Data Subject's Rights Policy

Date of Issue: 16 June 2020

1.

Background

1.1

Gleeds understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all of our employees and customers and will only collect and use personal data in a lawful and transparent manner, as set out in our Privacy Policy, available from our website. Employees can also access our Privacy Policy via our intranet (yogi).

1.2

As a ‘data subject’ you have a number of rights under the law with respect to our use of your personal data. This policy explains those rights and how to exercise them.

2.

What does this Policy cover?

2.1

Under data protection law in the UK, including key legislation such as the Data Protection Act 2018, EU Regulation 2016/769 General Data Protection Regulation (the “GDPR”), and any successor legislation, (collectively, “the Data Protection Legislation”) individuals have important rights designed to protect them and their personal data.

2.1

This Policy sets out those rights, explains them in clear terms, and provides guidelines on how to exercise them.

3.

References

 

4.

What is personal data?

4.1

Personal data is defined by the Data Protection Legislation as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.

4.2

In simpler terms, personal data is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers. The personal data that we use is set out in our Privacy Policy.

5.

What are my rights?

5.1

The GDPR sets out your key rights as a ‘data subject’ as follows:

 

  • The right to be informed;

  • The right of access;

  • The right to rectification;

  • The right to erasure;

  • The right to restrict processing;

  • The right to data portability;

  • The right to object;

  • Rights in relation to automated decision-making and profiling.

5.2

The following sections of this Policy explain each right in more detail. If you have any questions about any of your rights under the Data Protection Legislation, or require more detailed information, please contact our Data Protection Officer (see Part 14), the Information Commissioner’s Office or your local Citizens Advice Bureau in the UK (or the equivalent bodies in your country).

6.

The right to be informed

6.1

You have the right to be informed about our collection and use of your personal data. The information we provide must include details of the purpose or purposes for which your data is used, how long we keep it, and who (if anyone) it will be shared with.

6.2

This important privacy information is provided in our Privacy Policy. Additional information about your rights is also provided here, in this Policy.

6.3

If we collect data directly from you, this privacy information will be provided at the time it is collected. For example, we will ask you to read our Privacy Policy and indicate that you have read it and accepted it when visiting our website.

6.4

If we collect data about you from a third party, this privacy information will be provided to you as soon as possible and in any event no later than one month after we have obtained that data.

7.

The right of access

7.1

This right, also known as ‘subject access’ gives you the right to obtain a copy of any personal data that we hold about you as well as other supporting information.

7.2

This right is designed to help you understand how and why we use your data, and to check that we are using it lawfully.

7.3

You can exercise this right by making a ‘subject access request’. A subject access request can be made orally or in writing and although the more detail you can provide, the easier it will be for us to respond quickly, there is no prescribed format for such requests. However, a Subject Access Request Form is available for you to use when making a request.

7.4

We are required by law to respond to a subject access request within one calendar month of receipt (or, where we request proof of identification or a fee (see below), within one calendar month of receipt of that). We may also need to ask you for further information to understand the scope and nature of your request, but this in itself will not affect the time limit. In certain limited cases, however, such as where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.

7.5

There is not normally a fee payable for a subject access request. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs.

8.

The right to rectification

8.1

Under the Data Protection Legislation, you have the right to have inaccurate personal data corrected, or incomplete personal data completed.

8.2

As a ‘data controller’ we are required to take all reasonable steps to ensure that personal data we hold is accurate and, where necessary, kept up-to-date. Your right to rectification is closely tied to this obligation.

8.3

You can exercise this right by contacting us and asking for your data to be rectified if you believe it is incorrect, out-of-date, or incomplete. Requests for rectification can be made orally or in writing. As If an employee of Gleeds you can also update your personal data held by us via MyGleeds.

8.4

We are required by law to respond to a request for your personal data to be rectified within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.

8.5

There is not normally a fee payable for having your personal data rectified. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.

9.

The right to erasure

9.1

This right is also known as the ‘right to be forgotten’ and gives you the right to have your personal data deleted (or ‘otherwise disposed of’ if, for example, it is kept in paper records rather than electronically).

9.2

You can exercise this right by contacting us and asking for your data to be erased. Requests for erasure can be made orally or in writing.

9.3

We are required by law to respond to a request for your personal data to be erased within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.

9.4

There is not normally a fee payable for having your personal data erased. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.

9.5

Please note that the right to erasure is not an absolute right and there are certain circumstances set out in the Data Protection Legislation in which the right does not apply. For example, we may not have to erase your personal data if we need it to comply with a legal obligation. If any of these circumstances apply, we will explain why your personal data cannot be erased when responding to your request for erasure.

10.

The right to restrict processing

10.1

You have the right to request the restriction or suppression of your personal data. In practice, this is an alternative to having your personal data erased. This means that you can limit the way in which we use your personal data, while still allowing us to retain it.

10.2

Please note that the right to restrict processing is not an absolute right and only applies in certain circumstances as follows:

 

(1)

You have contested the accuracy of your personal data and we are verifying the accuracy of it;

(2)

Your personal data has been processed unlawfully and you want us to restrict processing rather than erasing your personal data;

(3)

We do not need the personal data anymore but you need us to keep it in order to establish, exercise, or defend a legal claim; or

(4)

You have exercised your right to object (see Part 10, below), and we are considering whether our legitimate grounds for processing your personal data override your right to object to us using it.

10.3

When processing is restricted, cannot do anything with your personal data other than store it unless we have your consent to do so or unless one of the following applies:

 

(1)

We need to use your personal data in the establishment, exercise, or defence of legal claims;

(2)

We need to use your personal data in order to protect the rights of another person; or

(3)

Important public interest reasons justify using it.

10.4

You can exercise this right by contacting us and asking for the processing of your data to be restricted. Requests for the restriction of processing can be made orally or in writing.

10.5

We are required by law to respond to a request to restrict the processing of your personal data within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.

10.6

There is not normally a fee payable for having the processing of your personal data restricted. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.

11.

The right to data portability

11.1

Where we are processing your personal data either with your consent or for the performance of a contract between us, and we are using automated means of processing (i.e. not using paper files), you have the right to obtain a copy of your personal data in a commonly-used format for use with another organisation. You can also request that we send your personal data directly to another organisation.

11.2

This right is designed to enable you to easily move, copy, or transfer your personal data from one organisation’s IT system to another organisation’s IT system in a safe and secure way, without affecting its usability.

11.3

Please note that this right only applies to personal data that you have provided to us. It does not include additional data that we may create based upon the data you have provided or to data that has been anonymised. In some cases, more personal data relating to you may be available under your right of access (see Part 7, above).

11.4

You can exercise this right by contacting us and asking either for a copy of your personal data for use with another organisation, or for your personal data to be transferred to that organisation. Requests can be made orally or in writing.

11.5

We are required by law to respond to your request within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.

11.6

There is not normally a fee payable for exercising your right to data portability. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.

12.

The right to object

12.1

Where we are processing your personal data either on the basis of our ‘legitimate interests’ or in the performance of a task carried out in the public interest, you have the right to object to us processing your personal data.

12.2

You also have the absolute right to object to us using your personal data for direct marketing purposes.

12.3

If you object to us using your personal data for direct marketing purposes, your right to do so is absolute and we have no grounds on which to refuse.

12.4

If you object to us using your personal data either on the basis of our ‘legitimate interests’ or in the performance of a task carried out in the public interest, please note that your right to do so is not absolute. When making your request to exercise this right, you must give specific reasons for your objection based upon your particular situation. We can continue using your personal data if we can demonstrate ‘compelling legitimate grounds’ which override your interests, rights, and freedoms; or if the processing is necessary for the establishment, exercise, or defence of legal claims. Additional limitations apply if your personal data is being processed for research purposes.

12.5

You can exercise this right by contacting us and stating your objection to the processing of your personal data for the relevant purpose or purposes, providing an explanation if required (see previous paragraph). Objections to processing can be made orally or in writing.

12.6

We are required by law to respond to your request within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.

12.7

There is not normally a fee payable for exercising your right to object. For ‘manifestly unfounded or excessive’ requests, however, we are permitted to charge a ‘reasonable fee’ that covers our costs. Alternatively, in some limited circumstances, we may be permitted to refuse your request.

13.

Automated decision-making (including profiling)

 

We do not carry out automated decision-making (i.e. making a decision using automated means only, without any human involvement) using your personal data.

14.

Exercising your rights

14.1

To exercise any of your rights as a data subject, please contact our Data Protection Officer (“DPO”), David Benge, via:

 

Name David Benge
Email address david.benge@gleeds.co.uk
Postal address Mr D P Benge
  Data Protection Officer
  Gleeds Corporate Services Ltd.
  Trinity House
  Tunbridge WellsKent
  TN1 1AG
Telephone number 01892 501 300

14.2

When contacting us to exercise your right of access, please use the Subject Access Request Form available by clicking here.

14.3

When contacting us to exercise your right to rectification, please provide:

 

  • Your full name;

  • Your address;

  • Your telephone number;

  • Your email address;

  • Details of the information you wish to have rectified; and

  • (Where relevant) any information that supports your request or otherwise provides evidence of the need for rectification.

14.4

When contacting us to exercise your right of erasure, please provide:

 

  • Your full name;

  • Your address;

  • Your telephone number;

  • Your email address;

  • Details of the information you wish to have erased; and

  • (Where relevant) any information that supports your request or otherwise justifies the need to have the data erased.

14.5

When contacting us to exercise your rights to restrict processing or to object to processing, please provide:

 

  • Your full name;

  • Your address;

  • Your telephone number;

  • Your email address;

  • Details of the processing you wish to restrict or object to;

  • Details of why you want the processing to be restricted or why you object to it; and

  • (Where relevant) any information that supports your request or otherwise provides evidence of the need for processing to be restricted or stopped.

14.6

When contacting to exercise your right to data portability, please provide:

 

  • Your full name;

  • Your address;

  • Your telephone number;

  • Your email address; and

  • Details of the personal data you wish to use with another service or organisation, also stating whether you require a copy of that data for yourself or whether you would like.

15.

Our acknowledgement and response

14.6

We will always respond quickly to your request to exercise any of your rights in relation to your personal data. We will acknowledge receipt without undue delay and will provide a complete response to your request as quickly as possible. Normally, as stated above, this will be within one calendar month of receipt of your request. If additional time is required, we will contact you within the first calendar month to explain why the delay is necessary.

16.

Your right to complain

16.1

If you have any cause for complaint about our use of your personal data, or about our handling of your request to exercise your rights under this Policy, you have the right to lodge a complaint with the Information Commissioner’s Office.

16.2

We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first using the details set out above in Part 14.

17.

Implementation of Policy

 

This Policy shall be deemed effective as of 16 June 2020. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

18.

Changes to this Policy

18.1

We may change this Policy from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection. This Policy will also be reviewed regularly (at least every two years) for suitability by the Gleeds’ Data Protection Officer.

18.2

Any changes will be made available externally on Gleeds’ website and internally on Gleeds’ intranet (yogi). This Policy was last reviewed on 13 May 2020 and last updated on 14 May 2020.