Data Protection and Access
1 – SUBJECT ACCESS REQUESTS
1.1 Data subjects (i.e. individuals relating to whom you hold data) should be encouraged to use FORM No. 1 below when submitting a request to exercise their right of access (an “Access Request”). All data subjects have the right to have access to a copy of all information (called ‘personal data’) that Optique Opticians holds and processes relating to them.
Additional information that may be required before responding to an Access Request.
1.2 The Scope of the searches
If it is not clear from the request what information the data subject seeks to obtain, Insert name of company can confirm the scope of the search(es) it will carry out for that individual’s personal data. Optique Opticians is expected to make extensive efforts to search for all information that the data subject wishes to obtain. Insert name of company cannot insist that the data subject narrow the scope of the proposed searches.
Optique Opticians can refuse requests if they are ‘manifestly unfounded’ or ‘excessive’, particularly if the requests are repetitive. Optique Opticians can ask the data subject if there is particular data being sought by them which would satisfy their request, whilst always making it clear that Optique Opticians will furnish a complete response if required. Where the request can readily be complied with, no narrowing should be sought.
1.3 When sending the data subject confirmation of the request, Optique Opticians can describe the scope of the searches to be carried out and request confirmation that these are appropriate.
1.4 When reviewing the relevant form and confirming the scope of the searches, Insert name of company may suggest to the data subject an agreed scope, for example, searches of the email folders of relevant individuals (e.g. if they are an employee, the data subject, their line manager, and any employees with whom they worked closely), folders of network hard drives such as HR folders, and any other areas particularly relevant to that individual. Specific search terms can also be agreed with the data subject.
Generally, these will be the name of the data subject, along with a reasonable date range, and any other relevant identifiers. This can allow electronic documents to be searched quickly.
1.5 The following considerations may be relevant when determining the scope of the search:
(a) Date ranges: if there is a particular matter in which the data subject is interested, it may be appropriate to limit the date range to when the matter was active. This can be particularly important with respect to CCTV footage. The data subject can, however, insist on any date range, provided it is not manifestly unfounded or excessive.
(b) Back-up data: With respect to back-up data, if Optique Opticians is satisfied that the back-up replicates the data held in live systems, it is unlikely that searches of back-up data would be required.
(c) Archived data: Archived data should be searched; this is data that Insert name of company has decided it may wish to retrieve at a later date.
(d) Hard copy documents: Hard copy documents that are stored in such a way that information about individuals is accessible are within the scope of an Access Request. This would include an HR file about that individual, although it might not include notes made by individuals in a personal notebook, or data which is ad hoc and not organized or intended to be put on any organized system.
When is an Access Request valid?
1.6 The Practice is not required to respond to repeated requests that are made at unreasonably frequent intervals, provided Optique Opticians can show that the request is manifestly unfounded or excessive in character. If the requestor fails to provide the necessary identification verification, Optique Opticians may request additional information to confirm the identity of the data subject. If the request is for specific personal data that is protected for some reason (e.g. is privileged, contains personal data of others, etc.) then the request should be declined on those grounds. If you receive a repeated request from the same individual and the previous request was very recent, you should take into account whether the personal data is particularly sensitive, whether the processing might affect the data subject’s rights and whether the personal data is likely to have changed since the last request before determining whether the interval between requests is unreasonable. If you have any doubts about whether a repeat request has been made unreasonably soon, please refer to specialist expertise.
In the event of a repeated request, you could offer only to provide information that has changed since the previous request, but if the data subject insists on receiving all the personal data again, Optique Opticians must provide this, unless you deem the request to be manifestly unfounded or excessive in character, particularly because of its repetitious nature.
Information relevant to carrying out an Access Request
1.7 As well as the documents held by Optique Opticians in hard copy or electronic form, the scope of the searches may refer to information held by third parties such as service providers. In this case, Optique Opticians should consider whether third parties may be holding information to which the Practice would not have access. If the third party is a ‘controller’ in respect of that data (i.e. if it is that third party’s data, not the Practice’s data), Optique Opticians should advise the data subject to contact that controller. If, however, the third party is a processor on behalf of Insert name of company, the personal data should be provided.
1.8 After the searches are carried out, the documents returned should be reviewed by Insert name of company as quickly as possible. The following considerations may be relevant to the review process:
a) If the documents contain any personal data of individuals other than the data subject, this information should be redacted (made illegible) in order to provide only the personal data of the data subject and can only be disclosed if the other individual has consented to its disclosure;
b) If information might be subject to a legal privilege, for example personal data that is included in legal advice provided to Optique Opticians or that has been prepared by lawyers in reasonable anticipation of litigation, it should not be disclosed to the data subject and the request must be referred to specialist expertise; or
c) If personal data is included in information that relates to the prevention or detection of a crime, it should not be disclosed if doing so might prejudice the investigation into that crime.
What must Optique Opticians provide in response to an Access Request?
1.9 The Practice will provide the following information:
a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients outside the EU or international organisations;
d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e) the following statement: “You have the right in some circumstances to request from us rectification or erasure of your personal data or restriction of processing of your personal data or to object to such processing”;
f) the following statement: “You have the right to lodge a complaint with the Data Protection Commission”;
g) where the personal data is not collected from the data subject, any available information as to their source; this
h) if there is any automated decision-making, including profiling, which produces legal effects on or significantly affects the data subject and information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
1.10 In addition to the above and the cover letter set out here, Optique Opticians will provide the data subject with a copy of all personal data deemed validly requested in the relevant Access Request.
1.11 An individual who makes an Access Request is only entitled to receive a copy of the personal data processed by Optique Opticians relating to them. They are not entitled to full copies of the documents containing personal data as these may, for example, contain personal data relating to other individuals. Therefore, when responding to these requests, ensure that the response is limited to only data relating to the data subject, rather than the entire documents containing their personal data. This may involve redactions, particularly of names or other identifiers of other people.
1.12 Where the data subject makes their request by electronic means, the information should be provided in a commonly used electronic form, except when the data subject asks for it to be provided otherwise.
FORM NO. 1
ACCESS REQUEST FORM
As described in the AOI Code of Conduct, you have the right to access and receive a copy of the personal information we hold about you. We ask that you complete this form so we can determine the details of your request, and respond to and implement your request as quickly as possible.
This process will provide you with the personal information we hold about you, and information relating to you, in manual or electronic form. Information relating to third parties or other information exempt under applicable law(s) will not be provided.
Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to: Insert designated department/person
Agent of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf.
Please complete as much of the following information as you can:
Full name of data subject:
(First) (Surname)
Present Address:
Street
Town
County
Postcode
Other contact details:
Telephone No.
Mobile
If applicable; Current/last post held in
Practice
Department
Office location
Your employee no. (if any)
If applicable:
Dates of contact with Practice
Dates of actual visits to Practice
Any other relevant Information:
Details of the Agent or Requestor (if any)
Name:
Address:
Phone Number:
Email address
Proof of entitlement to act (enclose authorisation)
Details regarding what information you are looking for. The more details you can give to us the better and quicker we will be able to respond to you!
Hard copy files (please specify department & location, if known)
Search criteria (i.e. name, key word, date)
Connection to file (i.e. employee/partner/staff/client/supplier)
Electronic data (please specify system, if known)
Search Criteria (please specify the search criteria, e.g. system name, identifier no., if known)
Connection to file (i.e. employee/partner/staff/client/supplier)
Any other filing system
Search criteria
Any other information you feel might assist us in responding to your request:
We promise to make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests.
Signed: _________________________________
Date: ______________________
2. THE RIGHT OF RECTIFICATION & CORRECTION
2.1 Data subjects should be encouraged to use Form 2 below when submitting a request to exercise their right of rectification/correction (a “Rectification Request”).
2.2 Individuals have the right to require Optique Opticians to correct their personal data if it is inaccurate. For example, if a data subject’s name is incorrectly recorded, Insert name of company must update their records on receipt of a Rectification Request.
2.3 Individuals also have the right for any other personal data that is incomplete to be updated, taking into account the purposes of the processing.
Additional information that may be required before responding to a Rectification Request:
2.4 Upon receipt of a Rectification Request, Optique Opticians should verify, in so far as possible, that the personal data provided as a correction to the existing personal data is factually correct. For example, if a data subject who is a staff member has provided additional information about their qualifications, this could be verified by the provision of certifications.
2.5 If there are doubts about the accuracy of the provided information, further information should be requested from the data subject who made the Rectification Request, and they should be informed what information would be required by the Practice to verify the changes.
When is a Rectification Request valid?
2.6 A Rectification Request is valid if the information that Optique Opticians has on file is incorrect, and the updated information provided by the data subject is correct as described above.
