Midton Data Protection Policy

Background

The General Data Protection Regulations (GDPR) is legislation that requires all organisations that process personal data to review their procedures, processes and security measures and ensure that individual’s whose data they process are aware of their rights. As such Midton has developed this policy to provide clarity on how it will process personal data.

1.1   GDPR Principles

The Principles of the GDPR outline how personal data should be processed to ensure legal compliance.

The Principles are as follows:

Data should be:

• Processed, lawfully, fairly and in a transparent manner
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and limited to what is necessary
• Accurate and, where necessary, kept up to date
• Retained for only as long as necessary
• Processed in an appropriate manner to maintain security

1.2   Legal Basis for Processing Personal Data

The GDPR requires all data controllers and processors to meet at least one of the following legal basis for processing personal data:

• consent
• contract
• legal obligation
• vital interest
• public interest
• legitimate interest

Failure to meet at least one of these legal reasons for processing personal data means the data processing is likely to be illegal (unless a relevant exemption applies).

1.3   Special Category Data

Special category data is more sensitive than personal data, and therefore needs more protection. For example, information about an individual’s:

• race
• ethnic origin
• politics
• religion
• trade union membership
• genetics
• biometrics (where used for ID purposes)
• health
• sex life
• sexual orientation

Special category personal data must still meet at least one of the above legal basis for processing, however it must also meet further conditions. For example special category personal data can be processed by a data controller in the following circumstances*:

• the purposes of performing or exercising obligations or rights of the employer or employee under employment law
• establishing, exercising or defending legal claims
• the assessment of an employee’s working capacity (preventative or occupational medicine)
• the data subject has given explicit consent
• to protect the vital interests of the data subject
• the personal data has been made public by the data subject.

*there are other legal conditions, however they are unlikely to apply to Midton..

1.4   Data Subject Rights

Data subjects, under GDPR, have a number of rights with regards to their personal data. These are the right to:

• Be informed
• Access
• Rectification
• Erasure (Right to be forgotten)
• Restriction of processing
• Portability
• Object to processing
• Automated decision making, including profiling
• Compensation

Details regarding specific procedures in each Section will be given to clarify how the Data Subject Rights will be taken forward in different circumstances.

Right to be Informed
Midton has an obligation to ensure openness and transparency in the way in which it processes personal data. This policy and the subsequent procedures provide data subjects with the information they need to understand how and why their personal data is being processed, and how to access their rights.

Access
Data subjects have the right to request access to their personal data which Midton is processing. Where justified, a reasonable administrative fee may be charged, however this information will usually be provided for free.

Rectification
Data Subjects have the right to have any inaccurate information that Midton is processing about them rectified without undue delay.

Erasure (right to be forgotten)
Data subjects have the right to request that their personal data be deleted in certain circumstances, for example:

• if they withdraw consent for processing

 or

• they believe the grounds for processing are no longer legitimate.

Midton will be required to liaise with 3rd parties regarding the erasure of personal  data when:

• the personal data has been disclosed to others

• the personal data has been made public in an online environment (for example on social networks, forums or websites).

If Midton disclosed personal data to others, it must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, Midton must also inform the individuals about these recipients.

The right to erasure does not apply in some circumstances, for example if processing:

• to exercise the right of freedom of expression and information
• to comply with a legal obligation
• for the establishment, exercise or defence of legal claims.

The right to erasure will not apply to special category data if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee). 

Erasure requests may be refused in some circumstances: if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

Restriction of processing

Data subjects have the right to request the restricting of personal data being processed by Midton in the following circumstances:

• they contest the accuracy of their personal data and the verification process is in progress
• the data has been unlawfully processed and they oppose erasure and request restriction instead
• Midton no longer needs the personal data but the data subject needs Midton to keep it in order to establish, exercise or defend a legal claim, or
• the data subject has objected to Midton regarding the processing of their data, and Midton is considering whether its legitimate grounds override those of the data subject.

In such circumstances, the relevant data will be:

• temporarily moved to another processing system

and/or

• unavailable to users.

Your restricted data will not be processed in any way except to store it while the restriction is in place, unless:

•  you give consent
• it is for the establishment, exercise or defence of legal claims;
• it is for the protection of the rights of another person (natural or legal); or
• it is for reasons of important public interest.

Where a 3rd party processes your data, they will be informed of the restriction.

In many cases the restriction of processing is only temporary. Where Midton decides to lift the restriction, you will be informed of this before the restriction is lifted. You will also be advised why the restriction is being lifted and of your right to make a complaint to the Information Commissioner’s Office.

Portability
Data subjects have the right to obtain a copy of their personal data in a commonly used format and have it transferred to another data controller.

Object to Processing
Data subjects have the right to object to:

• processing based on legitimate interests;
• direct marketing (including profiling); and
• processing for purposes of scientific/historical research and statistics.

If a data subject has an objection on “grounds relating to his/her particular situation”, Midton must stop processing the personal data unless:

• it can can demonstrate compelling legitimate grounds for the processing, 

or

• the processing is for the establishment, exercise or defence of legal claims.

Automated decision making, including profiling
Data subjects have the right to object to a significant decision, including profiling, solely made by automated means. Exemptions include the necessity for the performance of a contract or where the data subject has given explicit consent.

Complaints
Data subjects have the right to complain to the Information Commissioner’s Office (ICO) if they believe that their rights have not been recognised. Details of where to write to can be found on the ICO’s website: www.ico.org.uk