General Data Protection Regulation - Exercising your rights
From 25 May 2018, the General Data Protection Regulation (GDPR) as supplemented by the UK Data Protection Act 2018 has legal effect.
This replacement data protection framework places new obligations on organisations and strengthens the rights that individuals have over the processing of their personal information.
The Greater Manchester Authorities have produced this guide to explain your enhanced rights and how we will deal with any requests we may receive from you.
You can also obtain full information about your rights from the Information Commissioner’s Office (the ICO). The ICO is the UK's independent regulator responsible for upholding and enforcing the rights of individuals under data protection law.
In brief, you have the following rights:
- the right to be informed;
- to ask us for access to copies of the personal information we hold about you;
- to ask us to rectify your personal information if it is inaccurate or incomplete;
- to ask us to stop processing your personal information (this is known as the 'right to object');
- to ask us to erase personal information we hold about you (this is also known as the 'right to be forgotten');
- to ask us to 'restrict' the processing of your personal information (e.g. restrict our access and use pending our consideration, for example, of any objection or erasure request you have submitted);
- to ask us to ensure that a decision which legally affects you is reviewed by a person if the decision has been made solely using an automated computerised process;
- to ask us to put the personal information you have given us into a portable electronic machine readable format so it is capable of being transmitted to someone else.
Please be aware that these rights are not absolute and are subject to conditions and exemptions. In some cases the rights described above only apply if the processing activity is undertaken on specific legal grounds and/or in defined circumstances. Therefore all of these rights are unlikely to be engaged in all cases.
This Guide sets out:
- a summary of your rights
  - what these are, and
  - when and how these apply
- how you can exercise these rights
  - what we will need from you; and
  - what you can expect from us
- the meaning of some of the terms we have used (Appendix 1)
Summary of your rights
Right to be informed
Every time we seek to collect information from you, we must inform you why we need to process your personal information, including how we propose to use it, who we intend to share it with and the safeguards we have put in place. If we receive information about you from someone else, we will usually tell you before we use or share your personal information, unless we are aware you already have this information or the law says this is not necessary, such as where this would be prejudicial to ongoing law enforcement/criminal investigations.
We meet these obligations in various ways depending on how you come into contact with us, including directing you to our Privacy Notice viewable on our web site.
Access to your personal information
You are entitled to ask us for copies of the personal information that we hold about you.
At the time of fulfilling your access request, we will provide the following information:
- (a) the reasons why it is necessary to process your personal information;
- (b) the types of personal information we process;
- (c) the recipients or categories of recipient to whom your personal information has been or will be disclosed, including any recipients in third countries or international organisations and, if relevant, the safeguards applicable to the transfer;
- (d) where possible, the envisaged period for which your personal information will be stored, or, if not possible, the criteria used to determine that period;
- (e) the right to request rectification, erasure of personal information or to object or seek to restrict such processing;
- (f) the right to lodge a complaint with a supervisory authority;
- (g) the source(s) of any personal information we hold that has not been collected directly from you;
- (h) whether or not decisions are made about you solely using automated means, including profiling, without human intervention and, if so, provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
We will also explain if we have redacted any information that identifies third parties.
If we withhold information on the basis that it is exempt from disclosure, where it is possible to do so, we will explain the exemption(s) we are relying on and the reason why one or more exemptions apply.
In certain circumstances we may refuse to respond to your request if we consider that it is unfounded, excessive or repetitive in nature.
You are entitled to ask us to:
- correct inaccurate information about you
- update the information we hold if it is incomplete
If we agree that the personal information you have identified is factually inaccurate, we will correct it. We will also:
- endeavour to inform anyone with whom we may have shared your personal information of any correction(s) we have made so they can rectify the information they hold about you;
- tell you who the recipients of your information are, if you ask us to do this, so you can check if they have updated the personal information they hold about you.
If we disagree with your view that the information we hold about you is factually wrong, then in our response we will explain the basis for our decision and your right to complain to the Information Commissioner if you are not satisfied.
If you consider that personal information we hold about you is incomplete and we do not agree with this, we may offer you the option of adding a supplementary statement explaining why you consider the information we hold is incomplete.
