data subject

  • HR and GDPR The General Data Protection Regulation (GDPR) was enforced on the 25th May 2018, which applied major changes to the way data is protected, enabling employers to reconsider their employment and HR procedures, and amend them in order to comply with GDPR requirements.

     Employers should maintain focus on the following factors:

  •  

    Practicalities of a data processing agreement

    Article 28 of the General Data Protection Regulation (GDPR) states the conditions of a data processing agreement between the data controller and the data processor.

    Recently, this agreement has been brought in to question, regarding its workability and whether it is actually working in the way it is prescribed in the GDPR requirements. https://gdpr-info.eu/art-28-gdpr/

    Organisations are usually established as the data controller, and the program they use acts as the data processer, i.e. Microsoft One Drive for Business, which is utilised by various companies. In accordance with Article 28 of the GDPR, an organisation should have a controller-processor agreement with their chosen software, which would usually be dictated by the data processor.

  • Record keeping - right to be forgotten

    GDPR gives individuals the right to have their personal data deleted, although this is not an 'absolute' right. If you still need to retain the personal data concerned, you may be able to refuse the request. Moreover, the right to erasure does not mean you erase all the data if you have a need and legitimate interest basis to process their data for audit records. If you cannot erase data (for example, there is a legal requirement to keep certain records for 6 years) then consider restricting the processing, such as moving to archiving.

    The data minimisation principles should also be applied, together with an appropriate retention period. Ensure that you inform the data subject as to what data you are keeping.

  • Subject Access Request outside of the EU

    On some occasions, an EU subject may require a Subject Access Request (SAR) which involves a transaction outside of the EU. Therefore, data processors must be aware that a data controller outside of the EU will not necessarily give up any or many obligations to the General Data Protection Regulation (GDPR).

    So, the question is whether data processors need to address the Subject Access Request without the controller or not?

  •  Right to be forgotten

    Companies need to consider what technical measures they can take in an effort to adhere to the data subject's right to erasure, or 'right to be forgotten'.

    Anonymisation ensures that the anonymised data is no longer identifiable to a person. Therefore, it is no longer considered personal data under GDPR. Where anonymisation has been done, and a subject access request (SAR) follows, you would be then able to explain that you no longer have personal data related to that subject on your database. That said, anonymised data is very hard to achieve perfectly and leaves some risk unless performed properly.

Make a free enquiry, call now

0151 659 1070




Please let us know your name.



Please enter a valid telephone number



Please let us know your email address.



Please let us know your message.

Please tick the box below

Invalid Input

Invalid Input
I understand that by submitting my query to you, my personal data (name, email address and contact number) will be processed by you in order to contact me and assist me with my query. I confirm I have read and understood the Privacy Notice and I consent to you processing my data for the purpose of contacting me to assist me with my query.




How can we help you?

To find how our friendly and knowledgeable solicitors can help you, contact us today.

Make a free enquiry - Call now - 0151 659 1070