Aerospace Wales Forum Limited Subject Access Policy
The GDPR (General Data Protection Regulation) creates some new Rights for Data Subjects as well as strengthening existing Rights. As a Data Controller, Aerospace Wales must be able to comply with these Rights. The GDPR provides the following Rights for individuals:
- Right of Access (Also known as a Subject Access Request)
- Right to Rectification
- Right to Erasure
- Right to Restrict Processing
- Right to Data Portability
- Right to Object
- Rights in Relation to Automatic Decision Making and Profiling
Further information about each of the above Rights can be found in Appendix 1 of this procedure. It is important that should you receive and identify such a request against any of the above Rights that this procedure is followed.
It should be noted that Data Subjects can make such requests verbally (for example over the telephone), as well as in an email or postal letter.
The purpose is to provide a procedure to follow when a Data Subject Request in relation to the above Rights is received by Aerospace Wales.
All Staff have a responsibility to recognise a request and to comply with the procedure as follows.
Where a request is received by staff covering any of the GDPR Data Subject Rights the request must be passed to the Aerospace Wales Data Protection Team immediately.
The request must be forwarded to email@example.com If the request was made over the phone then as much information as possible regarding what was requested must be typed into an email and sent to the Data Protection Team immediately. If the request is received in a postal letter, this can either be scanned and sent to the Data Protection Team by email, or the hardcopy sent to our offices at Waterton Centre, Waterton Industrial Estate, Bridgend, Cardiff CF31 3WT
The Data Protection Team will process the request accordingly and respond to the Data Subject in line with the legislation. They may ask for input and/or provision of data from the team across Aerospace Wales in order to ensure they have fully complied with the request. Due to the time limits for complying, teams requested to assist should treat such requests as a priority.
If there is uncertainty around whether it is a request please refer to the Data Protection Manager for further advice.
Appendix 1 – Rights of Data Subjects:
Right of Access (Also known as a Subject Access Request)
Data Subjects have the Right to obtain:
- Confirmation that their data is being processed
- Access to their personal data and
- Other supplementary information
Right of access requests must be responded to within one month.
Right to Rectification
Data Subjects are entitled to have their personal data rectified if it is inaccurate or incomplete. If the information in question has been disclosed to a third party the Data Controller must inform them of the request for rectification where possible. The Data Subject is also entitled to be informed of the third parties to whom the data has been disclosed, where appropriate.
Rights to rectification must be responded to within one month.
Right to Erasure
This Right is also known as the ‘Right to be Forgotten’. It enables Data Subjects to request the deletion or removal of personal data where there is no compelling reason for its continued processing by the Data Controller.
The Right to Erasure applies in the following circumstances:
- The personal data is no longer necessary in relation to the purpose for which it was originally collected
- The processing was based on consent, and the Data Subject has now withdrawn their consent
- The Data Subject objects to processing and there is no overriding legitimate interest of the Data Controller
- The data was being unlawfully processed
- The data must be erased to comply with a legal obligation
Right to Restrict Processing
When this Right is exercised you are permitted to store the personal data but not further process it. Restricted information about the individual may be retained to ensure that the restriction is respected in the future.
The Right to Restrict Processing applies in the following circumstances:
- When a Data Subject contests the accuracy of their personal data, then processing should be restricted to storage only until accuracy is verified
- When a Data Subject objects to processing which is being carried out for the reason of performance of a task in the public interest, or for the legitimate interests of the Data Controller, then the Data Controller must restrict processing to storage only whilst they consider whether their legitimate grounds override the Rights and freedoms of the individual.
- When processing is unlawful and a Data Subject opposes erase and requests restriction to storage instead.
- When the Data Controller no longer needs the personal data but the Data Subject requires it for the purpose of a legal claim.
Right to Data Portability
This Right allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows the individual to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way in a common data format, for example, Excel or CSV file.
The Right to Data Portability applies in the following circumstances:
- When the personal data was provided to the controller directly by the Data Subject
- Where the processing is based on consent or performance of a contract
- When processing is carried out by automated means Right to Object Individuals have the
Right to object to:
- Processing based on legitimate interest or performance of a task in the public interest/exercise of official authority (including profiling)
- Direct marketing (including profiling)
- Processing for the purposes of scientific/historical research and statistics
Rights in Relation to Automatic Decision Making and Profiling
This Right provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention.
The Right not to be subject to a decision applies when:
- It is based on automated processing
- It produces legal/significant effects on the individual It does not apply if the decision:
- Is necessary for entering into or performance of a contract
- Is authorised by law
- Is based on explicit consent
- Does not have a legal/significant effect on the data subject