Information relevant to carrying out a Rectification Request
2.7 Set out the operational steps required for the Practice’s records to be updated, to reflect changes under a Rectification Request. This process will of necessity vary according to the category of data requiring correction.
2.8 Optique Opticians will inform any external entities that have received the personal data that was subject to the Rectification Request of the updated personal data, unless doing so would be impossible or take disproportionate effort. Optique Opticians should have a list of Optique Opticians’ principal service providers, and a summary of the data held by that processor, and the contact personnel at each one. Insert name of company should keep a record of all communications to such entities and their response.
What must Optique Opticians provide in response to a Rectification Request?
2.9 Let the data subject know what changes have been made.
2.10 Optique Opticians must also provide the data subject with information on what providers have been contacted and informed of the changes to the data.
FORM NO. 2
DATA CORRECTION/UPDATE REQUEST FORM
As described in the AOI Code of Conduct, you have the right to correct and update any personal information about you that is inaccurate. We ask that you complete this form so we can determine the details of your request and, where applicable, implement your request.
If your request is valid, we will correct and update the information requested.
Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to Insert name of the Privacy Compliance Co-ordinator at address or Insert email address.
Please also provide any documentation you have to prove that the information you wish to update needs to be updated or corrected.
Agents of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the requestor’s behalf.
Please complete as much of the following information as you can:
Full name of data subject:
(First) (Surname)
Present Address:
Street
Town
County
Postcode
Other contact details:
Telephone
Mobile
Details of the Agent or Requestor (if any)
Name:
Address:
Phone Number:
Email address
Proof of entitlement to act (enclose authorisation)
Category of personal information; Personal Information Currently on File; Corrected Personal Information
e.g. name, address.
We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests.
Signature ____________________
Date _____________________
3. RIGHT TO OBJECT TO PROCESSING
3.1 Data subjects should be encouraged to use Form 3 below when submitting a request to exercise their right to object to processing (an “Objection Form”). Individuals have the right to object to the processing activities that Optique Opticians carries out with respect to their own personal data, in certain circumstances.
Additional information that may be required before responding to an Objection Request.
3.2 If it is not clear from the Objection Form, Optique Opticians should confirm which uses or processing of personal data the data subject objects to.
When is an Objection Form valid?
3.3 Individuals have the right to object to the processing activities that Insert name of company carry out with respect to their personal data. An objection will be valid where:
(a) the processing activity in question takes place on the basis of Insert name of company’s ‘legitimate interests’ without Optique Opticians having compelling legitimate grounds which override the interests of the data subject.
Refer to legal basis for processing to determine if the personal data is processed on the basis of Optique Opticians’ legitimate interests grounds or for the establishment, exercise or defence of legal claims.
To determine whether Optique Opticians has compelling legitimate grounds which override the interests, freedoms and rights of the data subject in continuing to process the personal data, Optique Opticians must consider what business reason Optique Opticians has for using it. This must then be balanced against the data subject’s right to control their personal data. For example, while Optique Opticians may track its users’ behaviour on its websites and apps in order to understand how they are used and to improve the functionality and individually customize the appearance on the basis of how they use the websites or apps, collecting website history is intrusive and, if users object, their privacy interests will probably override Optique Opticians’ business interests.
With the exception of processing related to direct marketing, where the data subject continues to use Optique Opticians’ services, Insert name of company legitimate interests, if such processing is necessary to provide the service, may override the data subject’s interests. Alternatively, the processing may be legitimized as being necessary to perform the contract or on consent.
You can refer to the records of processing activities that Insert name of company keeps to determine the basis for processing;
(b) the processing takes place for the purposes of carrying out direct marketing activities (such as sending marketing emails, letters, SMS messages, push notifications or serving online behavioral advertising). In this case, Insert name of company should immediately cease the processing related to those direct marketing activities. For example, if there is an objection to the creation of a profile about a customer that is used to send targeted direct marketing, Optique Opticians should immediately cease using that profile to serve advertising to that customer.
3.4 If, however, Optique Opticians is required to keep the personal data by virtue of other legislation (e.g. for Revenue reasons, or by virtue of employment law), or in order to make or defend legal claims (for example if a former employee is making a claim against Optique Opticians), or if the processing was not based on the legitimate interests grounds but on some other lawful ground, an objection would not be valid. If Optique Opticians has questions about whether an Objection is valid, please seek specialist advice.
