to the College.
Right to object – Article 21
The GDPR gives you a right to object to the following whereby specific reasons need to be provided:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics.