Personal Information Rights
The below details ENS requirements to comply to GDPR. The General Data Protection Regulation (GDPR) gives the individuals the right to request personal data, which is processed from a controller.
Requests are referred to as Data subject access requests or access requests.
Right of access, correction, erasure
An individual has the right to obtain the following information from a controller:
- Confirmation if personal data concerning the individua is being processed.
- In the instance personal data is being processed, can request a copy of the personal data
- The purpose of the processing
- Categories of personal data
- Recipients of personal data, who it has or will be disclosed to – identifying recipients in third countries or international organizations and appropriate safeguards
- The retention period or criteria used to determine the retention period.
- Existence of the following rights;
- right to rectify
- right to erasure
- right to restrict processing
- right to object
- Right to raise a concern with supervisory authority
- Where personal data is not collected from the data subject, any available information as to its source
- Existence of automated decision making, how decisions are made, significance and consequence of processing
Requests in writing, specific as possible in relation to personal data you wish to access. Provide evidence of your identity
Controller will provide information in writing
Controller can refuse where access request is manifestly unfounded or excessive – need to provide proof.
Controller needs to consider the rights of third parties when reviewing a request – rights such as data protection, trade secrets or intellectual property of others.
A balance of rights, the controller should endeavor to comply with the request insofar as possible, whilst protecting the rights and freedoms of others.
Process
Client to put in writing to info.ens@negotiate.org
The request will be assessed by the Data Protection Officer.
The assessment will factor in the GDPR controller requirements – ensuring proof of identity. If not provided in the first instance, the Data Protection Officer will request prior to the assessment.
A response will be issued to the client in writing either providing the requested information or action taken; or in the event the request is deemed to be unfounded or excessive, provide justification for declining the request.
The PII will be reviewed in all listed business systems.
Request to modify can be actioned such as change of name, contact information.
Request to erase information will need to be considered and the client informed of potential implications of engaging with ENS.
Example the client is booked for a course in two months time and requests ENS to remove their email address from our system. Booking management processes in the lead up to training, include email communication.
Staff request
Staff can source PII retained via Employment Hero and can actively manage their own information.