QUESTION
What information must be given to individuals whose data is
collected?
ANSWER
At the time of collecting their data, people must be
informed clearly about at least:
1. who your company/organisation is (your contact details, and those of your DPO if any);
2. why your company/organisation will be using their personal data (purposes);
3. the categories of personal data concerned;
4. the legal justification for processing their data;
5. for how long the data will be kept;
6. who else might receive it;
7. whether their personal data will be transferred to a recipient outside the EU;
8. that they have a right to a copy of the data (right to access personal data) and other basic rights in the field of data protection (see complete list of rights);
9. their right to lodge a complaint with a Data Protection Authority (DPA);
10. their right to withdraw consent at any time;
11. where applicable, the existence of automated decision-making and the logic involved, including the consequences thereof.
See complete list of information to be provided.
The information may be provided in writing, orally at the
request of the individual when the identity of that person is proven by other
means, or by electronic means where appropriate. Your company/organisation must
do that in a concise, transparent, intelligible and easily accessible way, in clear
and plain language and free of charge.
When data is obtained from another company/organisation,
your company/organisation should provide the information listed above to
the person concerned at the latest within 1 month after your company obtained
the personal data; or, in case your company/organisation communicates with the
individual, when the data is used to communicate with them; or, if a disclosure
to another company is envisaged, when the personal data was first disclosed.
Your company/organisation is also required to inform the
individual of the categories of data and the source from which it was obtained
including if it was obtained from publicly accessible sources. Under
specific circumstances listed in Articles 13(4) and 14(5) of the GDPR your
company/organisation may be exempted from the obligation to inform the
individual. Please check whether that exemption applies to your
company/organisation.
References
Article 12(1), (5) and (7), Articles 13 and 14 and Recitals
(58) to (62) of the GDPR
Article 29 Working Party guidelines on transparency
FURTHER ADVICE AND SUPPORT
If you need more specific support (for example a meeting) I
know the Jersey Community Partnership and Association of Jersey Charities are
looking to co-ordinate some resources with various local suppliers. Where
necessary grant funding may be available.
USEFUL LINKS
Jersey Data Protection Association
There is a list of Jersey Data Protection events here
For a general understanding of GDPR I highly recommend the
guidance of Jersey’s Data Protection Authority