This page is set up to help us to comply with The EU General Data Protection Regulation.
EU data protection law – The EU General Data Protection Regulation – provides data subjects (defined as: an identified or identifiable natural person) with a wide array of rights that can be enforced against organisations that process personal data.(defined as: any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person).
This includes the right to obtain:
- confirmation that their data is being processed
- access to their personal data
- other supplementary information (mostly the information provided in privacy notices)
We must provide data subjects with a copy of the information they request free of charge. However, we are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive. The fee must be based on the administrative cost of providing the information. An alternative solution for excessive, unfounded or repetitive requests is for us to refuse to comply. If we refuse to comply, we must explain to the data subject why we are refusing to comply, and let the data subject know of their right to appeal to the organisation’s supervisory authority.
Information must be provided without delay and within at least one month of receiving the request.
Where requests are complex or numerous, we can extend the deadline for providing the information to three months. However, we must still respond to the request within a month, explaining why the extension is necessary.
We must provide data subjects with the option of making requests electronically (e.g. by email) as well as physically. Where a request is made electronically, the information must be provided in a commonly used file format.