Data Protection and Access

1 – SUBJECT ACCESS REQUESTS

 

1.1 Data subjects (i.e. individuals relating to whom you hold data) should be encouraged to

use FORM No. 1 below when submitting a request to exercise their right of access

(Access Request"). All data subjects have the right to have access to a copy of all

information (called ‘personal data’) that Optique Opticians holds and processes

relating to them.

 

Additional information that may be required before responding to an Access

Request.

 

1.2 The Scope of the searches

If it is not clear from the request what information the data subject seeks to obtain, Insert

name of company can confirm the scope of the search(es) it will carry out for that

individual's personal data. Optique Opticians is expected to make extensive

efforts to search for all information that the data subject wishes to obtain. Insert name of

company cannot insist that the data subject narrow the scope of the proposed searches.

Optique Opticians can refuse requests if they are ‘manifestly unfounded’, or

‘excessive’ particularly if the requests are repetitive. Optique Opticians can ask

the data subject if there is particular data being sought by them, which would satisfy their

request, whilst always making it clear that Optique Opticians the Practice will

furnish a complete response if required. Where the request can readily be complied with,

no narrowing should be sought.

 

1.3 When sending the data subject confirmation of the request, Optique Opticians can

describe the scope of the searches to be carried out and request confirmation that these

are appropriate.

 

1.4 When reviewing the relevant form and confirming the scope of the searches, Insert name

of company may suggest to the data subject an agreed scope, for example, searches of

the email folders of relevant individuals (e.g. if they are an employee, the data subject,

their line manager, and any employees with whom they worked closely), folders of

network hard drives such as HR folders, and any other areas particularly relevant to that

individual.  Specific search terms could can also be agreed with the data subject.

Generally, these will be the name of the data subject, along with a reasonable date range,

and any other relevant identifiers. This can allow electronic documents to be searched

quickly.

 

1.5 The following considerations may be relevant when determining the scope of the search:

(a) Date ranges: if there is a particular matter in which the data subject is interested, it

may be appropriate to limit the date range to when the matter was active. This can

be particularly important with respect to CCTV footage. The data subject can,

however, insist on any date range, provided it is not manifestly unfounded or

excessive.

 

(b) Back-up data: With respect to back-up data, if Optique Opticians is

satisfied that the back-up replicates the data held in live systems, it is unlikely that

searches of back-up data would be required.

(c) Archived data: Archived data should be searched, this is data that Insert name of

company  has decided it may wish to retrieve at a later date.

(d) Hard copy documents: Hard copy documents that are stored in such a way that

information about individuals is accessible are within the scope of an Access

Request.  This would include a HR file about that individual, although it might not

include notes made by individuals in a personal notebook, or data which is ad hoc,

and not organized, or intended to be put on any organized system.

 

When is an Access Request valid?

1.6 The Practice is not required to respond to repeated requests that are made at

unreasonably frequent intervals, provided Optique Opticians can show that the

request is manifestly unfounded or excessive in character. If the requestor fails to provide

the necessary identification verification, Optique Opticians may request additional

information to confirm the identity of the data subject. If the request is for specific personal

data that is protected for some reason (e.g. is privileged, contains personal data of others,

etc.) then the request should be declined on those grounds. If you receive a repeated

request from the same individual and the previous request was very recent, you should

take into account whether the personal data is particularly sensitive, whether the

processing might affect the data subject's rights and whether the personal data is likely to

have changed since the last request before determining whether the interval between

requests is unreasonable. If you have any doubts about whether a repeat request has

been made unreasonably soon, please refer to specialist expertise.

 

In the event of a repeated request, you could offer only to provide information that has

changed since the previous request, but if the data subject insists on receiving all the

personal data again, Optique Opticians must provide this, unless you deem the

request to be manifestly unfounded or excessive In character, particularly because of its

repetitious nature.

 

Information relevant to carrying out an Access Request

1.7 As well as the documents held by Optique Opticians in hard copy or electronic

form, the scope of the searches may refer to information held by third parties such as

service providers. In this case, Optique Opticians should consider whether third

parties may be holding information to which The Practice would not have access. If the

third party is a ‘controller’ in respect of that data, (i.e. if it is that third party’s data, not the

Practice’s data) Optique Opticians should advise the data subject to contact that

controller. If, however, the third party is a processor on behalf of Insert name of

company, the personal data should be provided.

 

1.8 After the searches are carried out, the documents returned should be reviewed by Insert

name of company as quickly as possible. The following considerations may be relevant

to the review process:

a) If the documents contain any personal data of individuals other than the data subject, this

information should be redacted (made illegible) in order to provide only the personal data

of the data subject and can only be disclosed if the other individual has consented to its

disclosure;

b) If information might be subject to a legal privilege, for example personal data included in

legal advice provided to Optique Opticians or has been prepared by lawyers in

reasonable anticipation of litigation, it should not be disclosed to the data subject and the

request must be referred to specialist expertise; or

c) If personal data is included in information that relates to the prevention or detection of a

crime, it should not be disclosed if doing so might prejudice the investigation into that

crime;

What must Optique Opticians provide in response to an Access Request?

