EPCP will action a data request within one month of receiving it.
Right to be informed
Right to access
Individuals have the right to access their personal data. This is commonly referred to as subject access. Individuals can make a subject access request verbally or in writing.
Right to rectification
The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. An individual can make a request for rectification verbally or in writing. In certain circumstances we can refuse a request for rectification.
Right to erasure
The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing. The right is not absolute and only applies in certain circumstances. This right is not the only way in which the GDPR places an obligation on us to consider whether to delete personal data.
Right to restriction of processing
Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances. When processing is restricted, ECPT are permitted to store the personal data, but not use it. An individual can make a request for restriction verbally or in writing.
Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. The right only applies to information an individual has provided to a controller. An individual can make a request for portability verbally or in writing.
Right to object
The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. In other cases where the right to object applies we may be able to continue processing if we can show that we have a compelling reason for doing so. An individual can make an objection verbally or in writing.
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is about more than just losing personal data.
If ECPT experience a personal data breach, we will consider the likelihood and severity of any risk to people’s rights and freedoms following the breach. Once we have made this assessment, if it’s likely there will be a risk then we will notify the ICO; if it’s unlikely then we do not have to report to the ICO, but we will document any breach and detail any remedial actions taken to ensure the breach does not happen again.
If a breach has occurred we will contact the ICO on 03031231113 for further advice or record the breach on the ICO website within 72 hours of becoming aware. We will also notify the person/people this may affect with information regarding the breach and possible advice to minimise the effects.
A record of all data breaches, whether reported or not, will be kept by ECPT on a secure, cloud-based system.
In the event of any ECPT employee experiencing a data breach, please complete the data breach reporting template and pass the information to the admin team at firstname.lastname@example.org as soon as you are able.