The European Union’s General Data Protection Regulation (GDPR), also known as RGPD in French and DSGVO in German, is a regulation that applies to non-profit organisations, companies, and public entities worldwide to strengthen data protection for all individuals within the European Union (EU). The GDPR gives individuals the right to request their personal data that is processed by a controller.
Lumify Work collects personal data when you place an order to study with us. The policy below details Lumify Work's requirements for complying with the GDPR.
Requests are referred to as data subject access requests or access requests.
Right of access, correction, erasure
An individual has the right to obtain the following information from a controller:
Confirmation if personal data concerning the individual is being processed
Where personal data is being processed, a copy of the personal data
The purpose of the processing
Categories of personal data
Recipients of personal data, to whom it has been or will be disclosed - identifying recipients in third countries or international organisations and appropriate safeguards
The retention period or criteria used to determine the retention period
Existence of the following rights:
right to rectify
right to erasure
right to restrict processing
right to object
Right to raise a concern with supervisory authority
Where personal data is not collected from the data subject, any available information as to its source
Existence of automated decision making, how decisions are made, significance and consequence of processing
Process
An individual is to put their request in writing to privacy@lumifygroup.com. While writing is preferred, these requests may be received via phone call, email, or mail. The context of the request needs to be verified to ensure that the individual is wanting to withdraw consent relating to their PII data. Right of access is also dependent on the individual's ability to verify their identity.
Request verification of identity from the individual, utilising available contact information stored within our information systems. It is important to note that Lumify Group parties should not disclose any of the information to the individual during this verification process.
A written response will be issued to the individual acknowledging their request and advising a response will be received within one month.
The request should also always be assessed by the Data Protection Officer.
The assessment will factor in the GDPR controller requirements. If not provided in the first instance, the Data Protection Officer will request prior to the assessment.
If the request is to rectify a record, the individual will be directed to https://my.lumifywork.com - this is a client interface where they can update their PII.
The assessment should include a review of third parties - has Lumify Group shared the individual's information for the purpose of delivery of services? Request must be shared with the third party (if applicable).
This information can be shared via third party portal or email - action taken will be recorded against the Helpdesk ticket.
The response to the individual needs to include details of the third party and acknowledgement that the request was provided to the third party.
A response will be issued to the individual in writing either providing the requested information or action taken; or in the event the request is deemed to be unfounded or excessive, provide justification for declining the request.
The PII will be reviewed in all listed business systems - this includes direct and indirect PII.
Requests to modify, such as a change of name or contact information, can be actioned.
Requests to erase information will need to be considered and the individual informed of potential implications of engaging with Lumify Group.
Example: the individual is booked for a course in two months' time and requests Lumify Group to remove their email address from our system. Booking management processes in the lead-up to training include email communication.
The controller can refuse where an access request is manifestly unfounded or excessive - need to provide proof.
The controller needs to consider the rights of third parties when reviewing a request - rights such as data protection, trade secrets, or intellectual property of others.
As a balance of rights, the controller should endeavour to comply with the request insofar as possible, whilst protecting the rights and freedoms of others.
Staff request
Staff can source PII retained via Employment Hero and can actively manage their own information.