The below details Lumify Work requirements to comply to General Data Protection Regulation (GDPR). The GDPR gives individuals the right to request personal data, which is processed from a controller.
Requests are referred to as Data subject access requests or access requests.
Right of access, correction, erasure
An individual has the right to obtain the following information from a controller:
Confirmation if personal data concerning the individua is being processed.
In the instance personal data is being processed, can request a copy of the personal data
The purpose of the processing
Categories of personal data
Recipients of personal data, who it has or will be disclosed to - identifying recipients in third countries or international organizations and appropriate safeguards
The retention period or criteria used to determine the retention period.
Existence of the following rights:
right to rectify
right to erasure
right to restrict processing
right to object
Right to raise a concern with supervisory authority
Where personal data is not collected from the data subject, any available information as to it's source
Existence of automated decision making, how decisions are made, significance and consequence of processing
Requests in writing, specific as possible in relation to personal data you wish to access. Provide evidence of your identity
Controller will provide information in writing
Controller can refuse where access request is manifestly unfounded or excessive - need to provide proof.
Controller needs to consider the rights of third parties when reviewing a request - rights such as data protection, trade secrets or intellectual property of others.
A balance of rights, the controller should endeavour to comply with the request insofar as possible, whilst protecting the rights and freedoms of others.
Client to make request in writing to [email protected]
The request will be assessed by the Data Protection Officer.
The assessment will factor in the GDPR controller requirements - ensuring proof of identity. If not provided in the first instance, the Data Protection Officer will request prior to the assessment.
A response will be issued to the client in writing either providing the requested information or action taken; or in the event the request is deemed to be unfounded or excessive, provide justification for declining the request.
The PII will be reviewed in all listed business systems.
Request to modify can be actioned such as change of name, contact information.
Request to erase information will need to be considered and the client informed of potential implications of engaging with Lumify Work.
Example: the client is booked for a course in two months' time and requests Lumify Work to remove their email address from our system. Booking management processes in the lead up to training include email communication.
Staff can source PII retained via Employment Hero and can actively manage their own information.