Information relevant to responding to an Objection Form
3.5 Set out any operational steps required for Optique Opticians’ processing activities to be altered, to reflect changes after a valid objection. This process will of necessity vary according to the category of data being processed.
3.6 Taking into account the costs of implementation, Optique Opticians should inform any entities that carry out processing activities that were subject to the objection of the request, unless doing so would be impossible or take disproportionate effort. Insert name of company should have a list of Optique Opticians’ principal service providers, for example CRM services, payroll providers, payment processing providers and IT service providers, and a summary of the data being processed by that processor, and the contact personnel at each one. Optique Opticians should keep a record of all communications to such entities and their response.
e.g.:
Name of processor; service provided/data processed; contact person
What must Optique Opticians provide in response to an Objection Form?
3.7 Optique Opticians must inform the data subject, where such is the case, that the processing of their personal data has ceased in line with their request, and in particular provide details of which processing activities have ceased.
FORM NO. 3
OBJECTION TO PROCESSING FORM
As described in the AOI Code of Conduct, you have the right to object to our processing of your personal information in certain circumstances. We ask that you complete this form so we can determine the details of your request and, where applicable, implement your request.
If your request is valid, we will cease processing your personal information for the purposes to which you object.
Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to Insert name of the Privacy Compliance Co-ordinator at insert address/email address
Agents of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf.
Please complete as much of the following information as you can:
Full name of data subject:
(First) (Surname)
Present Address:
Street
Town
County
Postcode
Other contact details:
Telephone
Mobile
Details of the Agent or Requestor (if any)
Name:
Address:
Phone Number:
Email address
Proof of entitlement to act (enclose authorisation)
Uses of personal information that you object to
Reason for objecting to these uses of your personal information
Please make reference to the uses of personal information set out in our privacy notice
e.g. our uses of the personal information are unlawful, specifying precisely why; you no longer want to receive direct marketing messages from us
We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests.
Signature ____________________
Date _____________________
4. THE RIGHT TO RESTRICTION OF PROCESSING
4.1 Individuals should be encouraged to use FORM No. 4 below when submitting a request to exercise their right of restriction of Optique Opticians’ processing of their personal data (a “Restriction Request”). Individuals have the right to restrict the processing activities that Optique Opticians can carry out with respect to their personal data.
Additional information that may be required before responding to a Restriction Request
4.2 If it is not clear from the Restriction Request, Optique Opticians should confirm which uses of personal data the data subject wishes to restrict.
When is a Restriction Request valid?
4.3 A Restriction Request is valid only where:
(a) the accuracy of the personal data is contested by the data subject for a period to enable Optique Opticians to check the accuracy of the data;
(b) the processing is unlawful, but the individual does not wish to have the personal data erased and wishes to restrict its use instead;
(c) Optique Opticians no longer requires the personal data for a lawful purpose, but the individual requires the personal data for the establishment, exercise or defence of legal claims; or
(d) the individual has objected to the processing (see section 3 above), pending verification of whether the legitimate interests of Optique Opticians override those of the individual.
If a Restriction Request is found to be valid, Optique Opticians cannot process the individual’s personal data other than where the individual has consented to the processing; for the establishment, exercise or defence of legal claims; to protect the rights of another person; or for reasons of important public interest to the EU or a Member State.
If you have any questions about whether a restriction request is valid, please seek specialist expertise.
Information relevant to implementing a Restriction Request.
4.4 Optique Opticians should set out the operational steps required for Insert name of company processing activities to be altered, to reflect restrictions in operation after implementing a valid request. This process will of necessity vary according to the nature of processing being undertaken.
4.5 Optique Opticians should have a list of Optique Opticians’ principal service providers, for example CRM services, payroll providers, payment processing providers and IT service providers, and a summary of the data being processed by that processor, and the contact personnel at each one. Optique Opticians should keep a record of all communications to such entities and their response.
e.g.:
Name of Processor; service provided/data processed; contact person
What must Optique Opticians provide in response to a Restriction Request?
4.6 Optique Opticians must inform the data subject that the processing of their personal data has been restricted in line with their request, and provide details of which processing activities have ceased or been amended.
4.7 Optique Opticians must also provide a list of all the entities that process the relevant personal data, and that have been contacted by Optique Opticians in accordance with Section 4.5 above, and should provide a copy of their response.
