Data Subject Rights Procedure
1. Introduction
The purpose of this document is to define the procedure to be followed by Bud Leaders (hereinafter “Bud Leaders”, “we”, “us”, “our”), in those cases in which a request for the exercise of rights is received from a data subject.
In this regard, the Data Subjects Rights Procedure (hereinafter, the “Procedure”) aims to ensure maximum efficiency in the management of such rights, in line with our commitment to the protection of personal data, respect for privacy and compliance with the requirements of the applicable regulations in this area.
All organizational and technical levels of Bud Leaders shall ensure the real and effective application of this Procedure, so that no request for the exercise of rights is left unattended or is attended to with delay.
An inadequate response to a request could constitute a violation under the applicable data protection regulations. For example, it constitutes a very serious violation of the UK GDPR (as defined below), which can lead to very high penalties (up to £17.5 million) and have a major impact on the reputation of Bud Leaders.
2. Scope
This Procedure shall apply to requests for the exercise of rights submitted by any type of data subject in the terms defined in the applicable regulations. By way of example, this includes employees, freelancers, consultants and participants in BUD activities.
3. Applicable Regulations
This Procedure is based on the following standards and reference guides:
- Retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (“UK GDPR”)
- The Data Protection Act 2018 (“DPA”)
- The Information Commissioner’s Office UK GDPR Guidance
And on the following internal policies:
- BUD Leaders Website Privacy Policy
- BUD Leaders Employee Privacy Policy
- BUD Leaders Service Policy
- BUD Leaders Cyber Incident and Data Breach Policy
In this sense, the drafting of this Procedure is mainly carried out with an approach based on compliance with the requirements of the UK GDPR and the ICO guidelines on this matter.
4. Rights recognized by the UK GDPR
BUD Leaders is committed to maintaining the highest standards in terms of privacy, so, as indicated above, this Procedure follows the approach of the rights recognized under the UK GDPR and the ICO guidelines on this matter.
As established by the UK GDPR, personal data is understood as “any information relating to an identified or identifiable natural person”. In this sense, data subjects may exercise the rights granted to them by the data protection regulations, and BUD Leaders is obliged to comply with them in the terms provided for by the regulations.
The UK GDPR specifically grants data subjects the rights detailed below:
4.1 Right of access:
The right of access allows the data subject to obtain confirmation as to whether or not personal data concerning him or her are being processed by BUD Leaders. If the data is being processed, the data subject has the right to access it and the following information:
- The purposes of the processing.
- The categories of personal data concerned.
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations.
- Where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period.
- The existence of the right to request from BUD Leaders rectification or erasure of personal data or restriction of processing of personal data concerning the data subject, or to object to such processing.
- The right to lodge a complaint with a supervisory authority.
- Where the personal data are not collected from the data subject, any available information as to their source.
- The existence of automated decisions, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
BUD Leaders will provide the requester with a copy of the personal data undergoing processing. If the data subject repeatedly requests additional copies from BUD Leaders, a reasonable fee based on administrative costs may be charged.
Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information will be provided in a commonly used electronic form.
4.2 Right to rectification:
The right to rectification allows the data subject to obtain from BUD Leaders without undue delay the rectification of inaccurate personal data concerning him or her.
Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
BUD Leaders shall implement measures to verify the quality and accuracy of the data in order to prevent the data subject from making any mistakes in the process of rectification or replacement of the old data with the new data.
BUD Leaders will communicate any rectification carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort.
In this regard, if requested by the data subject, the list of recipients will be sent to him/her.
4.3 Right to erasure:
The data subject shall have the right to obtain from BUD Leaders the erasure of personal data concerning him or her without undue delay. BUD Leaders shall be obliged to erase personal data in the following circumstances:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to his or her particular situation, and there are no overriding legitimate grounds for the processing.
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation.
- The personal data have been collected in relation to the offer of information society services.
The requested erasure of data will not apply to the extent that processing is necessary:
- For exercising the right of freedom of expression and information.
- For compliance with a legal obligation that requires the processing of data or for the performance of a task carried out in the public interest.
- For reasons of public interest in the area of public health.
- For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, insofar as the right of erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing.
- For the establishment, exercise, or defense of legal claims.
BUD Leaders will communicate any rectification carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort.
In this regard, if requested by the data subject, the list of recipients will be sent to him/her.
Once the request has been responded to, the personal data will be kept duly excluded from processing or isolated from any processing system (i.e. blocked), so that, in practice, the data will be recorded as erased. Per the regulations in force, the conservation of such data will have a duration equivalent to the statute of limitations of the corresponding actions. Once these periods have elapsed, the data will be definitively erased.
4.4 Right to object:
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on public interest or legitimate interest, including profiling based on those provisions.
BUD Leaders shall no longer process the personal data, unless it demonstrates compelling legitimate grounds for the processing which overrides the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
4.5 Right not to be subject to automated individual decision-making
This is the right of the data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
BUD Leaders may deny the request for this right if the decision:
- Is necessary for entering into, or performance of, a contract between the data subject and BUD Leaders.
- Is based on the data subject’s explicit consent.
- Is authorized by a law that lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests.
However, in requests for this right where the reason for refusal is the first or second of the above, BUD Leaders shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, to express his or her point of view and to contest the decision.
4.6 Right to restriction of processing:
This is the right of the data subject to obtain from BUD Leaders restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the data subject, for a period enabling BUD Leaders to verify the accuracy of the personal data.
- The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
- BUD Leaders no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims.
