The new law gives individuals greater control over their data by setting out additional and more clearly defined rights for individuals whose personal data is collected and processed by organisations.
Personal data is any information that can identify an individual person. This includes a name, an ID number, location data (for example, location data collected by a mobile phone) or a postal address, online browsing history, images or anything relating to the physical, physiological, genetic, mental, economic, cultural or social identity of a person.
GDPR is based on the core principles of data protection which existed under previous law. These principles require organisations and businesses to:
collect no more data than is necessary from an individual for the purpose for which it will be used
obtain personal data fairly from the individual by giving them notice of the collection and its specific purpose
retain the data for no longer than is necessary for that specified purpose
keep data safe and secure
provide an individual with a copy of his or her personal data if they request it
How we use personal data
The Department of Rural and Community Development is committed to protecting and respecting your privacy and employs appropriate technical and organisational measures to protect your information from unauthorised access.
The department needs to process certain personal data in order to carry out tasks required in the course of the performance of our functions and to comply with certain legal obligations to which the department is subject.
Examples of this include processing related to our role as an employer or in relation to appointments to boards; processing data in order to make payments or carry out audits; processing submissions from public consultations; processing contact details in the course of communicating with a wide range of the department’s stakeholders; processing formal requests for information or general queries from customers; processing connected to public procurement and contractual agreements with service providers, processing in relation to applications to programmes run by the department, etc.
Personal data will only be exchanged with other departments, agencies or public bodies in certain circumstances where this is provided for by law.
Personal data will only be retained by the department for the period necessary for the purposes for which the data was collected and processed, or where subject to statutory requirements. Personal data no longer required will be destroyed or deleted in a secure manner.
The department’s Data Protection Policy
contains further details on how we deal with personal data and your rights as a data subject.
How to make a GDPR request
If you wish to obtain details about personal data that this department may be processing relating to you then please download the Subject Access Request form by clicking on the link below.
Please return the completed form, either by post or email to:
Data Protection Officer
Information that can be obtained with a GDPR request
Under the GDPR individuals have the significantly strengthened rights to:
obtain details about how their data is processed by an organisation or business
obtain copies of personal data that an organisation holds on them
have incorrect or incomplete data corrected
have their data erased by an organisation, where, for example, the organisation has no legitimate reason for retaining the data
obtain their data from an organisation and to have that data transmitted to another organisation (Data Portability)
object to the processing of their data by an organisation in certain circumstances
not to be subject to (with some exceptions) automated decision making, including profiling
You will receive an acknowledgement letter from us once we have verified that your Subject Access Request form is fully completed and when we have also verified your identity based on the documentation you provide.
We will reply to requests within a calendar month but we do reserve the right to extend that deadline by up to two months if the request is complex or if we are processing numerous requests at that time. In such cases we will notify you of the requirement to extend the deadline within a month of receiving the request and we will provide a reason for the delay.
Cost of making a GDPR request
If the Subject Access Request is either unfounded, excessive or repetitive the department will charge for dealing with the request by levying a fee to take into account the administrative costs of providing the information. In all other cases the service is free of charge.