The General Data Protection Regulation (GDPR) sets the standards for how personal data should be collected, stored, processed, and distributed.
For council operations and service provision, we collect personal information about individuals such as customers, employees, suppliers, and other business contacts. Compliance with legal requirements necessitates the collection and use of specific personal information. This data, regardless of whether it's stored digitally or on paper, must be managed properly to align with GDPR standards.
For further details, visit the Information Commissioner's Office website.
Your rights under GDPR
Under GDPR, you have the right to access personal data we may process about you, albeit with certain exceptions.
- Right of access (to receive a copy of your personal data)
- Right to rectification (to request that inaccurate data is corrected)
- Right to erasure (to request that data is deleted)
- Right to restrict processing (to request we don’t use your data in a certain way)
- Right to data portability (in some cases, you can ask to receive a copy of your data in a commonly-used electronic format so that it can be given to someone else)
- Right to object (generally to make a complaint about any aspect of our use of your data)
- Right to be told if there will be any automated decision-making, including profiling, based on your data, and to have the logic behind this explained to you
Right of Access: Subject Access Request (SAR)
Requests for personal data access are known as subject access requests (SAR). Upon making a SAR, you are entitled to:
- a description of the data, its processing purposes, and potential disclosures
- a copy of the data in an understandable format, with clarification of any complex terms
- any available information about the data's source
- an explanation of decisions made about you solely through automated means, if specifically requested
This right applies to both electronic and manual data formats, subject to certain limitations.
If your request involves information other than personal data, such as decisions or actions taken by us, it cannot be processed as a subject access request.
How to make a Subject Access Request