Information Governance and Security
Individual Rights Under the GDPR
You have the following rights with respect to the personal data the University hold and process obout you:
1. The right to be informed
You have the right to be given information about how and why your data is being processed.
When you provide your information directly to the University you will be informed at that time how it will be used via a privacy notice. This will include the purpose of processing, how long it will be held, your right to object and details of any recipients of your data.
Where the University does not directly receive your personal data from you but by a third party, you will be informed within one month of the date of receipt.
Check out the following pages for our main privacy notices covering students, staff, and research participants.
2. The right of access
You have the right to receive confirmation that your data is being processed and to access it by request.
You can access your personal data by submitting a Subject Access Request to the University and, after your identity has been verified, you will receive a response within one month.
To make a request please click here.
3. The right to rectification
You have the right to correct your personal data if it is inaccurate or incomplete.
The University will respond to requests for rectification within one month or, in the case of a complex request, up to three months. If your data has been shared with a third party the University will inform them of the rectification where possible.
To make a request for rectification, please email details to firstname.lastname@example.org
4. The right to erasure
You have the right to request that your personal data is removed, so long as there is no compelling reason for it to continue to be processed.
This does not mean that you have an absolute right ‘to be forgotten’, but that you can have personal data erased or prevent its processing in the following circumstances:
- Where your personal data is no longer necessary for the purpose for which it was originally collected/processed.
- When you withdraw consent.
- When you object to the processing and there is no ‘legitimate interest’ for the University to continue the processing.
- Where your personal data was unlawfully processed.
- When your personal data has to be erased in order to comply with a legal obligation.
- Where your personal data is processed in relation to the offer of information society services to a child.
The University can refuse a request for erasure for the following reasons:
- To exercise the right of freedom of expression and information.
- To comply with a legal obligation or for the performance of a public interest task or exercise of official authority.
- For public health purposes in the public interest
- For archiving purposes in the public interest, scientific research, historical research, or statistical purposes.
- The exercise or defence of legal claims.
If your data has been shared with a third party, the University will inform them of the erasure where possible.
5. The right to restrict processing
You have the right to restrict the processing of your personal data so that it may continue to be held but no longer processed.
The University will restrict processing in the following circumstances:
- If you contest the accuracy of the data.
- Where you have objected to the processing of personal data where the University has a legitimate interest.
- When processing is unlawful but you oppose erasure and request restriction instead.
- Where the University no longer needs the personal data but you require it to establish, exercise or defend a legal claim.
If your data has been shared with a third party, the University will inform them of the restriction of processing where possible.
You will be informed when the University decides to lift a restriction on processing.
To make a request to restrict the processing of your personal data, please contact email@example.com
6. The right to data portability
You have the right to obtain your personal data in an easily transferable format to reuse for your own purposes.
This right only applies:
- To personal data you provided to the University;
- Where processing is based on your consent or for the performance of a contract; and
- When processing is carried out by automated means.
You can request that this data be provided to you in an open format, such as a CSV file, or that it be transferred directly to another organisation if this is technically feasible. The University will respond to requests within one month or, in the case of a complex request, up to three months.
To make a request, please email details to firstname.lastname@example.org
7. The right to object
You have the right to object at any time to the processing of your personal data for the purposes of direct marketing; processing based on ‘legitimate interests’ or; processing for research or statistical purposes.
This right relates only to the three specific purposes for processing detailed below, there is no right to object to processing in general.
- Processing for the purposes of direct marketing – this is an absolute right and the University must cease processing your personal data for direct marketing following receipt of your objection.
- Processing based on legitimate interests – you must have grounds relating to your particular situation in order to object to your personal data being processed for this purpose. The University must stop processing your data unless it can demonstrate compelling legitimate grounds which override your interests, rights and freedoms as an individual.
- Processing for research or statistical purposes - you must have grounds relating to your particular situation in order to object to your personal data being processed for this purpose. If the research being conducted requires the processing of your personal data for the performance of a public interest task, the University is not required to comply with an objection.
To make an objection, please contact email@example.com
8. Rights in relation to automated decision making and profiling
You have the right not to be subjected to a decision that is based on automated processing which results in a legal impact upon you.
In such a circumstance the University must ensure that you are able to have human intervention in the decision, express your views and receive an explanation of the decision so that you may challenge it.
This right does not apply if a decision does not have a legal effect on you, or if a decision:
- Is necessary for entering into, or performance of, a contract between you and the University.
- Is authorised by law, for example for the purpose of fraud prevention.
- Is based on your explicit consent.
If the University at any point uses automated processing for the purposes of profiling it must ensure that this process is fair and transparent, use appropriate mathematical procedures, take steps to minimise the risk of errors and secure the personal data to prevent any discriminatory effects.
Some rights apply at all times, such as the right of access, while the availability of other rights depends on the basis of processing used by the University, as shown below:
Queries and Complaints
If you have any queries about how your data is processed you can of course contact your normal contact for the service in question. Otherwise you can contact the University's Data Protection Officer, to whom you can also address complaints. You are also able to complain directly to the Information Commissioner's Office (ICO)