Objections to processing
You have the right to object to us using your personal information where it is being processed for:
- direct marketing
- profiling whether linked to direct marketing or for other purposes
- performing our statutory functions, tasks carried out in the public interest or when exercising official authority;
- our legitimate interest or those of a third party;
- scientific/historical research/statistics where:
  - this is likely to cause substantial damage or substantial distress; or
  - involves decision-making about an individual
If you object to us using your personal information for direct marketing (or profiling linked to direct marketing) we will cease processing for this purpose(s).
If you object to the use of your personal data for scientific/historical research or statistical purposes on one or both of the above grounds, we will carefully consider your request and let you know the outcome. It may not always be possible to meet your objection if, for example, the processing is carried out for the purpose of measures or decisions with respect to particular individuals where this is in accordance with the law and is necessary for specified bodies to carry out approved medical research.
Where you object to us processing your personal information for any of the other reasons above, we will:
- consider if we have compelling legitimate grounds for continued processing; and
- whether or not these grounds are sufficiently compelling to justify overriding your privacy rights.
Where the law requires us to process your information to meet our statutory functions and public tasks, including our law enforcement functions, it is very likely that we will not be able to comply with your request.
For example, you will not be able to use this right to prevent us from:
- collecting and administering council tax or assessing benefit entitlements
- taking measures to protect the health and safety of our staff
- establishing, exercising or defending our legal rights
- pursuing criminal investigations or proceedings
If we do not uphold your objection, we will explain our reasons in our response and your right to complain to the Information Commissioner if you are not satisfied.
Restriction on use / access
This right may be exercised in circumstances where:
- we need time to consider your representations where you are:
  - contesting the accuracy of the personal information we hold about you; or
  - objecting to our processing of your information
- it has already been determined the processing is 'unlawful' and you ask us to retain and 'restrict' its use;
- we no longer need to retain your personal information but you ask us to retain it for the establishment, exercise or defence of your own legal claims.
If you make a request we will let you know if we agree to restrict access to your information for one or more of the above reasons.
If we decide a restriction is appropriate, we will endeavour to notify any recipients of your personal information and let you know who they are if you ask us to do so.
Where processing is restricted, we will continue to store your personal information but, during the period of restriction, will otherwise only process it:
- with your consent; or
- if it is necessary for the establishment, exercise or defence of legal claims;
- if it is necessary for the protection of the rights of another person; or
- if it is necessary for reasons of important public interest, including for example, communicating with the Information Commissioner.
Where a restriction is applied pending a determination of 'accuracy' or any 'objection' you may have submitted, we will let you know the outcome of your representations and will notify you prior to lifting the restriction.
Where the reason for the restriction is for one of the other reasons above, the erasure of the personal information will not take place until we have resolved evidential issues with you.
We will also tell you about your right to complain to the Information Commissioner if you are not satisfied.
Erasure (also referred to as the right to be "forgotten")
You have the right to request that we erase your personal information in defined circumstances.
These defined circumstances are:
- (a) if we are storing your personal information for longer than is necessary or in breach of a legal obligation that requires its erasure;
- (b) you decide to withdraw your consent and you ask us to erase your personal information where there is no other legal ground for processing;
- (c) we have accepted an objection made by you to our processing of your personal information and you have further requested that we erase the personal information in question;
- (d) we are processing or publishing your personal information without a legal basis for doing so;
We will carefully consider a request for erasure. Our response will outline whether or not we consider retention of your personal information is unwarranted.
There are circumstances in which it may not be possible to agree to your erasure request. We have listed below a number of grounds on which it may be necessary for us to retain your information:
- in the interests of freedom of expression (special journalistic purposes)
- in order to comply with a legal obligation;
- for archiving in public interest;
- for public health functions in public interest
- for exercising legal rights or defending legal claims
If we agree to erase your personal information, we will endeavour to notify any recipients and let you know who they are if you ask us to do so.
If we refuse your request for erasure we will explain our reasons in our response and your right to complain to the Information Commissioner if you are not satisfied.
In certain circumstances, you have the right to request that personal information you have supplied to an organisation be converted into a structured, commonly used and machine-readable format so that it can be transmitted to another organisation. This right is primarily intended to stimulate competition in the commercial sector by making it easier for consumers to switch from one supplier to another.
