Midton Data Protection Policy

Background

The General Data Protection Regulation (GDPR) is legislation that requires all organisations that process personal data to review their procedures, processes and security measures and to ensure that individuals whose data they process are aware of their rights. As such, Midton has developed this policy to provide clarity on how it will process personal data.

1.1   GDPR Principles

The Principles of the GDPR outline how personal data should be processed to ensure legal compliance.

The Principles are as follows:

Data should be:

1.2   Legal Basis for Processing Personal Data

The GDPR requires all data controllers and processors to meet at least one of the following legal bases for processing personal data:

Failure to meet at least one of these legal reasons for processing personal data means the data processing is likely to be illegal (unless a relevant exemption applies).

1.3   Special Category Data

Special category data is more sensitive than personal data, and therefore needs more protection. For example, information about an individual’s:

Special category personal data must still meet at least one of the above legal bases for processing; however, it must also meet further conditions. For example, special category personal data can be processed by a data controller in the following circumstances*:

*There are other legal conditions; however, they are unlikely to apply to Midton.

1.4   Data Subject Rights

Data subjects, under GDPR, have a number of rights with regard to their personal data. These are the right to:

Details regarding specific procedures in each Section will be given to clarify how the Data Subject Rights will be taken forward in different circumstances.

Right to be Informed
Midton has an obligation to ensure openness and transparency in the way in which it processes personal data. This policy and the subsequent procedures provide data subjects with the information they need to understand how and why their personal data is being processed, and how to access their rights.

Access
Data subjects have the right to request access to their personal data which Midton is processing. Where justified, a reasonable administrative fee may be charged; however, this information will usually be provided for free.

Rectification
Data Subjects have the right to have any inaccurate information that Midton is processing about them rectified without undue delay.

Erasure (right to be forgotten)
Data subjects have the right to request that their personal data be deleted in certain circumstances, for example:

 or

Midton will be required to liaise with 3rd parties regarding the erasure of personal data when:

If Midton disclosed personal data to others, it must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, Midton must also inform the individuals about these recipients.

The right to erasure does not apply in some circumstances, for example if processing:

The right to erasure will not apply to special category data if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee).

Erasure requests may be refused in some circumstances: if the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.

Restriction of processing

Data subjects have the right to request that Midton restrict the processing of their personal data in the following circumstances:

In such circumstances, the relevant data will be:

and/or

Your restricted data will not be processed in any way except to store it while the restriction is in place, unless:

Where a 3rd party processes your data, they will be informed of the restriction.

In many cases the restriction of processing is only temporary. Where Midton decides to lift the restriction, you will be informed of this before the restriction is lifted. You will also be advised why the restriction is being lifted and of your right to make a complaint to the Information Commissioner’s Office.

Portability
Data subjects have the right to obtain a copy of their personal data in a commonly used format and have it transferred to another data controller.

Object to Processing
Data subjects have the right to object to:

If a data subject has an objection on “grounds relating to his/her particular situation”, Midton must stop processing the personal data unless:

or

Automated decision making, including profiling
Data subjects have the right to object to a significant decision, including profiling, solely made by automated means. Exemptions include the necessity for the performance of a contract or where the data subject has given explicit consent.

Complaints
Data subjects have the right to complain to the Information Commissioner’s Office (ICO) if they believe that their rights have not been recognised. Details of where to write can be found on the ICO’s website: www.ico.org.uk