FORM NO. 4
RESTRICTION REQUEST FORM
As described in the AOI Code of Conduct you have the right to restrict our processing of your personal information in certain circumstances. We ask that you complete this form so we can establish the details of your request and, where possible, implement your request.
If your request is valid, we will restrict our processing of your personal information unless you give your consent to us using it in the future, or we need to use it for other legal reasons.
Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to Insert name of the Privacy Compliance Co-ordinator at insert address/email address
Agents of requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf.
Please complete as much of the following information as you can:
Full name of data subject:
(First) (Surname)
Present Address:
Street
Town
County
Postcode
Other contact details:
Telephone
Mobile
Uses of personal information to be restricted
Reason for restricting these uses of your personal information
Please make reference to the uses of personal information set out in our privacy notice
e.g. the personal information is inaccurate, our uses of it are unlawful, etc.
We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests.
Signature ____________________ Date _____________________
5. THE RIGHT OF ERASURE/DELETION
5.1 Individuals (‘data subjects’) should be encouraged to use Form 5 below when submitting a request to exercise their right of erasure/deletion (an “Erasure Request”) to require Optique Opticians to delete their personal data in certain circumstances.
Additional information, which may be required before responding to an Erasure Request.
5.2 If it is not clear from the Erasure Request, Optique Opticians may need to verify precisely which personal data the requestor wishes to be deleted, and it may also be helpful to understand why the requestor wishes to have that information deleted.
When is an Erasure Request valid?
5.3 Optique Opticians must delete personal data on receipt of an Erasure Request where the Practice no longer has a valid reason to continue that processing. Examples are set out below:
(a) the personal data is no longer necessary for the purpose for which it was collected or otherwise lawfully processed. For example, if a contact at a client no longer works for that client and makes an Erasure Request, there would be no need to retain that information as the information was originally collected for processing in the context of that client relationship;
(b) the personal data is processed only on the basis of the consent of the requestor, and the requestor withdraws that consent. In general, making an Erasure Request would be considered a withdrawal of consent;
(c) the requestor objects to processing being carried out in the legitimate interests of Optique Opticians and there are no overriding legitimate grounds for Optique Opticians to continue processing the personal data:
To determine whether Optique Opticians has an overriding interest in retaining the personal data, you should consider what business reason(s) Optique Opticians has for retaining it. You should then balance these against the requestor’s right to control their personal data. For example, while Optique Opticians may retain customer information in order to conduct analytics and create appropriate marketing segments on the basis that this allows it to manage its business most effectively, using a customer’s personal data after that customer has not used their account for a significant period is not a particularly compelling business interest. As a general rule of thumb, an individual with whom Optique Opticians has had no contact for a year or more is no longer considered a customer. If that customer actively objects to the retention of their personal data, their privacy interests would likely outweigh Optique Opticians’ business interests.
In general, if the requestor continues using Optique Opticians’ services for which their personal data is processed on the basis of Insert name of company legitimate interests, these legitimate interests may outweigh the requestor’s interest in having their personal data deleted, and therefore the personal data need not be deleted. You can refer to the records of processing activities that Optique Opticians keeps in determining the basis for processing;
(d) the personal data is being processed without a valid basis, for example if Insert name of company was processing on the basis that the processing was necessary for the performance of a contract with the requestor, but that contract has now been terminated;
(e) the personal data must be deleted to comply with a legal obligation under EU law or the law of an EU Member State to which Optique Opticians is subject; or
(f) the personal data relates to a child under the age of 13 that was processed on the basis of parental consent in the context of providing an ‘information society service’, including any service provided over the internet.
5.4 Optique Opticians is not required to delete personal data which is subject to an Erasure Request where Optique Opticians’ processing of the personal data is necessary:
(a) For exercising Optique Opticians’ right of freedom of expression and information. This is unlikely to apply to Optique Opticians, but if you consider it might, seek specialist expertise;
(b) For compliance with a legal obligation under EU law or the law of an EU Member State to which Optique Opticians is subject, or for the performance of a task carried out in the public interest. This is unlikely to apply to Insert name of company;
(c) For reasons of public interest in the area of public health. This is unlikely to apply to Optique Opticians;
(d) For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, and only if erasing the personal data would be likely to render impossible or seriously impair the achievement of these objectives. This is unlikely to arise for Optique Opticians; or
(e) For the establishment, exercise or defence of legal claims. For example, Insert name of company would not be required to delete personal data about a former employee with whom there is an existing or potential employment dispute.
