Privacy Policy
HERTS ENERGY LTD
DATA SUBJECT RIGHTS POLICY
The GDPR provides data subjects with certain rights, many of which are similar to the original principles set out by the Data Protection Act, but under the GDPR these rights will be more in-depth and further reaching. These rights include: the right to be informed; the right to access; the right to restrict processing; and the right to object. We have detailed each of these rights below, along with the measures we will take to ensure compliant satisfaction of these rights.
THE RIGHT TO BE INFORMED
The right to be informed encompasses our obligation to provide ‘fair processing information’, typically through a privacy notice. It emphasizes the need for transparency over our uses of personal data.
The information we will supply relating to the processing of personal data must be:
• Concise, transparent, intelligible and easily accessible;
• Written in clear and plain language, particularly if addressed to a child; and
• Free of charge.
The use of data, including how we protect and store data, will be made readily available to individuals through our privacy notice on our website.
What information must be supplied?
The below summarises the information we should supply to individuals and at what stage:
• We need to provide full contact details of our firm (and where applicable, the controller’s representative) and the data protection officer;
• We need to detail the purpose of the processing and the legal basis for the processing;
• We need to include the legitimate interests of the controller or third party, where applicable;
• List the categories of personal data;
• We need to detail any recipient or categories of recipients of the personal data;
• We need to include details of transfers to third countries and safeguards;
• We need to include our retention period or criteria used to determine the retention period;
• We need to include the existence of each of the data subject’s rights;
• We need to inform the customer of their right to withdraw consent at any time, where relevant;
• We need to inform the customer of their right to lodge a complaint with a supervisory authority;
• We are to inform the customer of the source the personal data originates from and whether it came from publicly accessible sources;
• Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data; and
• We are to include the existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences.
THE RIGHT TO ACCESS
The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
(a) the purposes of the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(f) the right to lodge a complaint with a supervisory authority;
(g) where the personal data are not collected from the data subject, any available information as to their source.
(h) Information on the existence of automated decision making, including profiling, and providing meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.
- Where personal data is transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. Such safeguards include:
o A legally binding and enforceable instrument between public authorities or bodies; and
o Binding corporate rules in accordance with Article 47.
- When requested, the controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs.
- Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. The right to obtain a copy shall not adversely affect the rights and freedoms of others.
THE RIGHT TO RESTRICT PROCESSING
Under the DPA, individuals have a right to ‘block’ or suppress processing of personal data. The restriction of processing under the GDPR is similar and is detailed in Articles 18 (Right to restriction of processing) and 19 (Notification obligation regarding rectification or erasure of personal data or restriction of processing) respectively.
When processing is restricted, we are permitted to store the personal data, but not process it further. We can retain just enough information about the individual to ensure that the restriction is respected in future. This needs to be applied and communicated to each data processor where applicable and documented where appropriate.
When does the right to restrict processing apply?
We are required to restrict the processing of personal data in the following circumstances:
• Where an individual contests the accuracy of the personal data, we should restrict the processing until we have verified the accuracy of the personal data. We would do this by asking the individual to confirm the information is correct and, where required, update it accordingly.
• Where an individual has objected to the processing (where it was necessary for the performance of a public interest task or purpose of legitimate interests), and we are considering whether our organisation’s legitimate grounds override those of the individual. This can only be confirmed by way of evidenced consent from the individual or for the purpose of criminal proceedings.
• When processing is unlawful and the individual opposes erasure and requests restriction instead, we are obliged to ensure this request is documented and that the data collected is used only for the intent for which it was originally collected, and is not processed further.
• If we no longer need the personal data but the individual requires the data to establish, exercise or defend a legal claim. We would ask the individual to submit a DSAR and release the data upon receipt and in accordance with the DSAR procedure.
• We may need to review procedures to ensure we are able to determine where we may be required to restrict the processing of personal data.
• If we have disclosed the personal data in question to third parties, we must inform them about the restriction on the processing of the personal data, unless it is impossible or involves disproportionate effort to do so. We must inform individuals when we decide to lift a restriction on processing.
THE RIGHT TO OBJECT
Individuals have the right to object to:
• Processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
• Direct marketing (including profiling); and
• Processing for purposes of scientific/historical research and statistics.
How to comply with the right to object?
If we process personal data for the performance of a legal task or our organisation’s legitimate interests
Individuals must have an objection on “grounds relating to his or her particular situation”.
We must stop processing the personal data unless:
• We can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
• The processing is for the establishment, exercise or defence of legal claims.
We must inform individuals of their right to object “at the point of first communication” and in our privacy notice.
This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
If we process personal data for direct marketing purposes
We must stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse.
We must deal with an objection to processing for direct marketing at any time and free of charge.
We must inform individuals of their right to object “at the point of first communication” and in our privacy notice.
This must be “explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information”.
If we process personal data for research purposes
Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes.
If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.
If our processing activities fall into any of the above categories and are carried out online:
We must offer a way for individuals to object online.