DP-02 Individual Rights Policy
Last updated: 21 November 2023 at 11:09:24 UTC by Russell Briggs
Individual Rights Request Procedure
Document Ref No | DP-02
Version No | 1
Last review date | 02/10/2021
Approved by | Dom Tyler
Next review | 02/10/2022
1. Purpose, scope and users
2. Individual Rights Requests (IRRs)
3. Responsibilities
4. IRR Procedure
4.1. Request
4.2. Identity Verification
4.3. Review of Information
4.4. Response to Access Requests
4.5. Archiving
5. Exemptions
6. Subject Access Request Refusals
7. Document Management
8. Version Control
1. Purpose, scope and users
This procedure sets out how Recycly will handle and respond to individual rights requests made by data subjects, their representatives or other interested parties. This procedure will enable Recycly to comply with legal obligations, provide better customer care, improve transparency, enable individuals to verify that information held about them is accurate, and increase the level of trust by being open with individuals about the information that is held about them.
This procedure applies to all employees.
2. Individual Rights Requests (IRRs)
Individuals have certain rights in respect of their own personal data:
● The right of access – Data Subjects have the right to obtain confirmation that their data is being processed and to request access to that Personal data.
● The right to rectification – Data Subjects are entitled to have their personal data rectified if it is inaccurate or incomplete.
● The right to erasure – The right to erasure is also known as ‘the right to be forgotten’. This enables a Data Subject to request that Recycly deletes or removes their personal data where there is no compelling reason for its continued processing.
● The right to restrict processing – Data Subjects have the right to block or suppress processing of their Personal Data where there is no compelling reason for the processing. When processing is restricted, Recycly will be permitted to store the Personal Data, but not further process it, and will retain just enough data about the Data Subject to ensure that the restriction is respected in future.
● The right to data portability – Data Subjects have the right to obtain and reuse their Personal Data for their own purposes across different services. It allows them to move, copy or transfer Personal Data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
● The right to object – Data Subjects have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority, direct marketing (including profiling) and processing for purposes of scientific/historical research and statistics.
● Rights in relation to automated decision making and profiling – Data Subjects have the right to review logic used by automated systems, contest automated decisions, request that a human review the automated decision and object to the automated decision making entirely.
An IRR can be made via any of the following methods: email, post, corporate website or any other method. IRRs made online must be treated like any other IRR when they are received, though Recycly will not provide personal information via social media channels.
In general, verbal requests will not be valid. If a verbal request is received, the Data Subject should be advised to make their request in writing by any of the methods mentioned above. If a Data Subject is unable to submit a request in writing (e.g. due to medical reasons) then suitable adjustments should be made.
3. Responsibilities
In the absence of a Data Protection Officer, the overall responsibility for ensuring compliance with an IRR lies with Dom Tyler.
If Recycly acts as a data controller towards the data subject making the request, then the IRR will be addressed based on the provisions of this procedure and details of the information requested will be sent to the data subject.
If Recycly acts as a data processor, the request must be forwarded to the Data Controller and the request processed under the instruction of the Data Controller.
4. IRR Procedure
4.1. Request
Upon receipt of an IRR, Recycly will acknowledge the request. The requestor will be asked to make a request in writing and may be asked to provide as much information as possible to help Recycly identify the requested data. If further information is not provided, then the request must still be completed in full.
4.2. Identity Verification
Recycly must confirm the identity of anyone making an IRR to ensure information is only given to the person who is entitled to it. If the identity of a requestor has not already been provided, the person receiving the request will ask the requestor to provide two forms of identification, one of which must be a photo identity and the other confirming their address.
If the requestor is not the data subject, written confirmation that the requestor is authorised to act on behalf of the data subject is required.
4.3. Review of Information
Recycly must ensure that all information relating to the Data Subject is reviewed and provided to the Data Subject unless an exemption in section 5 applies.
4.4. Response to Access Requests
Recycly will provide the finalised response together with any applicable information and/or a statement that the Company does not hold the information requested, or that an exemption applies. A written response must be sent to the requestor within 1 calendar month.
A response must, as a minimum, contain the following information:
● The request reference number
● A summary of their request
● All applicable information
● Their right to an internal review, including how to request it.
● Their right to complain to the relevant supervisory authority.
If a request cannot be completed within 1 calendar month, the Data Subject must be informed of:
● An expected completion date.
● In brief, why the request could not be completed on time.
The response will be via email, unless the requestor has specified another method by which they wish to receive the response (e.g. post). The Company will only provide information via channels that are secure. When hard copies of information are posted, they will be sealed securely and sent by recorded delivery.
4.5. Archiving
After the response has been sent to the requestor, the IRR will be considered closed and archived in a dedicated folder titled with the relevant Request Reference No (IRR-***). Communications relating to each request should be filed in date and time order.
5. Exemptions
An individual does not have the right to access information recorded about someone else, unless they are an authorised representative, or have parental responsibility.
Recycly is not required to respond to requests for information unless it is provided with sufficient details to satisfy itself as to the identity of the data subject making the request.
In principle, Recycly will not normally disclose the following types of information in response to an IRR:
● Information about other people – A request may cover information which relates to an individual or individuals other than the data subject. Access to such data will not be granted unless the individuals involved consent to the disclosure of their data.
● Repeat requests – Where a similar or identical request in relation to the same data subject has previously been complied with within a reasonable time period, and where there is no significant change in personal data held in relation to that data subject, any further request made within a six-month period of the original request will be considered a repeat request, and Recycly will not normally provide a further copy of the same data.
● Publicly available information – Recycly is not required to provide copies of documents which are already in the public domain.
● Opinions given in confidence or protected by copyright law – Recycly does not have to disclose personal data held in relation to a data subject that is in the form of an opinion given in confidence or protected by copyright law.
● Privileged documents – Any privileged information held by Recycly need not be disclosed. In general, privileged information includes any document which is confidential (e.g. a direct communication between a client and their lawyer) and is created for the purpose of obtaining or giving legal advice.
6. Subject Access Request Refusals
There are situations where individuals do not have a right to see information relating to them. For instance:
● If the information is kept only for the purpose of statistics or research, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved.
● Requests made for other, non-data protection purposes can be rejected.
If Recycly refuses an IRR, the reasons for the rejection must be clearly set out in writing. Any individual dissatisfied with the outcome of their request is entitled to have their request reviewed internally.
If, after the internal review, the requestor is still not satisfied with the response, they are entitled to complain to the relevant supervisory authority.
7. Document Management
The owner of this document is Dom Tyler, who must check and, if necessary, update the document at least once a year.
8. Version Control
Summary of Change | Date of Change | Author | Version No
First Draft | 02/10/2021 | Dom Tyler | 1