If you have any questions about whether these factors apply, you should seek specialist expertise.
Information relevant to complying with an Erasure Request
5.5 Optique Opticians should set out the operational steps required for Insert name of company records to be updated, to reflect changes under an Erasure Request. This process will of necessity vary according to the category of data requiring correction.
5.6 Optique Opticians should inform any external entities that have received the personal data that was subject to the Erasure Request of the updated personal data, unless doing so would be impossible or take disproportionate effort. Insert name of company should have a list of Optique Opticians principal service providers, for example CRM services, payroll providers, payment processing providers and IT service providers, and a summary of the data held by that processor, and the contact personnel at each one. Optique Opticians should keep a record of all communications to such entities and their response.
e.g. :-
(a) Name of Processor; service provided/data processed; contact
Implementing the Erasure Request
5.7 Optique Opticians should list out the specific steps it might have to take to implement a specific Erasure Request. These might include, for example, a system identifying where particular types of data are stored within Optique Opticians' particular systems.
What must Optique Opticians provide in response to an Erasure Request?
5.8 Once an Erasure Request has been implemented, Optique Opticians should contact the requestor to inform them that their personal data has been deleted, as requested.
5.9 If requested, Optique Opticians must also provide a list of all the entities that have received the personal data and that have been contacted by Insert name of company in accordance with section 5.6 above.
FORM NO. 5
ERASURE REQUEST FORM
As described in the AOI Code of Conduct you have the right to have your personal information deleted in certain circumstances. We ask that you complete this form so we can determine the details of your request and, where applicable, implement your request.
If your request is valid, we will delete the information requested, unless we are required by law to keep it – in this case we will advise you of what we are keeping, and the reasons why.
Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and address) to Insert the name of the Privacy Compliance Co-ordinator at insert address/email address
Agents of the requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf.
Please complete as much of the following information as you can:
Full name of data subject:
(First) (Surname)
Present Address:
Street
Town
County
Postcode
Other contact details:
Telephone
Mobile
Personal Information Currently on File to be deleted (e.g. name, mobile number, email address):
Reason why that personal information should be deleted (e.g. is the information inaccurate or out of date?):
We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests.
Signature ____________________ Date _____________________
6. THE RIGHT TO DATA PORTABILITY
6.1 Individuals should be encouraged to use Form No. 6 below when submitting a request to exercise their right of data portability (a “Portability Request”). Data Subjects have the right:
(a) To retrieve data relating to them processed by an organization, for personal use, and to store the data on a device or a private cloud, for example. This right allows them to manage their personal data more easily and by themselves.
(b) To transfer their personal data from one controller to another. The personal data can thus be transmitted to a new controller, for example, to a competitor:
i. by the person themselves
ii. directly by Optique Opticians, if the direct transfer is “technically possible”.
Additional information that may be required before responding to a Portability Request
6.2 Optique Opticians should have in place appropriate procedures for the data subject to make a request for portability and to receive data about him (such as Form No. 4). In particular, data controllers must propose an authentication procedure that verifies the identity of the data subject exercising the right to portability. Insert name of company may also wish to contact the data subject to confirm the data controller or data controllers to which their personal data should be transmitted, including a means by which this personal data should be transmitted.
When is a Portability Request valid?
6.3 This right applies if ALL three of these conditions are met:
(a) The right to portability is limited to the personal data provided by the data subject,
AND
(b) The data is processed automatically (paper files are not included) and on the basis of:
i. the prior consent of the data subject or
ii. the execution of a contract concluded with the data subject, AND
(c) The exercise of the right to portability must not affect the rights and freedoms of third parties. (See para 6.7 below).
Information relevant to carrying out a Portability Request
6.4 The phrase “provided by the data subject” means:
(i) data actively and consciously given by the data subject, such as data provided to create an online account (e.g. email address, username, age), and
(ii) data generated by the data subject’s activity when using a service or device (e.g. purchases recorded on a loyalty card, history of searches made on the internet, invoices, e-mails sent or received, records of Practice stays, etc.)
It does not include personal data that is derived, calculated or inferred from data provided by the data subject. This data is excluded from the right to portability, to the extent that the data is not provided by the data subject but created by Insert name of company.
