Coacto GDPR Policy
Individuals have the right to request erasure of their personal data in certain circumstances. Our business must comply with the requirements of the UK General Data Protection Regulations (UK GDPR) and we must be able to demonstrate compliance to the Information Commissioner’s Office (ICO).
Upon receipt of a request for erasure our internal policy is as follows:
Paul Harris, Founder and Principal Consultant is responsible for the handling of right of erasure requests in our business.
The duties of the data protection team include but are not limited to:
- Log the receipt and fulfilment of all requests received from a data subject/the person making the request/requestor.
- Acknowledge the request.
- Verify the identity of any person making the request.
- Maintain a database on the volume of requests and compliance against the statutory timescales.
- Verify whether if we are the controller of the data subject’s personal data.
- Check if we are not a controller, but rather a processor. If so, inform the data subject and refer them to the actual controller. This needs to be recorded in writing.
- Where applicable, decide if a request is excessive, unfounded or repetitive and communicate this to the requestor.
- Decide if an exemption applies.
- If a request is submitted in electronic form, any information should preferably be provided by electronic means as well.
Oral or written requests
Right of erasure requests can be made in writing, electronically or verbally.
If a member of staff is in any doubt if a certain situation has given rise to a valid right of erasure, contact Paul Harris by email providing full details of the incident. Staff should do this without delay and certainly within two business days.
Where a member of staff receives a right of erasure request, they must email the relevant information to Paul Harris at email@example.com without delay and certainly within two business days.
How do we verify the requestor’s identity?
If we are in doubt as to the identity of the requestor, you may ask the individual to supply valid evidence to prove their identity.
We may verify the requestor’s identity either through a phone call where we ask questions that only the requestor will know the answers to or by requesting forms of identification.
We accept the following forms of identification:
• Current UK/EEA Passport
• UK Driving Licence
How to process the request
Our aim is to determine the validity of the erasure request. If the request is not clear, or where if we process a large quantity of information about an individual, the UK GDPR permits us to ask the individual to specify the information the request relates to. Where this applies, we will proceed with a request for additional information.
We must respond to the data subject within 30 days of receiving the request as valid. This is a requirement under the UK GDPR.
Any employee, who receives a request from Paul Harris to locate and supply information relating to an erasure request, must make a full exhaustive search of the records which they are responsible for or own. This may include but is not limited to emails (including archived emails and those that have been deleted but are still recoverable), Word documents, spreadsheets, databases, systems, removable media (for example, memory sticks), recordings, paper records in relevant filing systems.
Paul Harris should check whether the erasure request also involves data shared with third parties or online.
If it’s found to be a valid request for erasure we must comply unless an exemption can be applied (see below). Information must be supplied in an intelligible form and we must explain acronyms, codes or complex terms, where relevant.
No charge to comply with the request (with exceptions)
We must fulfill valid requests for erasure free of charge, as per the UK GDPR rules. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
Where applicable, Paul Harris will determine the ‘reasonable fee’ that must be based on our administrative cost incurred by our business.
Excessive, manifestly unfounded or repetitive requests
Where requests are manifestly unfounded, excessive and repetitive, we may refuse to act on the request or charge a reasonable administration fee. Paul Harris will make a decision on this.
Paul Harris must provide information on our decision to the requestor in writing within 30 days and must state how they reached their decision.
As stated we have to respond to a request for erasure within 30 days. If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner and within 30 days.
Where we decide not to take action on the request of the data subject, we need to inform the data subject of this decision without delay and at the latest within 30 days of receipt of the request.
How to handle exemptions?
If a member of staff believes that we have a valid business reason for an exemption, please inform the data protection team without delay by email to firstname.lastname@example.org.
Where a requestor is not satisfied with a response to a request, we must manage this as a complaint. We must advise the requestor that if they remain unhappy with the outcome they may complain to the Information Commissioners Office or take legal action against us.
Breaches of this policy by members of staff will be investigated and may result in disciplinary action. Serious breaches of policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against the relevant member of staff.