Personal Information Rights

The below details Lumify Work requirements to comply to General Data Protection Regulation (GDPR). The GDPR gives individuals the right to request personal data, which is processed from a controller.

Requests are referred to as Data subject access requests or access requests.

Right of access, correction, erasure

An individual has the right to obtain the following information from a controller:

  • Confirmation if personal data concerning the individua is being processed.

  • In the instance personal data is being processed, can request a copy of the personal data

  • The purpose of the processing

  • Categories of personal data

  • Recipients of personal data, who it has or will be disclosed to - identifying recipients in third countries or international organizations and appropriate safeguards

  • The retention period or criteria used to determine the retention period.

  • Existence of the following rights:

    • right to rectify

    • right to erasure

    • right to restrict processing

    • right to object

  • Right to raise a concern with supervisory authority

  • Where personal data is not collected from the data subject, any available information as to it's source

  • Existence of automated decision making, how decisions are made, significance and consequence of processing

Requests in writing, specific as possible in relation to personal data you wish to access. Provide evidence of your identity 
Controller will provide information in writing 

Controller can refuse where access request is manifestly unfounded or excessive - need to provide proof.

Controller needs to consider the rights of third parties when reviewing a request - rights such as data protection, trade secrets or intellectual property of others. 

A balance of rights, the controller should endeavour to comply with the request insofar as possible, whilst protecting the rights and freedoms of others.


An individual is to put in writing to [email protected]. While writing is preferred, these requests maybe received via phone call or mail. Context of the requests needs to be verified to ensure that the individual is wanting to withdraw consent relating to their PII data. Right of access is also dependant on the individual's ability to verify their identity.

Request from the individual's verification of identity, utilizing available contact information stored within our information systems. Important to note that Lumify Group parties should not disclose any of the information to the individual during this verification process.

A written response will be issued to the individual acknowledging their request and advising a response will be received within one month.

The request should always also be assessed by the Data protection officer.

The assessment will factor in the GDPR controller requirements. If not provided in the first instance, the Data protection officer will request prior to the assessment.
If the request is to rectify a record, the individual will be directed to - this is a client interface where they can update their PII.

The assessment should include a review of third parties - has Lumify Group shared the individual's information for the purpose of delivery of services? Request must be shared with the third party (if applicable)
This information can be shared via third party portal or email - action taken will be recorded against the Helpdesk ticket.

individual response needs to include details of the third party and acknowledgement the request was provided to the third party.

A response will be issued to the individual in writing either providing the requested information or action taken; or in the event the request is deemed to be unfounded or excessive, provide justification for declining the request.

The PII will be reviewed in all listed business systems - this includes direct & indirect PII

Request to modify can be actioned such as change of name, contact information.

Request to erase information will need to be considered and the individual informed of potential implications of engaging with Lumify Group.

Example the individual is booked for a course in two months time and requests Lumify Group to remove their email address from our system. Booking management processes in the lead up to training, include email communication.

Staff request

Staff can source PII retained via Employment Hero and can actively manage their own information.