1.9 The Practice  will provide the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be

disclosed, in particular recipients outside the EU or international organisations;

d) where possible, the envisaged period for which the personal data will be stored, or, if not

possible, the criteria used to determine that period;

e) the following statement “ You have the right in some circumstances to request from us

rectification or erasure of your personal data or restriction of processing of your personal

data or to object to such processing”;

f) the following statement “ You have the right to lodge a complaint with the Data Protection

Commission;

g) where the personal data is not collected from the data subject, any available information

as to their source; this

h) if there is any automated decision-making, including profiling, which produces legal effects

on or significantly affects the data subject and information about the logic involved, as well

as the significance and the envisaged consequences of such processing for the data

subject.

1.10 In addition to the above Optique Opticians and the cover letter set out here, Insert

name of company will provide the data subject with a copy of all personal data deemed

validly requested in the relevant Access Request.

1.11 An individual who makes an Access Request is only entitled to receive a copy of the

personal data processed by Optique Opticians relating to them. They are not

entitled to full copies of the documents containing personal data as these may, for

example, contain personal data relating to other individuals. Therefore, when responding

to these requests, ensure that the response is limited to only data relating to the data

subject, rather than the entire documents containing their personal data.  This may involve

redactions, particularly of names or other identifiers of other people.

1.12 Where the data subject makes their request by electronic means, the information should

be provided in a commonly used electronic form, except when the data subject asks for it

to be provided otherwise.

 

 

 

FORM NO. 1

ACCESS REQUEST FORM

 

As described in the AOI Code of Conduct, you have the right to access and receive a copy of

the personal information we hold about you. We ask that you complete this form so we can

determine the details of your request, and respond to and implement your request as quickly

as possible.

This process will provide you with the personal information we hold about you, and information

relating to you, in manual or electronic form. Information relating to third parties or other

information exempt under applicable law(s) will not be provided.

Please complete your details below and sign where indicated.  Send the completed form and

proof of identity (by way of proof of your name and your address) to: Insert designated

department/person

Agent of the requestor:  Please note that you must provide your own contact details and you

must provide proof of your entitlement to act on the data subject’s behalf.

Please complete as much of the following information as you can:

Full name of data subject:

(First)                                  (Surname)

Present Address:

 

Street

 

Town

 

County

 

Postcode

 

 

 

Other contact details:

 

Telephone No.

 

e-mail

 

Mobile

 

If applicable; Current/last post held in

Practice

 

Department

 

Office location

 

Your employee no. (if any)

 

If applicable:

Dates of contact with Practice

 

Dates of actual visits to Practice

 

Any other relevant Information:

 

 

 

 

 

 

Details of the Agent or Requestor (if any)

 

Name:

 

Address:

 

Phone Number:

 

Email address

 

Proof of entitlement to act (enclose

authorisiation)

 

 

Details regarding what information you

are looking for.  The more details you can

give to us the better and quicker we will

be able to respond to you!

 

Hard copy files (please specify department

& location, if known)

 

Search criteria (i.e. name, key word, date),

 

Connection to file (i.e.

employee/partner/staff/client/supplier)

 

Electronic data (please specify system, if

known)

 

Search Criteria (please specify the search

criteria, e.g. system name, identifier no., if

known)

 

Connection to file (i.e.

employee/partner/staff/client/supplier)

 

Any other filing system

 

Search criteria

 

Any other information you feel might

assist us in responding to your request:

 

 

 

We promise to make every effort to respond to you within 1 calendar month of the receipt of your

request and valid identification documentation, but please note that this time may be extended to

3 months, when necessary, taking into account the complexity and number of requests.

 

 

Signed:  _________________________________

 

 

 

Date: ______________________

 

 

 

 

 

 

2. THE RIGHT OF RECTIFICATION & CORRECTION

2.1 Data subjects should be encouraged to use Form 2 below when submitting a request to

exercise their right of rectification/correction (a "Rectification Request").

2.2 Individuals have the right to require Optique Opticians to correct their personal

data if it is inaccurate. For example, if a data subject’s name is incorrectly recorded, Insert

name of company must update their records on receipt of a Rectification Request.

2.3 Individuals also have the right for any other personal data that is incomplete to be

updated, taking into account the purposes of the processing.

Additional information that may be required before responding to a Rectification

Request:

2.4 Upon receipt of a Rectification Request, Optique Opticians should verify, in so far

as possible, that the personal data provided as a correction to the existing personal data

is factually correct. For example, if a data subject who is a staff member is provided

additional information about their qualifications, this could be verified by the provision of

certifications.

