The General Data Protection Regulation ('GDPR') provides the following rights for individuals:
- The right to be informed – Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement which is usually satisfied by the provision of a privacy notice (described in further detail below) at the point the personal data is collected by the University. A Notice should be given whether we receive personal data directly from an individual or indirectly from someone else.
The right of access – Individuals have a right to access their personal data which is commonly referred to as a Subject Access Request. Please click here for further information on how to submit a subject access request.
- The right to rectification – Individuals have a right to have inaccurate personal data rectified, or completed if it is incomplete. This right is closely linked to the accuracy principle.
- The right to erasure – Individuals have a right to have personal data erased which is also known as the right to be forgotten. This right is not absolute and only applies in certain circumstances. Please click here for further information about this right and how to submit a right to erasure request.
- The right to restrict processing – Individuals have the right to request the restriction or suppression of their personal data. This right is not absolute and only applies in certain circumstances.
- The right to data portability – Individuals have the right to obtain and reuse their personal data for their own purposes across different services. This right allows individuals to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without it affecting usability.
- The right to object – Individuals have the right to object to the processing of their personal data in certain circumstances, including an absolute right to stop their data being used for direct marketing.
- Rights in relation to automated decision making and profiling – Individuals have the right not to be subject to a decision based solely on automated decision-making using their personal data.
- The right to communication – individuals have the right to be told about personal data breaches that pose a high risk of harm to them. They will be told, at least, the consequences of the breach for them, what the University is doing/ has done to address the breach/ minimise harm and be provided with a contact point.
A response to all rights must be sent without undue delay and at the latest within one month. That period may be extended by two further months if a request is complicated or we receive a number of requests from the same individual. If the University proposes to extend the time beyond a month, we will tell the individual, within one month of receiving a request, why the extension is necessary and when it will be dealt with.
Where an individual makes a request by email we will generally respond by email unless the individual requests otherwise.
When providing information to an individual we will do so in a concise, transparent, intelligible and easily accessible form, using clear and plain language. This is especially the case if we are dealing with a child/ young person. We can provide information verbally to the individual if they request so and we are satisfied they are entitled to the information.
If, for whatever reason, we choose not to deal with the request then we will tell the individual why, without delay and at the latest within one month of receipt of their request. They will be advised that they may lodge a complaint with the Information Commissioner’s Office or seek a judicial remedy.
The following is provided free of charge:
- privacy notices and,
- any communication and any actions taken under rights 2 to 9 referred to above.
However where a request(s) is “manifestly unfounded or excessive” (this might be where the requests are, repetitive) we may:
- charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- refuse to act on the request.
It is for the University to prove that a request is manifestly unfounded or excessive.
Where the University has reasonable doubts concerning the identity of the person making the request we may request the provision of additional information necessary to confirm their identity.
The rights above are not absolute. The GDPR sets out the circumstances in which they apply. In addition an exemption may be present in the Data Protection Act 2018 which means that we are able to depart from our usual obligations.
To help us faciliate any request regarding your Data Subject Rights, it would be helpful if you could complete a Data Subject Rights Form, providing as much information as possible, and submit this by email to infocompliance at warwick dot ac dot uk or sent it to:
Information and Data Compliance
University of Warwick
In addition you will need to send a copy of one form of ID (passport, driving licence, birth certificate or other internationally recognised ID card) for yourself.
Download a Data Subject Rights form here: