GDPR INDIVIDUAL RIGHTS
At Referral-AI, we care about your privacy
The General Data Protection Regulation (“GDPR”) was enacted in the European Union in May 2018 to protect the personal data and privacy of EU residents.
GDPR regulates how companies, located both within and outside of the EU, can lawfully handle EU personal data, and provides individuals with certain rights over their own data.
Companies that handle personal data need to have an individual’s consent or their own legitimate interest.
Individual Rights under GDPR
In Chapter 3 of GDPR there are eight specific rights that individuals have over their personal data.
- To Be Informed
You have the right to be informed when a company collects, uses or processes your personal information, including the purpose for processing the data, how long the data will be retained, and who it will be shared with. Only in specific circumstances do companies not need to inform individuals, for example, if they already know about it, or if they deem it would involve a disproportionate amount of effort to provide.
- Access
Data Subject Access Requests (DSAR) provide individuals with the right to ask for and get a copy of their personal data, including information on how the data is processed.
- Rectification
Data Subject Access Requests (DSAR) provide individuals with the right to ask for and get a copy of their personal data, including information on how the data is processed.
- Erasure
Individuals can only exercise their right to have personal data deleted in the following circumstances:
- Your data is no longer necessary to continue processing.
- In order to comply with a legal obligation.
- You withdraw the consent you gave the company to process your data.
- You object to the processing of your data and the company has no overriding legitimate interest to continue the processing.
- Your data has been processed unlawfully.
- Your data is being processed for marketing purposes and you object to that.
- Restriction
Individuals can exercise the right to restriction only in the following circumstances, and usually temporarily:
- During the period of time a company spends verifying the accuracy of the personal data they have for you because of a challenge you made.
- During the period of time a company spends considering whether they have a legitimate interest ground to override the request to object to the processing of personal data.
- The data has been processed unlawfully (i.e. no lawful basis for processing) but there is no need for the data to be deleted.
- You require the data to be held with the company, even if they don’t need it anymore, because you are involved in a legal claim.
- Data Portability
Individuals have the right to obtain a copy of personal data that has been previously provided to a service provider and to reuse it for other services. Personal data in this context includes observations of an individual’s activities; it does not include data that has been extrapolated by the service provider, such as a user profile.
- Objection
The right to object will stop or prevent the processing of personal data, in the following circumstances:
- If the lawful basis of the processing is either legitimate interest, or for a “public task” carried out in the interest of the public or to exercise official authority.
- In order to stop all processing for the purpose of marketing.
* If the company can demonstrate compelling and overriding legitimate interest, or if the processing is related to legal action, then this trumps the individual’s right to object.
- Automated decision-making and profiling
Profiling means automated processing of personal data to evaluate certain things about an individual such as predicting behavior.
Referral-AI complies with the GDPR
- The Company’s Privacy Policy informs individuals at the point in time the personal data is collected.
- A webform is available for individuals to submit DSAR requests. Responding to a request may take up to one month. It may take longer to respond if the request is complex, in which case you should be informed of that fact. Usually the service is free unless the request is unfounded or excessive.
- A webform is available to correct / complete personal data. You can also request restriction of the data whilst it is being corrected. The same timelines apply as for a DSAR!
- When an individual has the right to request erasure, the way to exercise it is the same as above (web form). The same timelines apply.
- When an individual has the right to restrict erasure, the way to exercise it is via a web form. The same timelines apply. The right is usually exercised in conjunction with the right to rectification or the right to object. It could also be an alternative to the right to erasure. A requestor should be notified before any restriction is subsequently lifted.
- When an individual has the right to data portability, the way to exercise it is the same as above and it should be free. The same timelines apply.
- This right is exercised in the same way as above with one qualification. If the objection is made regarding personal data processed under legitimate interest or public task, the request needs to be accompanied with specific reasons for the objection.
- If you believe that a company is using automated decision-making but shouldn’t be, you can submit a request that they don’t subject you to this. When an individual has the right to refrain from profiling, the way to exercise it is the same as above and it should be free. The same timelines apply.
- Used for a different purpose than was meant for
- Kept longer than necessary
- Not kept securely or there’s been a data breach
- Processed without a lawful basis
- Has been disclosed unlawfully
If you think your personal details and data are part of our database, please use our Privacy Center, Claim Page where you can find the tools to control your data.