GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. 

GDPR strengthens individuals' rights and brings corresponding new requirements on organisations to demonstrate accountability, matched by new penalties for non-compliance. The UK Government will bring the GDPR into UK law as part of a Data Protection Bill. 


What are the GDPR principles?

The GDPR introduces six principles to replace the eight in the Data Protection Act. These are that personal data must be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.


What are your rights under GDPR?

Right of access

Individuals have a right to request a copy of any personal data that the University holds on them, and to request details regarding that data’s use, retention and any relevant sharing of the data.

The right of access is generally applicable, with exemptions in specific, limited circumstances.

Right to rectification

If personal data is inaccurate, out of date, or incomplete, individuals have the right to correction, update or completion of that data.

This right does not apply if the use or storage of the data is necessary for:

  • compliance with a legal obligation, or for performance of a task carried out in the public interest or in the exercise of official authority
  • public health reasons
  • archiving in the public interest, scientific or historical research purposes or statistical purposes, where erasure would seriously impair these objectives
  • the establishment, exercise or defence of legal claims
  • exercising the right of freedom of expression and information

Right to erasure

Individuals can request that their personal data is erased or destroyed. This is also known as the “right to be forgotten”.

This right is applicable if:

  • the data are no longer needed for the purposes for which they were collected
  • consent was given to obtain the data and consent has been withdrawn
  • the data subject objects to the processing and the University has no overriding legitimate grounds to keep the data
  • the data has been unlawfully processed, e.g. the University cannot meet an appropriate processing condition for using/holding it
  • the data must be erased to ensure compliance with a legal obligation

This right does not apply if the use or storage of the data is necessary for:

  • compliance with a legal obligation, or for performance of a task carried out in the public interest or in the exercise of official authority
  • public health reasons
  • archiving in the public interest, scientific or historical research purposes or statistical purposes, where erasure would seriously impair these objectives
  • the establishment, exercise or defence of legal claims
  • exercising the right of freedom of expression and information

Right to restriction

Individuals can request that the use or storage of their data is restricted in a manner of the individuals’ choosing. 

This right is applicable if:

  • the accuracy of personal data is contested by the data subject
  • the use or storage of the data is unlawful and the data subject opposes erasure
  • the University no longer needs the data but the individual needs the data for the establishment, exercise or defence of legal claims
  • the individual has objected to the processing and verification of the legitimate grounds of the University to override the objection is pending 

Right to data portability

Individuals have the right to both receive their personal data in a structured, commonly used and machine-readable format and to transmit those data to another organisation. 

This right is applicable if:

  • the data subject has provided the personal data to the controller
  • the use or storage of the data is based on consent or on a contract
  • the use of the data is carried out by automated means   

Right to object

Individuals have the right to object at any time to the use or storage of their personal data. 

This right is applicable if:

  • the use or storage of the data is based on public interest tasks or legitimate interests
  • the data are being used or stored for direct marketing purposes

This right does not apply if the University has compelling legitimate grounds for the use or storage of the data which either override the interests, rights and freedoms of the individual, or are necessary for the establishment, exercise or defence of legal claims.

Automated individual decision-making, including profiling

Individuals have the right not to be subject to automated processing, including profiling.

This right is applicable if: 

  • the automated processing results in a decision with a legal or similarly significant effect on the individual

This right does not apply if the decisions resulting from the automated processing: 

  • are necessary for entering into or the performance of a contract between the individual and the University
  • are authorised by UK or EU law
  • are based on the individual’s explicit consent