The GDPR requires organisations handling personal data to do so according to its six data processing principles, namely that:
- a) it is processed fairly, lawfully and transparently
- b) it is collected and processed for specific reasons and stored for specific periods of time, and that it is not used for reasons beyond its original purpose
- c) only the data necessary for the purpose it is intended is collected, and not more
- d) it is accurate and that reasonable steps are taken to ensure it remains accurate
- e) it is kept in a form that allows individuals to be identified only as long as is necessary
- f) it is kept securely and protected from unlawful access, accidental loss or damage
From these principles, GDPR requires organisations collecting, using and storing personal data to define a lawful basis that the organisation will use to explain its use of personal data. These are, for example, that they have the individual’s consent, or that they need to do so in order to provide a product or service the individual has asked for, or that they are legally obliged to do. Every bit of personal data held by an organisation must be justified according to one of the six lawful bases.
Your privacy rights
The GDPR also defines the rights that individuals have to access and control their data:
When they are collecting data from you, organisations must properly inform you what data they are collecting, what they are using for, how long they are keeping it and which organisations it is being shared with.
You have the right to contact an organisation and ask them to provide the data they hold on you. This includes the data they hold, why they hold it, and what they are doing with it, including which organisations it is shared with.
You have the right to ensure that information about you is correct, and to ensure that information is corrected if found to be inaccurate.
Also known as the “right to be forgotten”, this means you have the right to demand that information a company holds about you is deleted, in part or entirely. This is not an absolute right, and in some circumstances this request can be refused.
You have the right to deny consent for an organisation to process your data, even if you have given consent for it to do so in the past. This right also is not absolute and can in some circumstances be refused. But an organisation must be able to show you what it is doing with your data so you can decide to restrict processing if you wish.
This right gives you the opportunity to take the data an organisation holds on you and extract it for use elsewhere. A good example are the features that Facebook or Google offers that allow you to download the profile information accumulated on the service. This is to promote competition, so that users are not forcibly tied to an uncompetitive service due to the weight of accumulated data.
This allows you to demand that organisations stop using your data in ways you object to. For example, sending direct marketing, or making nuisance commercial phone calls.
Finally, with the growth in profiling and the use of data to make automated, from targeted advertising or content to credit decisions or job applications, this provides individuals with the right to object to or appeal against automated decisions that affect them. This is particularly the case where decisions have serious legal consequences or similar. All such processing requires the explicit, informed consent of the individual.
Real Soca Deal Privacy Rights Statement
Should you wish to remove your data from the Real Soca Deal database or believe that your details are being held without your consent, please contact firstname.lastname@example.org where your issue will be dealt with immediately.
At any time, your details can be removed by subscribing here.