Individual Rights Request Policy

1. Introduction and Scope

1.1

Under the General Data Protection Regulation (EU) 2016/679 (“GDPR”), which is European data protection law which is effective in all European Union (“EU”) member states (and which will likely continue to apply to the UK once withdrawn from the EU), individuals have the right to understand how Catholic Voices (“CV”) uses any personal data which it collects and uses about them and have the right to make certain decisions about how that personal data is used.

1.2

When CV uses, or 'processes’, personal data for its own purposes (rather than processing personal data for another organisation as part of providing a service to that organisation), CV is called a 'controller' of that personal data under the GDPR. This means that CV is responsible for meeting the requirements of the GDPR, and other EU / individual member state (i.e. usually UK, and principally the Data Protection Act 2018) data protection laws / regulations (together, the “Data Protection Laws”), which apply to it, and for making sure that individuals can exercise their rights over their personal data.

1.3 

In particular, individuals whose personal data is collected and/or used by CV have the following rights in relation to that personal data:

(a)            the right of access to personal data;

(b)            the right to rectification of personal data;

(c)            the right to erasure of their personal data;

(d)            the right to 'data portability';

(e)            the right to restrict CV's processing of their personal data; and

(f)              the right to object to CV's processing of their personal data.

1.4 

This policy explains how CV must deal with an individual's request to exercise each of their rights (each a "Rights Request").

Failure to comply with this policy is a serious matter and may result in disciplinary action if you are a CV employee, or a fine or legal proceedings against CV.

 

2. What is the purpose of this policy?

2.1 

CV is required to respond to all Rights Requests in a documented, consistent and timely manner in a way that complies with the Data Protection Laws.

2.2

All Rights Requests should be either complied with (where CV is obliged to comply) or responded to within 1 calendar month of the receipt of the Rights Request or, where applicable, receipt of the information needed to verify the identity of the requestor. If these documents are provided separately, the deadline will be 1 calendar month from the date of receipt of the later document. In rare cases, it may be possible to extend the deadline in certain circumstances as described in section 4.12.

We are required to respond to Rights Requests promptly and within one month. So don’t ignore communications you think could be Rights Requests – act quickly!

 

3. What is 'personal data'?

3.1

Personal data is information which relates to an individual, who can be identified either directly by that information or in combination with other information held or easily accessible by CV.

3.2

Personal data includes, among other things, names, email addresses, images of the individual, membership numbers, bank details and opinions about that individual stated by others, in other words it is information about an individual whether their name is used or not, so long as it is clear that it is about that individual. We recommend that you review CV’s privacy policy, available on the CV website, to familiarise yourselves with the types of personal data which CV routinely collects and uses.

Individuals have rights in relation to their personal data. Personal data is a broadly defined concept. If you’re not sure whether information is personal data, ask the CV Administrator.

 

4. Procedure for Responding to Rights Requests

Submitting a Rights Request

4.1

There is no specified way in the Data Protection Laws by which individuals must make Rights Requests in order for them to be valid. However, Rights Requests will normally be made by individuals contacting us through email or postal mail. CV should consider and respond to all requests from individuals relating to their rights, even if it just to inform them that we do not consider it obligatory for us to comply.

4.2

If a CV employee, or anyone else acting on our behalf, receives a Rights Request from an individual, that Rights Request should be forwarded to the CV Administrator immediately, where it will be assigned to one of the executive team or a trustee (the "Responding Individual ").

 If you are the Responding individual, you are responsible for ensuring that the Rights Request is properly dealt with in accordance with this Policy.

Receipt of the request

4.3

When the Responding Individual receives a Rights Request, they should review that request.

