Individual Rights

Overview

The UK GDPR / Data Protection Act 2018 and EU GDPR (General Data Protection Regulations) put individuals in control of their data. They enhance existing rights and introduce new ones. Here is a brief summary of the rights of individuals under the regulations.

The Right to be Informed covers some of the key transparency requirements under GDPR.  It is about providing you with clear and concise information about what we do with your personal data.

Articles 13 and 14 of the GDPR specify what you have the right to be informed about. Please view our Privacy Notices.

The right of access, more commonly known as subject access, gives you the right to obtain a copy of your personal data as well as other supplementary information.

You have the right to obtain the following:

  • Confirmation that we are processing your personal data;
  • A copy of your personal data; and
  • Other supplementary information - this largely corresponds to the information we have within our Privacy Notices

You are entitled to your own personal data and not to information relating to other people (unless the information is also about you or someone is acting on your behalf). Please see the 'How to Apply for a Subject Access Request' section.

You have the right to have inaccurate personal data rectified. You may also be able to have incomplete data completed; however, this will depend on the purposes for the processing. It may involve providing a supplementary statement to the incomplete data.

You have the right to have your personal data erased. This is also known as 'the right to be forgotten'. However, this right is not absolute and will only apply in certain circumstances.

You can request that your personal data be erased if:

  • The personal data is no longer necessary for the purpose for which we collected or processed it;
  • You withdraw your consent;
  • You object to the processing of your data and we have no overriding legitimate reason to continue processing it;
  • You object to your personal data being used for direct marketing purposes;
  • We have processed your data unlawfully;
  • We have to comply with a legal obligation;
  • We have processed personal data to offer information society services to a child.

You have the right to restrict the processing of your personal data in certain circumstances.  This means that you can limit the way we use your data and is an alternative to requesting the erasure of your data.

You have the right to restrict the processing where you have a particular reason for wanting the restriction.  This could be because you have issues with the content of the information we hold or how we have processed your data.  In most cases we will not be required to restrict your personal data indefinitely, but we will need to have the restriction in place for a certain period of time.

You can request that we restrict the processing of your personal data in the following circumstances:

  • You contest the accuracy of your personal data and we are verifying the accuracy;
  • The data has been unlawfully processed and you oppose erasure and request restriction instead;
  • We no longer require the personal data but you need us to keep it in order to establish, exercise or defend a legal claim; or
  • You have objected to us processing your data under Article 21(1) and we are considering whether our legitimate grounds override yours.

The right to data portability gives you the right to receive personal data that you have provided to us in a structured, commonly used and machine-readable format. It also gives you the right to request that this data is transmitted by us (as the data controller) directly to another controller.

The right to data portability only applies when:

  • Our lawful basis for processing the information is consent OR for the performance of a contract; and
  • We are carrying out the processing by automated means (i.e. excluding paper).

Information is only within the scope of the right to data portability if it is your personal data that you have provided to us.

The right to object to the processing of your personal data allows you to ask us to stop processing your data.

The right to object only applies in certain circumstances. Whether it applies depends on the purposes for which we are processing it and our lawful basis for processing.

You have the absolute right to object to the processing of your personal data if it is for direct marketing purposes.  You can also object if the processing is for:

  • A task carried out in the public interest;
  • The exercise of official authority vested in the University;
  • Our legitimate interests (or those of a third party).

In these circumstances the right to object is not absolute.

If we are processing data for scientific or historical research, or statistical purposes, the right to object is more limited.

Automated individual decision-making is a decision made by automated means without any human involvement.

Examples of this include:

  • An online decision to award a loan
  • A recruitment aptitude test which uses pre-programmed algorithms and criteria.

Automated individual decision-making does not have to involve profiling, although it often will do.

Organisations obtain personal information about individuals from a variety of different sources. Internet searches, buying habits, lifestyle and behaviour data gathered from mobile phones, social networks, video surveillance systems and the Internet of Things are examples of the types of data organisations might collect.

Information is analysed to classify people into different groups or sectors, using algorithms and machine-learning. This analysis identifies links between different behaviours and characteristics to create profiles for individuals. 