As most of the processing activities undertaken by us are governed by statute or as a result of legal obligations imposed on us, this right is only engaged where:
- we process your personal information on an automated basis, and the legal basis for our processing:
  - is based on your consent; or
  - is for entering into or the performance of a contract with you
If you make a request for the personal information you have supplied to us to be converted into a portable format where our legal basis for processing falls within one of the grounds above, we will let you know our decision and, if you are not satisfied with our response, of your right to complain to the Information Commissioner.
Automated Decision Making
In general, decisions which affect you legally or have similarly significant effects are not permitted using solely automated processing, especially if this involves the use of personal information which because of its nature, is termed 'Special' or 'Sensitive'. This is because decisions made using automated electronic programmes or software do not involve human beings.
But there are some exceptions where automated decision-making is permitted. This is where the processing:
- is based on your explicit consent;
- is necessary for entering into or the performance of a contract with you;
- is required or authorised by law
Where an automated decision is made about you based on one of the reasons above, you are entitled to be:
- informed that our processing activity involves automated decision making and to be informed about the logic involved and the likely consequences of the processing for you;
- told what measures and safeguards we have implemented to protect your privacy;
Within 1 month of your receipt of the above notification, you have the right to:
- contest the automated decision;
- ask that the automated decision be reconsidered by an appropriate person with the authority/seniority to reach a fresh decision that is not based solely on automated processing.
If you contest an automated decision and ask for it to be reconsidered, we will respond within the allowed time period and let you know whether or not this fresh decision has led to the same or a different outcome.
We will also explain your right to complain to the Information Commissioner if you are not satisfied.
How you can exercise your rights
How do I make a request (known as a Subject Access Request)?
Where you are seeking a copy of your personal information please submit your request to the Data Protection Officer, Bury Council, Town Hall, Knowsley Place, Bury BL9 0SW.
For all other requests please contact us (see contact details at the end of the page).
For all requests, we will need:
- documentary proof that you are who you say you are (this is for security reasons to ensure we are dealing with you and that none of your personal information is accessed or interfered with by anyone else falsely claiming to be you);
- information about the request you are making and your dealings with us to help identify the information in question and to your request.
Please ensure you provide at least two forms of identification with your request [copies of utility bills, driving licence or similar] bearing your full name and current postal address.
On receipt of your request, we will always send you a written acknowledgement and may need to ask you for:
- proof of identification if you have not supplied this already;
- information about the nature of your request and your dealings with us so we can understand, identify and locate information that is relevant where this is not already clear from your request.
If we do not hear back from you with confirmation of your identity and/or sufficient information to respond to your request within 2 weeks, we will not be able to process your request and it will be treated as lapsed for accounting purposes.
Can someone else make a request for me?
A friend, relative, advocate or solicitor may act on your behalf. However, this person must supply written authority from you to confirm that they are acting for you and we will still require identification for you.
What if a data subject 'lacks mental capacity'?
A person with a lasting power of attorney appointed directly by the data subject or a Deputy appointed by the Court of Protection may exercise these rights.
What about requests involving children?
Unlike Scotland, there is no set age in England which recognises when children are automatically able to exercise data protection rights.
A child aged 13 or over is able to create an online social media account without the consent of a person with parental responsibility.
As a general rule a child must have sufficient understanding and maturity to exercise their own rights and a common sense approach will be adopted in the event a child or young person submits a request.
For children aged under 13, it will generally be expected that a request is made by a person with parental responsibility with whom the child normally resides and 'best interest' considerations will be taken into account.
When can I expect your response?
We aim to respond to your request without undue delay and no later than 1 calendar month counted from the first working day after we are in receipt of your request, and:
- proof of your identity, and
- any further information (where we have requested this from you) we need to process your request and/or locate and retrieve your personal information.
Where it is not possible to respond sooner and the last day before expiry of 1 calendar month falls over a weekend or on a bank holiday, the latest due date will be treated as the first working day after the weekend or bank holiday.
If your request is complex, we may need to extend the length of time required to respond.
If this applies, we will let you know before the latest due date on which you would be expecting to hear back from us.
The law says we can extend the length of time to respond by a maximum of a further 2 calendar months.
Where it is not possible to respond sooner and the last day before expiry of the 2nd calendar month falls over a weekend or on a bank holiday, the latest due date will be treated as the first working day after the weekend or bank holiday.
We will always endeavour to respond as quickly as we can.
Will I have to pay a charge?
Ordinarily we will not charge a fee for fulfilling a request from you.
