Security & Compliance


GDPR > Data Erasure or Correction Request Policy and Procedure

Last updated: 21 November 2023 at 11:11:26 UTC by Russell Briggs

  1. Purpose

    This document sets out the Company’s policy for responding to subject access requests under the GDPR. It explains the rights of the data subject in relation to a data erasure or correction request and the responsibilities of Recycly Ltd (Company number 05683385) when dealing with that request.

  2. Scope

    This policy and procedure apply across all entities or subsidiaries owned, controlled, or operated by Recycly Ltd and to all employees, including part-time, temporary, or contract employees.

  3. Policy Statement

    3.1 What is the right to rectification?

     

    Under Article 16 of the GDPR individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.

     

    3.2 What is the right to erasure?

     

    Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

     

    3.3 When does the right to erasure apply?

     

    Individuals have the right to have their personal data erased if:

     

    • the personal data is no longer necessary for the purpose which you originally collected or processed it for;
    • you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
    • you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
    • you are processing the personal data for direct marketing purposes and the individual objects to that processing;
    • you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
    • you have to do it to comply with a legal obligation; or
    • you have processed the personal data to offer information society services to a child.

    Recycly Ltd is committed to meeting all reasonable requests for access in accordance with GDPR whilst protecting Recycly Ltd’s intellectual property and respecting the ethos of honest confidential feedback.

     

  4. Procedure

    4.1 How should a rectification or erasure request be processed once it has been received?

    When a rectification or erasure request is received from a data subject, it should immediately be reported to the Information Controller Officer, who will log and track each request. If you are asked to provide information, you will need to consider the following before deciding how to respond:

     

    • Under GDPR Articles 7(3), 12, 13, 15-22 data subjects have the following rights:
            • to be informed;
            • to access their own data;
            • to rectification;
            • to erasure (Right to be Forgotten);
            • to the restriction of processing;
            • to be notified;
            • to data portability;
            • to object;
            • to object to automated decision making.

    • Requests must be made in writing (template form is attached but is not mandatory). All requests received by email, mail, fax, social media, etc. must be processed.
    • If a request has already been complied with and an identical or similar request is received from the same individual, a fee can be charged for the second request unless a reasonable interval has elapsed.
    • The statutory response time is one month.
    • Requests should include the full name, date of birth and address of the person seeking access to their information. To comply with the GDPR, information relating to the individual must only be disclosed to them or someone with their written consent to receive it.
    • Before processing a request, the requestor’s identity must be verified. Examples of suitable documentation include:
            • Valid Passport
            • Valid Identity Card
            • Valid Driving Licence
            • Birth Certificate along with some other proof of address, e.g. a named utility bill (no longer than 3 months old)

     

    4.2 Individual rights

    An individual has the right to know what information is held about them. GDPR in the UK provides a framework to ensure that personal information is handled properly.

    This information must be:

     

    • Processed fairly, lawfully and in a transparent manner
    • Processed for specific, legitimate and lawful purposes
    • Adequate, relevant and not excessive
    • Accurate and kept up to date
    • Not kept longer than necessary
    • Processed in line with an individual’s rights
    • Secure
    • Not transferred other than in accordance with agreed terms and conditions

    4.3 Rectification or erasure requests made by a representative or third party

    Anyone with full mental capacity can authorise a representative/third party to help them make a data rectification or erasure request. Before disclosing any information, Recycly Ltd must be satisfied that the third party has the authority to make the request on behalf of the requestor and that the appropriate authorisation to act on their behalf is included (see Data Request Form).

     

    4.4 Complaints

    If an individual is dissatisfied with the way Recycly Ltd has dealt with their subject access request, they should be advised to invoke Recycly Ltd’s complaints process. If they are still dissatisfied, they can complain to the Data Protection Regulator.

     

     

     

  5. Responsibilities

    5.1 Compliance, monitoring and review

    • The overall responsibility for ensuring compliance with the requirements of the related legislation in relation to performing subject access rights at Recycly Ltd rests with the Information Controller Officer.
    • All Recycly Ltd employees who deal with personal data are responsible for processing this data in full compliance with the relevant Recycly Ltd policies and procedures.

    5.2 Records management

    Staff must maintain all records relevant to administering this policy and procedure in electronic form in a recognised Recycly Ltd recordkeeping system.