Based on the traits of others who appear similar, organisations use profiling to:

  • Find something out about individuals’ preferences;
  • Predict their behaviour; and/or
  • Make decisions about them.

This can be very useful for organisations and individuals in many sectors, including healthcare, education, financial services and marketing.

Automated individual decision-making and profiling can lead to quicker and more consistent decisions. But if they are used irresponsibly there are significant risks for individuals. The GDPR provisions are designed to address these risks.

The University does not currently undertake any profiling activities or take automated decisions about you.

In most cases we will not charge a fee.

However, where the request is manifestly unfounded or excessive, we may charge a “reasonable fee” for the administrative costs of complying with the request.

We can also charge a reasonable fee if you request further copies of your data following a request; this fee will be based on the administrative costs of providing further copies.

If you wish to exercise one of your individual rights detailed above, contact gdpr@derby.ac.uk.

You can make any request either verbally or in writing; we recommend that you email gdpr@derby.ac.uk. Please give a full and clear description of the nature of your request, as this will help us to handle it effectively.

You will be required to provide valid ID (birth certificate, driving licence or passport).

Please provide sufficient details in order for us to locate your personal information.

For subject access requests (requests for your own information), please see the instructions below.

Under the UK GDPR and the guidance from the Information Commissioner’s Office (ICO), the response time for handling a request from you to exercise one of your 'individual rights' is generally as follows:

One Month Response Time

  • We must respond to a request within one calendar month from the date the request is received. This period starts the day after the request is received.

Extension of Time

  • If the request is complex or if multiple requests have been received, we can extend the response time by an additional two months. If an extension is necessary, we must inform you, the requester, within the initial one-month period, explaining the reasons for the delay.

Clarification and Verification

  • The response time may be paused if we need further information to identify you, the individual, or to clarify the request. In such cases, the time frame does not start until the required information is provided.

Notification of Decision

  • We must inform you, the requester, whether the request has been granted or denied and, if denied, provide reasons for the refusal.

If you wish to request your information please follow the instructions below.

Your request

For a Subject Access Request (SAR), the request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that you are asking for your own personal data. The request, however, must be in writing (for example, an email or letter) and it must include:

  • Your full name
  • Your address for correspondence
  • A clear description of the information you are seeking

This will help us to process your request efficiently and accurately.

Response Time

We are legally required to respond to a request within one calendar month. Upon receiving your subject access request, we will process it and respond within one calendar month, starting from the next working day after receipt.

If your request is complex or if we have received multiple requests from you, we may extend the response time by an additional two months. Should an extension be necessary, we will notify you within the initial one-month period and explain the reasons for the delay.

To ensure timely processing, please provide any additional information that we may request so that we can locate the data you are requesting, including:

  • Any information necessary to clarify your request
  • Proof of identity, as required

To clarify

  • If a request (including ID) is received on 5th May, the response period will start on 6th May, giving us until 6th June to comply.
  • If the response date falls on a weekend or public holiday, the deadline will be extended to the next working day.
  • If the following month has fewer days than the start date, the deadline is adjusted accordingly (e.g. a request received on 30th January will have a deadline of 28th February, unless it is a leap year).

Please note that the response time begins only when we receive a complete request, including valid ID and any required clarifications.

Appointing an Agent

You can appoint someone to act as an agent to make a request on your behalf. If you choose to do so, please ask them to provide the same details as listed above. Additionally, we will require proof of your consent and your valid ID.

We will acknowledge receipt of your request to the agent, in line with the details above, and may contact you for further clarification regarding the information they have requested.

Contact details

Please email your subject access request to Assurance Services at gdpr@derby.ac.uk or post to:

University of Derby, Assurance Services, Legal, Governance & Assurance Services, Kedleston Road, Derby, DE22 1GB

If you are unsatisfied with the way in which we process your personal data, we ask that you let us know so that we can try and put things right.

If you are still unhappy with our response or the processing of your request, you can make an appeal or complaint to the University's designated Data Protection Officer at DPO@derby.ac.uk.

If we are not able to resolve issues to your satisfaction, you can refer the matter to the Information Commissioner's Office (ICO). The ICO can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Need advice?

You can contact us at gdpr@derby.ac.uk.

Alternatively, for detailed guidance, please visit the ICO's website.