The only exception is where you make repeat requests for the same or similar information. In these cases, we reserve the right to charge a reasonable fee based on the administrative costs of supplying further copies if we consider a reasonable time period has not intervened since fulfilling a previous request.
Will I get all of the information I am requesting?
Normally this is likely to be the case.
But it is important to note that the right of access to your own information does not extend to information about other people who may be identified in the information that also refers to you.
We may therefore redact personal information about other persons (including third parties) where we are satisfied it is reasonable in the circumstances to do so.
In some cases information may be so interlinked that it is not possible to fulfil your request without breaching another person's privacy rights.
The names of professional staff (whether directly employed by us or not) involved in decision-making about your care and education will often be disclosable and their identities will not be automatically redacted, unless this is warranted in a particular case.
The law recognises that there are occasions when it may be appropriate to withhold certain information and provides exemptions in specified circumstances.
If we withhold information on the basis that it is exempt from disclosure, where it is possible to do so, we will explain the exemption(s) we are relying on and the reasons why one or more are necessary.
Can I choose the format in which my information is supplied?
Where you have submitted your request electronically or asked us to respond in a particular format, we will try to do so wherever this is reasonably practicable.
Can you refuse my request?
In certain circumstances we may refuse to act on your request if we consider that your request is unfounded, excessive or repetitive in nature.
We will give our reasons if we refuse to comply with your request on this ground.
What if I am not satisfied with your response or it is taking too long?
If you do not hear from us by the latest due date or are not satisfied with the response we have given, you have the right to complain to the Information Commissioner.
The Information Commissioner is the UK's independent regulator responsible for upholding and enforcing the rights of individuals under data protection law.
You can email the Information Commissioner's office at email@example.com or write to:
Information Commissioner's Office,
Full information about your rights is also available at Information Commissioner’s Office.
Appendix 1 - Meaning of terms
"Personal information" means any information relating to an identified or identifiable living person. An identifiable person is anyone who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number or online identifier.
"Special or Sensitive Personal information" is information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and personal information relating to criminal offences and convictions.
"Processing" means any activity that involves the use of personal information. It includes obtaining, recording or holding the information, or carrying out any operation or set of operations on the information including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal information to other Recipients.
"Data Subject" means a living, identified or identifiable individual about whom we as the Controller hold personal information.
"Controller" means the person or organisation (in this case us) that determines when, why and how to process personal information.
"Privacy Notices" are notices setting out the information given to you at the time we collect information from you or within a reasonable time period after we obtain information about you from someone else. These notices may take the form of an overarching privacy statement (as available on our web site) or apply to a specific group of individuals (for example, service specific or employee privacy notices) or they may be stand-alone, one time privacy statements covering processing related to a specific purpose.
"Consent" must be a freely given, specific, informed and unambiguous indication of an individual's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
"Explicit Consent" requires a very clear and specific statement, leaving no room for misinterpretation.
"Third Party" is a living individual other than the person who is the data subject.
"Recipient" means a person or organisation who receives your personal information from us. This may be a company with whom we have entered into a contract to provide services on our behalf or another Controller with whom we are either required or permitted to share personal information.
"Latest due date" means 1 calendar month counted from the first working day after proof of ID and any requested information is received by us, except where this falls on a weekend or a bank holiday in which case the "latest due date" is treated as the first working day after the weekend or bank holiday. The same method is applied to calculating the "latest due date" for complex requests where an extension of time is permitted and claimed.
"Automated Processing" means any processing of personal information that is automated through the use of computers and computer software.
"Automated Decision-Making (ADM)" means a decision which is based solely on Automated Processing (including Profiling) which produces legal effects or significantly affects an individual. The GDPR generally prohibits Automated Decision-Making except in defined circumstances, subject to certain conditions and safeguards being met.
"Profiling" means the recording and analysis of a person's psychological and behavioural characteristics, so as to assess or predict their capabilities in a certain sphere or to assist in identifying categories of people.
"General Data Protection Regulation (GDPR)" means the General Data Protection Regulation ((EU) 2016/679).
"Data Protection Act 2018" means UK legislation that repeals the 1998 Act; implements discretions delegated to EU Member States under the GDPR; provides for the role, responsibilities and enforcement powers of the Information Commissioner and sets data protection standards for processing activities that do not fall within the purview of the GDPR.