     

    All records relevant to administering this policy and procedure will be maintained for a period of 5 years.

     

     

     

  6. Terms and Definitions

    General Data Protection Regulation (GDPR): The General Data Protection Act 2018 (DPA 2018) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

     

    Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data

     

    Data Processor: the entity that processes data on behalf of the Data Controller

     

    Data Protection Authority: national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union

     

    Data Protection Officer (DPO): an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR

     

    Data Subject: a natural person whose personal data is processed by a controller or processor

     

    Personal Data: any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person

     

    Privacy Impact Assessment: a tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data

     

    Processing: any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.

     

    Profiling: any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour

     

    Regulation: a binding legislative act that must be applied in its entirety across the Union

     

    Subject Access Right: also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them

     

     

     

  7. Related Legislation and Documents

    7.1 Right to rectification

    https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/

     

    7.2 Right to erasure

    https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

  8. Feedback and Suggestions

      Recycly Ltd’s employees may provide feedback and suggestions about this document by emailing dominic.tyler@Recycly.com

     

     

  9. Approval and Review Details

    This policy must be reviewed and updated annually.

    The following matters must be considered as part of each review of this policy:

    • changes to the legal and regulatory environment;
    • changes to any codes of conduct to which the company subscribes;
    • developments in industry best practice;
    • any new data collected by the company;
    • any new data processing activities undertaken by the company; and
    • any security incidents affecting the company.

  10. Appendix

    10.1 Data Rectification Form:

    Letter template for rectification

    To Whom It May Concern:

    I am hereby requesting rectification of inaccurate personal data concerning me according to Article 16 GDPR.

    Please make the following changes:
    Specify the data to be corrected.

    In case you have disclosed the affected personal data to third parties, you have to communicate my request for rectification of the affected personal data to each recipient as laid down in Article 19 GDPR. Please also inform me about those recipients.

    My request explicitly includes any other services and companies for which you are the controller as defined by Article 4(7) GDPR.

    As laid down in Article 12(3) GDPR, you have to confirm the erasure to me without undue delay and in any event within one month of receipt of the request.

    I am including the following information necessary to identify me:
    Enter your identification data here. This often includes information like your name, your date of birth, your address, your email address and so on.

    If you do not answer my request within the stated period, I am reserving the right to take legal action against you and to lodge a complaint with the responsible supervisory authority.

    If you do not normally deal with these requests, please pass this letter to your Information Controller Officer dominic.tyler@Recycly.com, or relevant staff member. If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk or it can be contacted on 0303 123 1113.

    Yours faithfully


    [Signature]

     

     

     

    10.2 Data Rectification Form:

    Letter template for erasure


    To Whom It May Concern:

    I am hereby requesting immediate erasure of personal data concerning me according to Article 15 GDPR.

    [Please erase all personal data concerning me as defined by Article 4(1) GDPR.]
    [Please delete the following personal data concerning me: Specify the data to be deleted.]

    I am of the opinion that the requirements set forth in Article 17(1) GDPR are fulfilled.

    If I have given consent to the processing of my personal data (e.g. according to Article 6(1) or Article 9(2) GDPR), I am hereby withdrawing said consent.
    In addition, I am objecting to the processing of personal data concerning me (which includes profiling), according to Article 21 GDPR.

    In case you have disclosed the affected personal data to third parties, you have to communicate my request for erasure of the affected personal data, as well as any references to it, to each recipient as laid down in Article 19 GDPR. Please also inform me about those recipients.

    If you object to the requested erasure, you have to justify that to me.

    My request explicitly includes any other services and companies for which you are the controller as defined by Article 4(7) GDPR.

    As laid down in Article 12(3) GDPR, you have to confirm the erasure to me without undue delay and in any event within one month of receipt of the request.

    I am including the following information necessary to identify me:
    Enter your identification data here. This often includes information like your name, your date of birth, your address, your email address and so on.

    If you do not answer my request within the stated period, I am reserving the right to take legal action against you and to lodge a complaint with the responsible supervisory authority.

    If you do not normally deal with these requests, please pass this letter to your Information Controller Officer dominic.tyler@Recycly.com, or relevant staff member. If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk or it can be contacted on 0303 123 1113.

    Yours faithfully


    [Signature]