Page 5 - TASIS GDPR FAQs

DRAFT: TASIS GDPR FAQs
COMPREHENSIVE FAQs
What rights must organisations enable under the GDPR?
The GDPR provides EU residents with control over their personal data through a set of “data subject rights.” This includes the right to:
• Access information about how personal data is used
• Access personal data held by an organization
• Have incorrect personal data deleted or corrected
• Have personal data rectified and erased in certain circumstances (sometimes referred to as the “right to be forgotten”)
• Restrict or object to automated processing of personal data
• Receive a copy of personal data
I have heard something about a right to be forgotten. What does this mean?
Basically, this means that an individual can request that their data be removed or deleted when there is no compelling reason for the School to continue processing that information. This has been watered down a little, and in the GDPR legislation it is termed the ‘right to erasure’.
This right will apply in certain circumstances:
• when the data is no longer necessary or relevant;
• when the individual specifically withdraws consent to processing;
• when personal data has been unlawfully processed in breach of the GDPR; and
• when the data must be erased in order for a controller to comply with legal obligations.
If any of the above conditions applies under this right of erasure, it is the School’s responsibility to delete and remove the data. This should be done without any unreasonable delay but definitely within a month unless specific circumstances apply.
It is worth noting that this right is neither absolute nor unlimited.
How much can organisations be fined for noncompliance?
Companies can be fined up to €20m or 4% of annual global turnover, whichever is greater, for failure to meet certain GDPR requirements. Additional individual remedies could increase our risk if we fail to adhere to GDPR requirements.
How do I know if the data that my School is processing is covered by the GDPR?
The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as: