The General Data Protection Regulation (“The GDPR”)
You may be aware that the law in relation to data protection is changing with effect from 25 May 2018, when the GDPR comes into force in the UK.
Paragon takes the protection of individuals’ data very seriously, and will comply with the new data protection law when the GDPR comes into force on 25 May 2018. We will be updating our Data Protection and our Digital policies to reflect the new law. We will update our website when the new policy documentation is approved by the Paragon Board.
In the meantime, individuals about whom Paragon holds data (we will call these individuals “data subjects”) have new legal rights under the GDPR in respect of their personal data and can make requests to us to exercise them.
Here we’re setting out for you how you can exercise your data rights and how Paragon will process requests by data subjects:
“Personal data” means any information relating to an identified or identifiable data subject. An identifiable data subject is anyone who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number or online identifier.
“Processing” means any operation or set of operations that is performed on personal data, such as collection, use, storage, sharing and destruction.
New Individual Data Subject Rights
From 25 May 2018 data subjects have the right to approach Paragon and:
- Request access to personal information (commonly known as a “data subject access request” or a DSAR) and have the right to be informed about collection and use of their personal data;
- Request rectification of personal information;
- Request erasure of personal information;
- Request the restriction of processing of personal information;
- Request the transfer of personal information to another party;
- Object to processing of personal information where Paragon is relying on a legitimate interest (or that of a third party) to lawfully process it; and
- Request not to be subject to automated decision making.
Rights are not absolute
It is important to note that the new rights that are afforded to data subjects under the GDPR are not absolute rights; they have to be considered and assessed and a response prepared on a case-by-case basis.
Before responding to any request by a data subject in relation to their personal data, we shall check whether there are any exemptions that apply to the personal data that is the subject of the request. Exemptions may apply where it is necessary and proportionate for Paragon not to comply with a data subject request as described above in order to safeguard:
- national security;
- public security;
- the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
- other important objectives of general national public interest, in particular an important national economic or financial interest, including monetary, budgetary and taxation matters, public health and social security;
- the protection of judicial independence and judicial proceedings;
- the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
- a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority;
- the protection of the data subject or the rights and freedoms of others; or
- the enforcement of civil law claims.
How to make your request to exercise your data protection rights
A request to exercise these rights should be made to Paragon’s Creative Director and you can submit your request as follows:
Via email to firstname.lastname@example.org
Via post to Paragon Music, Centre for Contemporary Arts, 350 Sauchiehall Street, Glasgow, G2 3JD
Once Paragon receives your data subject request
- We must provide a copy of the information that you are entitled to under the GDPR free of charge.
- However, Paragon is entitled under the law to charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
- Paragon must deal with your request for information and provide you with the information to which you are legally entitled at the latest within one month of receipt.
- However, we will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, Paragon must inform you within one month of the receipt of the request and explain why the extension is necessary.
Information that Paragon is processing
We will be providing a number of new notices, as required by the new law, setting out for you what personal information Paragon holds, why we need that information, what we are using it for, and whether we are sharing the information.
Where Paragon is holding information that relates to you and from which you are identifiable, we will retain that for so long as it is necessary, reasonable and proportionate to do so in order to allow Paragon to perform its functions and tasks undertaken in the public interest and in order to allow us to meet our public sector duty to deliver best value.