4.4

The Responding  Individual should:

(a) ensure that the scope of the Rights Request is sufficiently clear. If it is not clear, the Responding Individual should contact the requestor to request further information. The types of further information which may be required in respect of each right are set out in the descriptions of each right in the Appendix; and

(b) check that the identity of the requestor has been verified. Where CV has reasonable doubts concerning the identity of the requestor, CV can ask the requestor for additional information necessary to confirm his or her identity. The Responding Individual should check in the first instance whether the requestor’s identity can be verified from the information CV already has in relation to that individual (for example, has CV had any correspondence with the individual in the past?). If it is not possible to identify the requestor with certainty, CV is only obliged to comply with the Rights Request if the requestor supplies CV with sufficient information which allows CV to confirm their identity. This should comprise proof of identity (e.g. copy of passport, driving licence or ID card) and proof of address (e.g. recent utility bill or bank statement). The Responding Individual should contact the requestor to ask for such information where it is necessary to confirm the requestor’s identity. It may sometimes also be reasonable to ask for further information to confirm an individual’s identity in certain circumstances, for example where the subject matter of a Rights Request is particularly sensitive.

We must always ensure that the scope of any request is sufficiently clear and that we can verify the identity of the requestor.

4.5

Once the Responding Individual has received any additional information required about the scope of the request and appropriate identification documents from the requestor, they should acknowledge receipt of the Rights Request by contacting the requestor.

4.6

The Responding Individual should then determine whether the Rights Request is valid. Information about whether a Rights Request is valid is set out in the information about each particular right in the Appendix.

4.7 

If the Rights Request is not valid, the Responding Individual  should contact the requestor and explain the reasons why the Rights Request is not valid. However, if the Rights Request is valid, the Responding Individual should properly action and respond to the Rights Request.

We must always acknowledge a Rights Request by contacting the requestor. We should always check that the Rights Request is valid and identify which right the requestor wishes to exercise e.g. access, rectification, objection etc.

 

Actioning the Rights Request

4.8

The Responding Individual should follow the appropriate steps for actioning the relevant type of Rights Request. Relevant considerations with respect to each right are set out in the descriptions of the rights in the Appendix. It is important for the Responding Individual to record the steps he or she takes when responding to the Rights Request.

4.9

In general, we should respond in the same format as the Rights Request was made, or, where this is not possible or appropriate, in an easy to use, accessible format which is commonly understood.

4.10

In considering the personal data that falls within the Rights Request, the Responding Individual may need to contact different people working for CV Everyone asked to assist should provide full cooperation to the Responding Individual.

4.11

In certain cases, actioning a Rights Request will require third parties (e.g. service providers and other third parties with which CV shares personal data) to take certain actions, for example to amend their records in response to a request to rectify personal data, or to delete personal data they hold in response to a request for erasure. The Responding Individual should therefore contact all third parties who hold personal data relating to the relevant individual and ask that they action the Rights Request, and confirm to CV that they have done so.

If we need to involve a third party (e.g. a service provider hosting the personal data) to help us respond to the Rights Request, inform them as soon as possible.

4.12

If, due to the scope of the Rights Request, it is possible that concluding the Rights Request will take longer than 1 calendar month (due to its complexity and the number of requests), the Responding Individual should notify the CV Administrator and should then contact the requestor to inform them that the response to the Rights Request will be delayed. This should only happen in exceptional circumstances, and the Responding Individual should document the reasons why the deadline was not met internally, and to the requestor. We can only extend our response period by a further two months.

In exceptional circumstances, we can take longer than 1 calendar month to respond in full to the Rights Request but we must keep the requestor updated about the delay.

4.13

Once the Rights Request has been responded to in full, the Responding Individual should prepare a report which sets out how the Rights Request has been responded to in full, detailing all correspondence shared with the requestor and all actions taken. This report should contain a description of all steps taken to determine whether the Rights Request was valid, and all steps taken to action the Rights Request. The Responding Individual should then contact the CV Administrator to confirm that the Rights Request has been completed, attaching the report. The additional information which may be required in respect of each right is set out in the Appendix.

You must record the steps taken and the results of the Rights Request.