2.5 If there are doubts about the accuracy of the provided information, further information

should be requested from the data subject who made the Rectification Request, and they

should be informed what information would be required by the Practice to verify the

changes.

When is a Rectification Request valid?

2.6 A Rectification Request is valid if the information that Optique Opticians has on

file is incorrect, and the updated information provided by the data subject is correct as

described above.

      Information relevant to carrying out a Rectification Request

2.7 Set out the operational steps required for The Practice's records to be updated, to reflect

changes under a Rectification Request. This process will of necessity vary according to

the category of data requiring correction.

2.8  Optique Opticians will inform any external entities that have received the personal

data that was subject to the Rectification Request of the updated personal data, unless

doing so would be impossible or take disproportionate effort. Optique Opticians

should have a list of Optique Opticians principal service providers, and a summary

of the data held by that processor, and the contact personnel at each one. Insert name of

company should keep a record of all communications to such entities and their response.

What must Optique Opticians provide in response to a Rectification Request?

2.9 Let the data subject know what changes have been made.

2.10  Optique Opticians must also provide the data subject with information on what

providers have been contacted and informed of the changes to the data.

 

 

 

FORM NO. 2

 

DATA CORRECTION/UPDATE REQUEST FORM

 

As described in the AOI Code of Conduct, you have the right to correct and update any

personal information about you that is inaccurate. We ask that you complete this form so we

can determine the details of your request and, where applicable, implement your request.

If your request is valid, we will correct and update the information requested.

Please complete your details below and sign where indicated.  Send the completed form and

proof of identity (by way of proof of your name and your address) to Insert name of the Privacy

Compliance Co-ordinator at address or Insert email address.

Please also provide any documentation you have to prove that the information you wish to update

needs to be updated or corrected.

Agents of the requestor:  Please note that you must provide your own contact details and you

must provide proof of your entitlement to act on the requestor’s behalf.

Please complete as much of the following information as you can:

Full name of data subject:

 (First)                           (Surname)

Present Address:

 

Street

 

Town

 

County

 

Postcode

 

Other contact details:

 

Telephone

 

Email

 

Mobile

 

 

Details of the Agent or Requestor (if any)

 

Name:

 

Address:

 

Phone Number:

 

Email address

 

Proof of entitlement to act (enclose

authorisiation)

 

 

 

 

 

 

Category of personal

information

Personal Information

Currently on File

Corrected Personal

Information

e.g. name, address.

 

 

 

 

 

 

We will make every effort to respond to you within 1 calendar month of the receipt of your

request and valid identification documentation, but please note that this time may be

extended to 3 months, when necessary, taking into account the complexity and number

of requests.

 

 

 

Signature   ____________________

 

Date   _____________________

 

 

 

 

 

 

3. RIGHT TO OBJECT TO PROCESSING

3.1 Data subjects should be encouraged to use Form 3 below when submitting a request to

exercise their right to object to processing (an "Objection Form”). Individuals have the

right to object to the processing activities that Optique Opticians carries out with

respect to their own personal data, in certain circumstances.

Additional information that may be required before responding to a Objection

Request.

3.2 If it is not clear from the Objection Form, Optique Opticians should confirm which

uses or processing of personal data the data subject objects to.

When is an Objection Form valid?

3.3 Individuals have the right to object to the processing activities that Insert name of

company carry out with respect to their personal data. An objection will be valid where

(a) the processing activity in question takes place on the basis of Insert name of

company's 'legitimate interests' without Optique Opticians having

compelling legitimate grounds which overrides the interests of the data subject.

Refer to legal basis for processing to determine if the personal data is

processed on the basis of Optique Opticians legitimate interests

grounds or for the establishment exercise or defence of legal claims.

To determine whether Optique Opticians has compelling legitimate

grounds which override the interests, freedoms and rights of the data subject in

continuing to process the personal data, Optique Opticians must

consider what business reason Optique Opticians has for using it. This

must then be balanced this against the data subject's right to control their

personal data. For example, while Optique Opticians may track its

users' behaviour on its websites and apps in order to understand how they are

used and to improve the functionality and individually customize the

appearance on the basis of how they use the websites or apps.  Collecting

website history is intrusive and if users object, their privacy interests will

probably override Optique Opticians business interests.

With the exception of processing related to direct marketing, where the data

subject continues to use Optique Opticians services, Insert name of

company legitimate interests, if such processing is necessary to provide the

service, may override the data subject's interests.  Alternatively, the processing

may be legitimized as being necessary to perform the contract or on consent.

You can refer to the records of processing activities that Insert name of

company keeps to determine the basis for processing;

(b) the processing takes place for the purposes of carrying out direct marketing

activities (such as sending marketing emails, letters, SMS messages, push

notifications or serving online behavioral advertising). In this case, Insert

name of company should immediately cease the processing related to those

direct marketing activities. For example, if there is an objection to the creation

of a profile about a customer that is used to send targeted direct marketing,

Optique Opticians should immediately cease using that profile to serve

advertising to that customer.

