EU GDPR
EUROPEAN GENERAL DATA PROTECTION REGULATION
On May 25, 2018, the EU General Data Protection Regulation (“GDPR”) came into operation and is directly applicable in all EU member states. In addition, a new Data Protection Act 2018 was enacted to complement the GDPR.
BACKGROUND
The Act and Regulation
The main purpose of the legislation is to protect the personal data of living individuals and to ensure that it is handled fairly, securely, and properly. It also provides individuals with the right to access personal data that is held about them in both computer and paper-based records. The changes are intended to improve customer confidence in the information that is provided and to make firms accountable for the information they control and process.
The GDPR strengthens individuals' rights and introduces new obligations on data controllers and data processors. The controller says how and why personal data is processed, and the processor acts on the controller’s behalf.
This is done through setting out six Data Protection Principles that must be adhered to when dealing with personal data. Under the GDPR, the data protection principles set out the main responsibilities for organizations. Article 5 (1) of the GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organizational measures.
Use of Personal Data
Lawfulness of processing:
Article 6 - Processing shall be lawful only if and to the extent that at least one of the following applies. Energy Shares will have a lawful purpose to process data, which will include one or more of the following:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Individuals' Rights
Individuals have the following rights:
The right to be informed
Energy Shares will provide detailed information to data subjects. Information provided to data subjects must be concise, transparent, intelligible, and easily accessible, be in clear and plain language, and be delivered in writing, including by electronic means where appropriate.
The right of access
Customers can access their processed personal data, including receiving a copy on request, unless providing a copy adversely affects the rights and freedoms of others. Customers have a right to obtain confirmation from the data controller (Energy Shares) that it is processing their personal data. Energy Shares must provide this information for free. However, Energy Shares may charge a ‘reasonable’ fee for requests that are excessive or unfounded.
Responding to Data Subject Access Requests
When responding to data subject requests, the GDPR imposes several obligations on data controllers under Article 12 (Transparent information, communication, and modalities for the exercise of the rights of the data subject). Energy Shares will aim to respond within one month of receiving the request unless there is a need to extend the response time.
The data subject can obtain certain information about the data controller's processing, including:
- the purposes of the data processing;
- the categories of personal data processed;
- the recipients or categories of recipients who receive personal data from the data controller;
- how long the data controller stores the personal data, or the criteria the data controller uses to determine retention periods;
- information on the personal data's source if the data controller does not collect it directly from the data subject; and
- whether the data controller uses automated decision-making, including profiling, the auto-decision logic used, and the consequences of this processing for the data subject.
The right to rectification
Individuals are entitled to have their personal data rectified if it is inaccurate or incomplete. This must be done within one month, which can be extended by a further two months if the request is complicated. Where Energy Shares does not take any action in response to a request for rectification, Energy Shares must explain to the individual why this is the case and inform them of their right to complain to the supervisory authority and to seek a judicial remedy.
The right to erasure / right to be forgotten
Data subjects (individuals) have the right to request the erasure of the personal data that a data controller (Energy Shares) holds about them, also known as the right to be forgotten. A data subject has the right to request erasure of their personal data if one of the following applies:
If the personal data is no longer necessary for the purpose the data controller collected it for then Energy Shares will erase the data.
If the customer withdraws consent to the processing activities and there is no legal reason why we have to continue processing, then Energy Shares will erase the data. This also applies if the use or sharing of the data is not in line with the original purpose for which it was needed, i.e. the performance of an agreement.
The data subject can withdraw his or her consent if the use or sharing of the data is intrusive or particularly unexpected, against the original purpose for the data.
When the individual objects to the processing and there is no overriding legitimate reason for continuing the processing, or if the processing is unlawful, then Energy Shares will erase the data. Energy Shares will also erase personal data where it has to be erased in order to comply with a legal obligation. This is not a choice and has to be done; otherwise Energy Shares will be in breach of the General Data Protection Regulation.
However, Energy Shares can refuse an erasure request specifically if it is complying with a legal obligation, exercising or defending a legal claim, or using the data for statistical purposes or for law enforcement purposes, such as producing data for law enforcement agencies like the National Crime Agency, Police and Department for Work and Pensions.
If Energy Shares has disclosed data to third parties in the course of their business relationship, they must inform the third parties about the data subject’s request for erasure of the personal data unless it is impossible or a disproportionate effort to do so.
The right to restrict processing
The GDPR grants data subjects the right to restrict the processing of their personal data under certain circumstances, such as where the data is inaccurate. A data subject may contest the accuracy of personal data, for example where Energy Shares has recorded it incorrectly or it has been supplied to Energy Shares incorrectly by the dealer or a third party. The data controller must restrict processing of the contested data until it can verify its accuracy.
If the processing is unlawful, the data subject can, instead of requesting erasure, request that the data controller restrict use of the unlawfully processed personal data.
When a data subject requests a data processing restriction the data controller can continue to store the personal data but may only process it with the data subject's consent; to establish, exercise, or defend legal claims; to protect the rights of another individual or legal entity or for important public interest reasons.
Before lifting the data processing restriction, the data controller must notify the data subject.
The right to data portability
The GDPR gives data subjects the right to data portability.
The right to data portability is distinct from the right to access personal data. The data subject's right to data portability includes the right to receive a copy of the personal data from the data controller in a commonly used and machine-readable format and store it for further personal use on a private device and to transmit the personal data to another data controller. In addition, data subjects can have their personal data transmitted directly from one data controller to another where technically possible. This new right helps give data subjects more control over their personal data and helps switching from one service provider to another by allowing the data subject to easily move, copy, or transmit their personal data. The right to data portability only applies under limited circumstances and to a limited subset of personal data processed by the data controller.
The data portability right only applies to personal data about the data subject and pseudonymous data that can be clearly linked to a data subject. It does not apply to anonymous data or information that does not concern the data subject.
Information provided to the data controller by the data subject can include the following:
- information that a data subject knowingly and actively provides, such as name and contact information; and
- information generated by and collected from the data subject's activities while using the service or device, for example, search history.
It does not include personal data that the data controller generates as part of data processing, for example, data derived in the process of profiling from personal data provided by the data subject.
The right to data portability also only applies to automated data processing that is either based on a data subject's consent or necessary to perform a contract between the data controller and the data subject.
Data controllers should avoid retrieval and transmission of data containing personal data about third parties where the processing would affect the rights and freedoms of the third parties. Also, if the data contains personal data about third parties, the recipient data controller must have a lawful ground to process the personal data.
The right to object
The GDPR grants data subjects the right to object to data processing under certain circumstances, such as for direct marketing purposes, including profiling related to direct marketing. A data controller must stop processing a data subject's personal data for direct marketing purposes when the person objects.
The right to object also applies to processing, including any profiling, based on either of the following legal grounds: processing that is necessary to perform a task in the public interest, or processing that is necessary for the data controller's or a third party's legitimate interest.
If the data subject objects to such processing, the data controller must stop processing the personal data unless the data controller either demonstrates a compelling legitimate ground for processing the personal data that overrides the data subject's interests, or needs to process the personal data to establish, exercise, or defend legal claims.
The data controller must clearly notify data subjects of their right to object to certain data processing when it initially provides an information privacy notice.
Rights in relation to automated decision making and profiling
Data subjects have the right not to be subject to automated decision-making, including profiling, which has legal or other significant effects on the data subject. This right does not currently apply to Energy Shares as there is no automated decision-making.