- The data subject has objected to the processing pursuant to his or her particular situation, pending the verification of whether the legitimate grounds of BUD Leaders override those of the data subject.
For the duration of the restriction, BUD Leaders may only process the data subjects’ data, other than for their storage, if any of the following circumstances apply:
- With the data subject’s consent.
- For the establishment, exercise or defense of legal claims.
- For the protection of the rights of another natural or legal person.
- For reasons of public interest.
Any data subject who has obtained the restriction of processing according to this paragraph shall be informed by BUD Leaders prior to the lifting of such restriction in the event that any of the above circumstances are met.
BUD Leaders will communicate any rectification carried out to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves a disproportionate effort.
In this regard, if requested by the data subject, the list of recipients will be sent to him/her.
4.7 Other Rights:
Provided that the data processing is carried out under the legal basis of the data subject’s explicit consent, the data subject has the right to withdraw his/her consent at any time under the terms explained in the relevant informative documentation on the processing of his or her personal data (e.g. for sending marketing communications based on the data subject’s profile).
5. Request Entry Channels
BUD Leaders will identify all entry channels for receiving data subject requests and will be responsible for raising awareness at all organizational levels of the importance of knowing how to identify such requests and immediately forward them to the team responsible for managing them. The person or people responsible for rights management at BUD Leaders (hereinafter, the “Responsible Person”) may respond directly to the data subjects, or manage the response through the third parties it deems appropriate, being in any case available for any questions that may arise in this regard.
The Responsible Person can be contacted at: georgina@budleaders.org.
In this regard, BUD Leaders is committed to the implementation of measures that allow the effective awareness of all its employees in this matter so that, in those cases in which they receive a request for rights, such request is immediately redirected to the Responsible Person. Delay or failure to send requests for the exercise of rights received shall constitute a serious violation of BUD Leaders’ internal regulations.
6. Reception of Requests
BUD Leaders will have a register of requests for the exercise of rights in which (i) all requests received, (ii) the identity of the requesters and (iii) the right exercised by them will be recorded; as well as the steps taken in responding to the corresponding request.
Those responsible for the database will be previously informed and advised of the need to manage and execute each right and confirm if the individuals have not been located in the database.
7. Request Requirements
The request for the exercise of rights must comply with the requirements listed below:
- Identification of the data subject by name and surname.
- Copy of the requester’s ID card or any other identification document, only when it is considered indispensable to verify the requester’s identity and it has not been possible to identify the data subject by any other means.
- Document accrediting the representation of the data subject in the event that the request is made through a legal representative.
- Right being exercised (although the explicit mention of the right is not required as long as it can be reasonably inferred to which right it refers).
- Supporting documents of the request (if applicable).
In the event that the request does not meet these requirements:
- The requester will be asked to remedy it using the “REQUEST FOR ADDITIONAL INFORMATION” template included in this regard in the corresponding ANNEX.
- If no response is received within one (1) month, a reminder will be sent to the requester using the “REMINDER OF REMEDIATION” template included in the corresponding ANNEX.
- If no reply is received within fifteen (15) days of sending the reminder, the case will be considered closed and the requester shall be informed of the impossibility of fulfilling the right exercised using the “RESPONSE INFORMING OF THE IMPOSSIBILITY OF FULFILLING THE RIGHT” template included in this regard in the corresponding ANNEX.
In the event that the request does comply with the above requirements:
BUD Leaders shall acknowledge the correct reception of the request by contacting the requester, using the “CONFIRMATION OF RECEIPT OF REQUEST” template included in this regard in the corresponding ANNEX.
8. Response to Requests
BUD Leaders will respond to requests for the exercise of rights within a maximum period of one (1) month. Said period shall commence on the date of receipt of the request and may be extended by two (2) further months in the case of particularly complex requests, and the data subject must be informed of any such extension within one (1) month of receipt of the request, indicating the reasons for the delay (see the template “COMMUNICATION OF EXTENSION OF PERIOD” included in this regard in the corresponding ANNEX). The assessment of whether it is appropriate to extend the response period shall be the sole responsibility of the Responsible Person.
BUD Leaders will always respect its obligation to respond to such requests, even when the response is negative, giving the reasons for such refusal, by using the “REQUEST REFUSAL” template included in this regard in the corresponding ANNEX.
If the request for rights is valid, BUD Leaders shall comply with and respond appropriately to such request using the “CONFIRMATION OF COMPLETION OF REQUEST” template included in this regard in the corresponding ANNEX.
As indicated in previous sections, the delay or failure to send requests for the exercise of rights received by BUD Leaders shall constitute a very serious violation of BUD Leaders’ internal regulations.
It is therefore very important to record the activity carried out from the date of the request for the exercise of rights until the moment the request is responded to, by means of a communication system that generates proof of sending, the date of sending, the content and, if possible, of delivery to the data subject.
The exercise of the rights must be free of charge for the data subject, except in cases where manifestly unfounded or excessive requests are made, in particular, because of their repetitive character. In these cases, as provided for in the UK GDPR, BUD Leaders may charge a fee to compensate for the administrative costs of fulfilling the request. The fee may not imply additional income for BUD Leaders, and must correspond to the true cost of processing the request. This assessment will be carried out by the Responsible Person.
9. Update
This Procedure will be updated periodically in order to reflect changes and improvements made in the matter of personal data protection. In particular, it will be updated when:
- there is any change in the actual procedure for managing data protection rights; or
- there are any significant changes in legislation, guidelines or resolutions issued by competent supervisory authorities that affect this Procedure.
Contact Us
Please send any questions, comments or requests relating to this procedure to hello@budleaders.org