Data Subject Rights

Right to be informed

  • You have the right to be informed how an organisation is processing your personal data. Usually this will be via a Privacy Notice. The University publishes its key Privacy Notices here.
  • This means that organisations have to be transparent about how they are using your personal data.
  • The information should make it clear who is using your data, the purposes for which it is used and the legal basis for its use.

Right of Access

  • You have the right to receive a copy of the personal data that an organisation holds about you and information about how it is used/processed.
  • This allows you to understand which data is being used and verify the lawfulness of the processing.
  • A Subject Access Request is free of charge unless your request is manifestly unfounded, excessive or repetitive.
  • Where a request is manifestly unfounded or excessive, an organisation may either charge a reasonable fee to cover the administrative costs of providing the information or refuse the request.
  • The data must be provided to you within one month of the organisation receiving the request, although where requests are complex and numerous the organisation may extend this deadline by a further two months.
  • This right may not apply where the University is processing your personal data for research purposes.

Right of Rectification

  • You have the right to have your personal data rectified if it is inaccurate or incomplete.
  • This right may not apply where the University is processing your personal data for research purposes.

Right of Erasure/Right to be Forgotten

This is not an absolute right, but allows individuals to request the deletion or removal of data where there is no compelling reason for its continued processing:

  • where it is no longer necessary for the purpose for which it was originally collected/processed
  • when you withdraw consent
  • if you object to the processing and there is no overriding legitimate interest in continuing the processing
  • the use of the data is unlawful
  • the data has to be erased to comply with a legal obligation
  • the data is processed in relation to the offer of information society services to a child

Organisations can refuse your request for erasure if:

  • it is used to exercise the right of freedom of expression and information
  • it is needed to comply with a legal obligation or the performance of a public interest task
  • it is needed for public health purposes in the public interest
  • it is for archiving in the public interest, for scientific or historical research, or for statistical purposes
  • it is needed for making or defending legal claims

Right to Restrict Processing

  • You have a right to block or suppress the use of your personal data.
  • Organisations are permitted to store the personal data but not to further process it and should retain only enough information to ensure that the restriction is respected in the future.
  • The right applies where:
    • you contest the accuracy of the data or the lawfulness of the processing
    • you have objected to the processing and the organisation is considering whether it has overriding grounds to continue processing
    • the organisation no longer needs the data but you need it to make or defend a legal claim
  • This right may not apply where the University is processing your personal data for research purposes.

Right to Object

You have the right to object to the use of your personal data where the organisation:

  • has claimed that it is being used in the legitimate interests of the organisation or because it is a public task in the public interest. The organisation must show compelling legitimate grounds to continue to use your data
  • is using your data for direct marketing, including profiling
  • is processing for scientific or historical research or statistical purposes unless the processing is necessary for a public task carried out in the public interest

Right to Portability

  • You have the right to obtain your personal data in a useable, transferable format for further use free of charge.
  • This allows you to move, copy, or transfer your data from one IT environment to another in a safe and secure way.
  • Applies only where:
    • you have provided the data to the organisation;
    • the processing is either based on your consent or because it is necessary for a contract; and,

Rights in relation to automated decision making and profiling

  • Automated decision-making is where a decision is made solely by automated means without any human involvement, e.g. just by a computer algorithm.
  • Profiling is the automated processing of personal data to evaluate certain things about an individual.

You have the right:

  • to know whether an organisation is using automated decision making and profiling
  • to request human intervention and challenge a decision.

Sheffield Hallam University Data Protection Officer (DPO)

If you would like to exercise any of these rights in relation to the University's use of your data, please contact the DPO:

DPO@shu.ac.uk  ☎ 0114 225 3361 or 0114 225 6496

Information Commissioner

You also have the right to complain to the Information Commissioner who is the regulator for data protection in the UK:

https://ico.org.uk/global/contact-us/  ☎ Helpline: 0303 123 1113