6.5 If the portability right applies, Optique Opticians should compile the personal data about the data subject that meets the requirements set out above. To do this, Optique Opticians should set out the operational steps Optique Opticians has in place to extract data that is subject to the right to data portability. This might include running a script to extract particular categories of personal data from databases. Optique Opticians should also consider the format into which the data should be extracted. This should retain as much metadata as is practicable, while also being sufficiently abstract from any proprietary data formats that might reveal information about the ways that Optique Opticians operates its systems (for example XML, JSON or CSV). The format can be made sufficiently abstract so it does not reveal any of Insert name of company intellectual property rights or trade secrets. In practice, this may need to be outsourced.
Can all the data provided by the person concerned be subject to the right to portability?
6.6 The right to portability does not apply to personal data processed on any legal basis other than the consent of the data subject or the performance of a contract. For example, personal data processed by Optique Opticians only on the basis of legitimate interest or legal obligations are not affected by the right to portability.
It is recommended that Portability Requests be analysed on a case-by-case basis, whether for data processing in human resources management or in other areas.
6.7 Optique Opticians' response to and implementation of a Portability Request should not adversely affect the rights of others (e.g. individuals whose contact details appear in an online address book that is subject to a Portability Request). When Optique Opticians wishes to transmit such data to a third party, it can in no way transmit the data without a legal basis to do so. Optique Opticians should not provide personal data of other individuals included in the data subject’s files.
6.8 An organization can respond to a request for portability through the provision of a file containing all portable data, or by providing automated tools and APIs that allow the extraction of relevant data.
6.9 Whatever the means of provision proposed, it must be easy to use, accessible, allow the reception of data in a secure manner and minimize the risk of violation of the data processed by the organisation. The organisation must therefore research and analyse each of the methods intended to be used to remove any obstacle and facilitate the access of the right to portability to the data subject concerned. Outsourcing of this is recommended.
What are the controller’s responsibilities after transmitting the Data?
6.10 Optique Opticians responding to a person exercising the portability right is not responsible for the data subject’s processing of their own data once it has been received by the data subject. It is also not responsible for the processing carried out by the recipient controller receiving said data at the request of the person exercising his right to portability.
What if Optique Opticians is receiving data from a Portability Request?
6.11 If Optique Opticians is receiving data at the request of a data subject as part of their right to portability, Optique Opticians is required to ensure that such data is relevant and not excessive in view of the purpose of the new processing of the data that the data subject wishes to be transferred to Optique Opticians. Insert name of company must also clearly inform the data subject concerned of the purpose of the new processing and, more generally, the principles of data protection of the personal data applicable to this new processing.
FORM NO. 6
PORTABILITY REQUEST FORM
As described in the AOI Code of Conduct, where we use your personal information to fulfill our contractual obligations to you, or where you have consented to our use of your personal information, you have the right to ‘port’ any such personal information you provide to us.
This means you have the right to receive a copy of it in a machine readable format and to have it transmitted to another company. We ask that you complete this form so we can determine the details of your request and implement your request.
This process will provide you with certain personal information that you have provided to us in a format that can be read electronically, and, if you wish this, can be sent to another data controller.
Please complete your details below and sign where indicated. Send the completed form and proof of identity (by way of proof of your name and your address) to Insert name of the Privacy Compliance Co-ordinator at insert address/email address
Agents of requestor: Please note that you must provide your own contact details and you must provide proof of your entitlement to act on the data subject’s behalf.
Please complete as much of the following information as you can:
Full name of data subject:
(First) (Surname)
Present Address:
Street
Town
County
Postcode
Other contact details:
Telephone
Mobile
Details of the Agent or Requestor (if any)
Name:
Address:
Phone Number:
Email address
Proof of entitlement to act (enclose authorisation)
To help us to respond to your request as quickly as possible, please provide as much detail as possible regarding the personal information you seek. If you wish to ‘port’ all applicable personal information, please write ‘all’ below (e.g. all information I have uploaded to the website; payment details; or billing and delivery addresses):
Names and contact details of companies to which that data should be transmitted:
We will make every effort to respond to you within 1 calendar month of the receipt of your request and valid identification documentation, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests.
Signature ____________________
Date _____________________
ADDITIONAL FORMS
Appendix A
FORM NO. / DESCRIPTION
7 Request For Further Information
8 Acknowledgement of Rights Request
9 Rejection of Rights Request – Unable to comply
10 Request to Third Party
11 Letter advising Delayed Response
12 Completion of Rights Request
FORM NO. 7
REQUEST FOR FURTHER INFORMATION
Date:
To: Data Subject’s address or email
Bcc: Insert Responder’s Address or email
Subject: Your request to exercise your rights – further information required.
