Understanding data protection: individual rights and charity responsibilities

The key aim of data protection legislation is to protect the rights of individuals (i.e. data subjects) in respect of their personal data. That being the case, the UK GDPR creates various data subject rights which all charities should be familiar with.
Key Data Protection rights individuals have
- The right to be informed – individuals have the right to be told that their personal data is being collected and, amongst other things, what it is being used for. Usually this information is set out in a privacy notice which is made available to the individual at the time their personal data is collected by the charity.
- The right of access – this is the right for an individual to make a subject access request to ask for a copy of the personal data the charity holds about them and for certain information about how their personal data is handled by the charity.
- The right to rectification – this is the right for an individual to request that a charity which is holding their personal data either corrects that data if it is incorrect or completes incomplete personal data that it holds.
- The right to erasure (also known as the right to be forgotten) – this is the right for an individual to request that a charity permanently deletes personal data it holds about them.
- The right to restrict processing – this is the right for an individual to ask a controller to stop or pause processing of their personal data, for example, whilst inaccuracies in the personal data are investigated.
- The right to data portability – this is the right for an individual to request that the personal data they provided to a charity is transferred from that charity to another in a suitable format so that it can be used by the recipient.
- The right to object – this is the right for an individual to object to a charity processing their personal data, for example, for marketing purposes.
- Rights in relation to automated decision making and profiling – this is the right for an individual not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning the individual or similarly significantly affects them. It is a right which may not be relevant to a lot of charities, as many do not make decisions about a data subject or profile a data subject by purely automated means without any human involvement. An example of automated decision making is recruitment agencies using IT software to read and filter out applicants for a job where the employer has certain pre-set requirements, for example, by filtering out all applicants without a certain qualification.
Can a charity refuse a request?
Whilst all individuals have the above rights, these rights are not as straightforward as they may seem (and certainly not as straightforward as data subjects may think). There are various circumstances in which a charity can decline to fulfil certain requests by an individual to exercise their rights. For example, there are only certain circumstances in which a charity has to comply with a data subject’s request for the charity to restrict processing of their personal data.
Key takeaways for charities
The takeaway therefore is that just because a data subject asks to exercise certain UK GDPR rights, it doesn’t mean the request must be complied with. Each request needs to be carefully considered, especially if the processing and continued use of that personal data is important for the charity.

Disclaimer
This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.