Data Subject Access Request and your personal data rights
The Rotheras policy concerning data subject access requests (DSAR) is as detailed in this policy document.
This written request can be made to anyone at Rotheras but to avoid any potential delay it should be made to the Data Subject Access Team (DSAT) at 2 Kayes Walk, Stoney Street, The Lace Market, Nottingham, NG1 1PZ, or to the designated email address at email@example.com .
If you want to raise a query in advance of any possible request you can use the following contact details for Mr Charles George at 0115 9106287 or firstname.lastname@example.org, Richard Hammond at 0115 9106267 or email@example.com or Richard Bates at 0115 8525835 or firstname.lastname@example.org.
To ensure the request is effectively and promptly dealt with please state that this is a request to see your personal data.
Before we proceed with your request we will require identification documentation to verify that you are the person making the request. This will be one form of photo ID, such as a current driving licence or passport and a second document verifying your current address, which can be another form of photographic ID with address or a utility bill which is no more than 3 months old.
How we will deal with the request
- The data requested will be provided as soon as reasonably practicable and, in any event, within 30 days subject to provision of your ID verification as referred to above.
- The reply to your request will inform you whether we hold any personal data, a description of the data, copies of the data and the business reason why it has been retained by us.
- If the data is complex or numerous we can extend the initial period by a further 2 months. We will notify you about this within the initial 30 day period and explain the reason why.
- There will be no fee for the information requested. However, if we decide the request is manifestly unfounded or excessive, particularly if it is repetitive, we have the right to charge a reasonable fee about which you will be advised at the time. We will also charge a reasonable fee where we are asked for further copies of the said information. Again you will be advised as to that fee at the time.
- We hope this will not be necessary, but if we decide the DSAR is unfounded or excessive we can refuse to deal with the request.
- We will try to ensure the information provided can be readily understood, and where the request is made electronically, in an electronic format.
- Where we hold a lot of data we may ask you to specify the information the request relates to. If in the circumstances we decide the request is evidentially unfounded or excessive you will be informed accordingly.
- Redaction: if another individual and/or other entity’s data might be disclosed by a DSAR that information will be redacted from the relevant document/s before disclosure.
You have the following additional rights
- Right to rectification
You have the right to have your personal data rectified if it is inaccurate or incomplete. We will respond within 30 days but this can be extended by 2 months if the request is complex.
- Right to erasure (“right to be forgotten”)
You have the right to request deletion or removal of personal data where there is no compelling reason for its continued processing. This may arise in the following circumstances:
- Where your personal data was no longer required for the purpose for which requested.
- You are withdrawing consent and there is no other legal basis for processing.
- Your personal data was unlawfully processed.
- Your personal data has to be erased to comply with a legal obligation.
- Your personal data is processed in relation to the offer of “information society services” to a child.
We can refuse the right to erasure in the following circumstances:
- To exercise the right of freedom of expression and information to comply with the legal obligation for the performance of a public interest task or exercise of official authority.
- For public health purposes and in the public interest. For archiving purposes and public interest, scientific research, historical research or for statistical purposes.
- The exercise or defence of legal claims.
- Erasing children’s personal data
We are required to pay special attention to existing situations where a child has given consent to processing and then later request erasure of the data (regardless of their age at the time of the request) especially on social networking sites and internet forums. We recognise that a child may not have been fully aware of the risks involved in the processing at the time of the consent.
- Right to restrict processing
You may block or supress the processing of personal data. When processing is restricted, we are permitted to store the personal data but not to process it further. We can retain enough information about you to show that the restriction is respected in the future.
More particularly we are required to restrict the processing of personal data in the following circumstances:
- Where you contest the accuracy of the personal data, the processing should be restricted until we have verified the accuracy of the personal data.
- Where you object to the processing and we are considering whether our firm has legitimate grounds to override your individual rights.
- The processing is unlawful and you oppose erasure and request a restriction instead.
- We no longer need your personal data but you want the data to establish, exercise or defend a claim.
- Right to portability
You have the right to obtain and reuse your personal data for your own purposes across different services. The right of portability is limited to the following:
- To personal data you have provided.
- Where the processing is based on your consent or the performance of a contract and
- When processing is carried out by automated means.
The personal data requested will be provided in a structure commonly used and in a machine readable form. This information will be provided free of charge and without delay and in any event within 30 days. We can extend this period by 2 months where the request is complex or we receive a number of requests. You will be informed within the initial one month period and why the extension is necessary.
If you ask for the data to be transmitted directly to another organisation, this will be carried out if it is technically feasible. However, we are not required to adopt or maintain processing systems that are compatible with other organisations.
- Right to object to processing
There are 2 situations where you have the right to object. In both circumstances we must respond to the request within 30 days. We can extend this period for 2 months on grounds of complexity or numerous requests and you will be informed within 30 days of the receipt of the request and an explanation will be given.
(a) Processing data for the performance of a legal task or our firm’s legitimate interests
You can object on grounds relating to your particular situation. We must stop processing your personal data unless we can show compelling legitimate reasons for the processing which overrides your interests, rights and freedoms; or the processing is for the establishment, exercise or defence of legal claims.
We must inform you of your right to object when you first instructed us and in our Privacy Notice. This will be brought expressly to your attention and will be separate from our Terms of Business letter.
(b) Processing personal data for direct marketing purposes
We will stop processing personal data as soon as we receive your objection. There are no exemptions or grounds to refuse. This must be done at any time and free of charge.
You will be informed as to your rights when you first communicate with us and in our Privacy Notice.
(c) Communicating with the information Commissioner’s Office (ICO)
If your DSR or other requests have not been dealt with to your satisfaction you can contact the Information Commissioner’s Office on:
Via email: htpps://ico.org.uk/global/contact-us/email
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
21 May 2018