G8 Digital Media

 

 

G8 European and Data Protection advice

What is personal data?

The GDPR applies to the processing of personal data that is:

  • wholly or partly by automated means; or
  • the processing other than by automated means of personal data which forms part of, or is intended to form part of, a filing system.
Personal data only includes information relating to natural persons who:

  • can be identified or who are identifiable, directly from the information in question; or
  • who can be indirectly identified from that information in combination with other information.

  • Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and you may only process them in more limited circumstances.
  • Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.
  • If personal data can be truly anonymised then the anonymised data is not subject to the GDPR. It is important to understand what personal data is in order to understand if the data has been anonymised.
  • Information about a deceased person does not constitute personal data and therefore is not subject to the GDPR.
  • Information about companies or public authorities is not personal data.

However, information about individuals acting as sole traders, employees, partners and company directors, where they are individually identifiable and the information relates to them as an individual, may constitute personal data.

When we ask you to consent to your information being collected

  • We have checked that consent is the most appropriate lawful basis for processing.
  • We have made the request for consent prominent and separate from our terms and conditions.
  • We ask people to positively opt in.
  • We don’t use pre-ticked boxes or any other type of default consent.
  • We use clear, plain language that is easy to understand.
  • We specify why we want the data and what we’re going to do with it.
  • We give separate distinct (‘granular’) options to consent separately to different purposes and types of processing.
  • We name our organisation and any third party controllers who will be relying on the consent.
  • We tell individuals they can withdraw their consent.
  • We ensure that individuals can refuse to consent without detriment.
  • We avoid making consent a precondition of a service.
  • If we offer online services directly to children, we only seek consent if we have age-verification measures (and parental-consent measures for younger children) in place.

Recording consent

  • We keep a record of when and how we got consent from the individual.
  • We keep a record of exactly what they were told at the time.

Managing consent

  • We regularly review consents to check that the relationship, the processing and the purposes have not changed.
  • We have processes in place to refresh consent at appropriate intervals, including any parental consent.
  • We consider using privacy dashboards or other preference-management tools as a matter of good practice.
  • We make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
  • We act on withdrawals of consent as soon as we can.
  • We don’t penalise individuals who wish to withdraw consent.

What is the right to be informed and why is it important?

The right to be informed covers some of the key transparency requirements of the GDPR. It is about providing individuals with clear and concise information about what we do with their personal data.

We provide individuals with all the following privacy information:

  • The name and contact details of our organisation.
  • The name and contact details of our representative (if applicable).
  • The contact details of our data protection officer (if applicable).
  • The purposes of the processing.
  • The lawful basis for the processing.
  • The legitimate interests for the processing (if applicable).
  • The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
  • The recipients or categories of recipients of the personal data.
  • The details of transfers of the personal data to any third countries or international organisations (if applicable).
  • The retention periods for the personal data.
  • The rights available to individuals in respect of the processing.
  • The right to withdraw consent (if applicable).
  • The right to lodge a complaint with a supervisory authority.
  • The source of the personal data (if the personal data is not obtained from the individual it relates to).
  • The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
  • The details of the existence of automated decision-making, including profiling (if applicable).


When to provide it

  • We provide individuals with privacy information at the time we collect their personal data from them.
  • If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information (see our website privacy policy):
      • within a reasonable period of obtaining the personal data and no later than one month;
      • if we plan to communicate with the individual, at the latest, when the first communication takes place; or
      • if we plan to disclose the data to someone else, at the latest, when the data is disclosed.


How to provide it

  • We provide the information in a way that is:
      • concise;
      • transparent;
      • intelligible;
      • easily accessible; and
      • uses clear and plain language.


Changes to the information

  • We regularly review and, where necessary, update our privacy information.
  • If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.


Best practice – drafting the information

  • We undertake an information audit to find out what personal data we hold and what we do with it.
  • We put ourselves in the position of the people we’re collecting information about.
  • We carry out user testing to evaluate how effective our privacy information is.

Best practice – delivering the information

  • When providing our privacy information to individuals, we use a combination of appropriate techniques, such as:
      • a layered approach;
      • dashboards;
      • just-in-time notices;
      • icons; and
      • mobile and smart device functionalities.

What is the right of access?

The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why we are using their data, and to check if we are doing it lawfully.

What is an individual entitled to?                    

Individuals have the right to obtain the following from us:

  • confirmation that we are processing their personal data;
  • a copy of their personal data; and
  • other supplementary information – this largely corresponds to the information that we provide in our privacy notice (see our website privacy policy).

 

Personal data of the individual

An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone).

How we prepare for subject access requests

  • We know how to recognise a subject access request and we understand when the right of access applies.
  • We have a policy for how to record requests we receive verbally.
  • We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
  • We understand the nature of the supplementary information we need to provide in response to a subject access request.

Complying with subject access requests

  • We have processes in place to ensure that we respond to a subject access request without undue delay and within one month of receipt.
  • We are aware of the circumstances when we can extend the time limit to respond to a request.
  • We understand that there is a particular emphasis on using clear and plain language if we are disclosing information to a child.
  • We understand what we need to consider if a request includes information about others.

What is the right to rectification?

Under Article 16 of the GDPR individuals have the right to have inaccurate personal data rectified. An individual may also be able to have incomplete personal data completed – although this will depend on the purposes for the processing. This may involve providing a supplementary statement to the incomplete data.

How we prepare for requests for rectification

  • We know how to recognise a request for rectification and we understand when this right applies.
  • We have a policy for how to record requests we receive verbally.
  • We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

Complying with requests for rectification

  • We have processes in place to ensure that we respond to a request for rectification without undue delay and within one month of receipt.
  • We are aware of the circumstances when we can extend the time limit to respond to a request.
  • We have appropriate systems to rectify or complete information, or provide a supplementary statement.
  • We have procedures in place to inform any recipients if we rectify any data we have shared with them. 

What is the right to erasure?

Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

When does the right to erasure apply?

Individuals have the right to have their personal data erased if:

  • the personal data is no longer necessary for the purpose which we originally collected or processed it for;
  • we are relying on consent as our lawful basis for holding the data, and the individual withdraws their consent;
  • we are relying on legitimate interests as our basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • we are processing the personal data for direct marketing purposes and the individual objects to that processing;
  • we have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
  • we have to do it to comply with a legal obligation; or
  • we have processed the personal data to offer information society services to a child.

Preparing for requests for erasure

  • We know how to recognise a request for erasure and we understand when the right applies.
  • We have a policy for how to record requests we receive verbally.
  • We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.

Complying with requests for erasure

  • We have processes in place to ensure that we respond to a request for erasure without undue delay and within one month of receipt.
  • We are aware of the circumstances when we can extend the time limit to respond to a request.
  • We understand that there is a particular emphasis on the right to erasure if the request relates to data collected from children.
  • We have procedures in place to inform any recipients if we erase any data we have shared with them.
  • We have appropriate methods in place to erase information.



If you need further information regarding the GDPR and its regulation, please see their website for Europe, https://eugdpr.org/. For data protection laws across the world, visit each country's respective government website.