The General Data Protection Regulation (GDPR) is European legislation effective from 25 May 2018. In accordance with the requirements outlined in the GDPR Capital Resolve Ltd will ensure that personal data will be processed lawfully, fairly and in a transparent manner. GDPR allows individuals a range of specific data subject rights that they can exercise under certain conditions.
Consent from a customer to process their personal data will fall under two categories.
Subject Access Requests (SARs) are written requests from an individual or their representative for access to the personal information that a company holds about them. We can accept SARs in writing either by post or email to: firstname.lastname@example.org
Requests can be made on behalf of others with consent, power of attorney or where the data subject is a minor and the requester has parental responsibility. If a legal representative makes a request we will require a letter of authority and we will still need to confirm their identity.
We can refuse to comply to a request if we have previously complied with an ‘identical or similar request’ and, in certain circumstances, we may be able to impose a reasonable fee or refuse to act upon the request if we are able to demonstrate that the request warrants such a response.
To help establish the identity of the data subject we require a copy of one document from each of the following categories with a SAR application:
Once we have received a request and validated it we have 30 days to respond.
Under Article 16 of the GDPR individuals have the right to have inaccurate personal data rectified.
If we are holding incorrect personal data regarding a data subject we will correct these upon verbal or written notification. In most circumstances it may be appropriate for a data subject to make a rectification request directly to our client.
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. In most circumstances it may be appropriate for a data subject to make an erasure request directly to our client.
Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organisation uses their data. This is an alternative to requesting the erasure of their data. In most circumstances it may be appropriate for a data subject to make a restrict processing request directly to our client.
The legislation gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have the right to object to the following: 1) Processing based on legitimate interests or the performance of a task in the public interest, 2) Direct marketing, 3) Processing for purposes of scientific or historical research and statistics.
In most circumstances it may be appropriate for a data subject to make an objection request directly to our client.
Under the General Data Protection Regulation (GDPR), sensitive data is referred to as being special category data. This is defined in Article 9 of the regulation.
From time to time we may need to process information about the mental or physical health of a customers, this is to ensure we meet our obligations in respect of the sensitive treatment of potentially vulnerable consumers. Data subjects have no statutory or contractual obligation to provide us with any special categories of personal data, such as details of bad health. But, refusing to do so could mean that we would not be able to manage their account according to their needs.
If we are holding any special categories of personal data on a data subject this can be removed at any time on request.
You have the right to lodge a complaint with our supervisory body. If you wish to do so, please contact the Information Commissioner’s Office (ICO), Tel: 0303 123 1113, website: https://ico.org.uk/