Dear Data Subject’s name
We have received your request to exercise your right to insert right being exercised, dated date and received by us on date. However, to determine whether this request is valid, we require further information from you.
If identification is in doubt please provide a copy of your passport or driving licence or other form of official identification so that we can confirm your identity. This is a legal requirement to ensure we do not comply with a request about you from somebody posing as you.
Clarification of Request Needed
We require further information about the precise details of your request in order to be able to comply with it appropriately. Please could you provide us:
Here advise the Data Subject as precisely as possible what it is that you need to clarify
Please do not hesitate to contact us if you have any queries about the progress of your request.
_____________________
Signature
_____________________
Date
FORM NO. 8
Acknowledgement of Rights Request
Date:
To: Data Subject’s Address/email address
Bcc: Responder’s address/email address
Subject: Acknowledgement of your request to exercise your rights
Dear Data Subject’s name
We have received your request to exercise your right to insert right being exercised, dated insert date.
We aim to respond to this request within 1 calendar month, but please note that this time may be extended to 3 months, when necessary, taking into account the complexity and number of requests.
Please do not hesitate to get in touch if you have any questions about the progress of your request.
_____________________
Signature
_____________________
Date
FORM NO. 9
REJECTION OF RIGHT REQUEST – UNABLE TO COMPLY
Date:
To: Data Subject’s Address/email address
Bcc: Responder’s address/email address
Subject: Your request to exercise your rights.
Dear Data Subject’s name
We have received your request to exercise your right to insert right being exercised, dated insert date.
Unfortunately, we are not able to comply with such request for the following reasons:
Set out the reason/s for refusal to comply, based on the reasons set out in Schedule 1
Please do not hesitate to get in touch with me if you have any further questions about the reasons we were not able to comply with your request.
Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie
Yours etc,
Signature ____________________
Date _____________________
*Contact Details :
Data Protection Commission.
Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland.
Phone +353 (0761) 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757
email: info@dataprotection.ie
FORM NO. 10
REQUEST TO THIRD PARTY PROCESSOR
ACTING ON THE PRACTICE’S BEHALF
Date:
To: Third Party’s address or email address
Bcc: Responder’s address or email address
Subject: Request to exercise rights for Data Subject’s name
Dear Third Party
We received a request from Data Subject’s name and identifying features to exercise their right to insert right being exercised.
Because of the services you provide to this Practice, relevant personal information is held in your systems and you carry out relevant processing activities that are subject to this request. Please action this request in accordance with our contract with you and with applicable law within 10 business days. Please complete the information requested below and return a copy to me at this address.
If you should have any questions about this request, please contact me at Responder’s contact information. We appreciate your prompt response.
Signature ____________________
Date _____________________
_____________________________________________________________________________
Third Party Notes:
[ ] The request has been implemented as requested.
[ ] The request has been complied with, but with the following exceptions:-
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
[ ] A full Report has been sent to the Practice.
FORM NO. 11
LETTER ADVISING DELAYED RESPONSE
Date:
To: Data Subject’s address or email
Bcc: Responder’s address or email
Subject: Delay in our response to your request to exercise your rights
Dear Data Subject’s Name
We are still processing your request to exercise your right to insert right being exercised, dated insert date and expect to respond to this request by insert date.
The reason for this delay is that insert reason.
We appreciate your understanding as we work to process this request.
Please do not hesitate to get in touch if you have any questions about the progress of your request.
Signature ____________________
Date _____________________
FORM NO. 12
COMPLETION OF RIGHTS REQUEST
Date:
To: Data Subject’s address or email
Bcc: Responder’s address or email
Subject: Your request to exercise your rights.
Dear Data Subject’s name
We have now implemented your request to exercise your right to insert right being exercised, dated insert date. We have prepared the attached Report to provide details to you of how this has been carried out.
We trust that this satisfies your request to exercise your rights, but if you have any further questions please contact us at .
Please note that you also have the right to contact the Data Protection Commission, and we give their contact details* below. Their website is at https://dataprotection.ie
Signature ____________________
Date _____________________
Attached or Enclosed :
Report and any other information required.
*Contact Details :
Data Protection Commission.
Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland.
Phone +353 (0761) 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757
email: info@dataprotection.ie