General Data Protection
The privacy of our stakeholders is important to us. The General Data Protection Regulation (GDPR) requires organisations to process personal data in a transparent manner. Our Privacy Notices describes how Derby College Group uses the personal information it is provided with. A copy of all our Privacy Notices can be found at the links below:
The Privacy Notices will be updated when required and the latest version is published on the DCG website. If you have any questions about this policy, please contact the Data Protection Officer.
Subject Access Requests
The Data Protection Act 2018 and Derby College Data Protection Policy gives any individual the right to obtain confirmation that their data is being processed, and where this is the case, access to the personal data. The right of access to this information is referred to as Subject Access Request (SAR).
The College will endeavour to provide access to personal data within one month of receipt of a subject access request. If a request is complex, an extension of a further two months will be requested from the individual making the request.
A copy of the information will be provided free of charge however, a ‘reasonable fee’ may be charged is a request is unfounded or excessive.
Who can make a Subject Access Request?
Persons who are entitled to access personal data under this procedure are:
The individual (also known as the data subject).
A representative of the data subject who has written consent (e.g. solicitor; a court appointed representative if the data subject could no longer manage his or her own affairs; a person with enduring Power of Attorney or quite simply anyone else the individual wants acting for them).
The parent or guardian of a child under 16 years of age: In cases where the child agrees, or it was in the child’s best interest for access to the data to be granted.
How can I make a Subject Access Request?
Please use the Subject Access Request online form to make a request.
Right to Erasure
What is the right to erasure?
Under Article 17 of the UK GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.
The right only applies to data held at the time the request is received. It does not apply to data that may be created in the future. The right is not absolute and only applies in certain circumstances.
When does the right to erasure apply?
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose which it has been originally collected or processed;
- where consent was relied on as the lawful basis for holding the data, and the individual wishes to withdraw their consent;
- legitimate interests has been relied on as the basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- personal data has been processed for direct marketing purposes and the individual objects to that processing;
- personal data has been processed unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
- to comply with a legal obligation; or personal data has been processed to offer information society services to a child.