3.4 If, however, Optique Opticians is required to keep the personal data by virtue

of other legislation (e.g. for Revenue reasons, or by virtue of employment law), or in

order to make or defend legal claims (for example if a former employee is making a

claim against Optique Opticians, or if the processing was not based on the

legitimate interests grounds but on some other lawful ground, an objection would not

be valid. If the Optique Opticians has questions about whether an Objection is

valid, please seek specialist advice.

Information relevant to responding to an Objection Form

3.5 Set out any operational steps required for Optique Opticians processing activities

to be altered, to reflect changes after a valid objection. This process will of necessity vary

according to the category of data being processed.

3.6 Taking into account the costs of implementation, Optique Opticians should inform

any entities that carry out processing activities that were subject to the objection of the

request, unless doing so would be impossible or take disproportionate effort. Insert name

of company should have a list of Optique Opticians principal service providers,

for example CRM services, payroll providers, payment processing providers and IT

service providers, and a summary of the data being processed by that processor, and the

contact personnel at each one. Optique Opticians should keep a record of all

communications to such entities and their response.

e.g. :-

Name of processor; service provided/data processed; contact person

What must Optique Opticians provide in response to an Objection Form?

3.7 Optique Opticians must inform the data subject, where such is the case, that the

processing of their personal data has ceased in line with their request, and in particular

provide details of which processing activities have ceased.

 

 

FORM NO. 3

 

  OBJECTION TO PROCESSING FORM

As described in the AOI Code of Conduct, you have the right to object to our processing of

your personal information in certain circumstances. We ask that you complete this form so

we can determine the details of your request and, where applicable, implement your request.

If your request is valid, we will cease processing your personal information for the purposes to

which you object.

Please complete your details below and sign where indicated.  Send the completed form and

proof of identity (by way of proof of your name and your address) to Insert name of the Privacy

Compliance Co-ordinator at insert address/email address

Agents of the requestor:  Please note that you must provide your own contact details and you

must provide proof of your entitlement to act on the data subject’s behalf.

Please complete as much of the following information as you can:

Full name of data subject:

 (First)                                                     (Surname)

Present Address:

 

Street

 

Town

 

County

 

Postcode

 

Other contact details:

 

Telephone

 

Email

 

Mobile

 

 

Details of the Agent or Requestor (if any)

 

Name:

 

Address:

 

Phone Number:

 

Email address

 

Proof of entitlement to act (enclose

authorisiation)

 

 

 

 

Uses of personal information that you

object to

Reason for objecting to these uses of

your personal information

Please make reference to the uses of

personal information set out in our privacy

notice

e.g. our uses of the personal information are

unlawful, specifying precisely why; you no

longer want to receive direct marketing

messages from us

 

 

 

 

 

 

 

 

 

We will make every effort to respond to you within 1 calendar month of the receipt of your request

and valid identification documentation, but please note that this time may be extended to 3

months, when necessary, taking into account the complexity and number of requests.

 

 

 

Signature   ____________________

 

Date   _____________________

 

 

 

 

4. THE RIGHT TO RESTRICTION OF PROCESSING

4.1 Individuals should be encouraged to use FORM No, 4 below when submitting a request to

exercise their right of restriction of Optique Opticians processing of their personal

data (a "Restriction Request”). Individuals have the right to restrict the processing

activities that Optique Opticians can carry out with respect to their personal data.

Additional information that may be required before responding to a Restriction

Request

4.2 If it is not clear from the Restriction Request, Optique Opticians should confirm

which uses of personal data the data subject wishes to restrict.

When is a Restriction Request valid?

4.3 A Restriction Request is valid only where:

(a) the accuracy of the personal data is contested by the data subject for a period to

enable Optique Opticians to check the accuracy of the data;

(b) the processing is unlawful but, the individual does not wish to have the personal

data erased and wishes to restrict its use instead;

(c) Optique Opticians no longer requires the personal data for a lawful

purpose, but the individual requires the personal data for the establishment,

exercise or defence of legal claims; or

(d) the individual has objected to the processing (see section 3 above) and pending

verification of whether the legitimate interests of Optique Opticians

override those of the individual.

If a Restriction Request is found to be valid, Optique Opticians cannot process the

individual's personal data other than where the individual has consented to the

processing; for the establishment, exercise or defence of legal claims; to protect the rights

of another person; or for reasons of important public interest to the EU or a Member State.

If you have any questions about whether a restriction request is valid, please seek

specialist expertise.

Information relevant to implementing a Restriction Request.

4.4 Optique Opticians should set out the operational steps required for Insert name

of company processing activities to be altered, to reflect restrictions in operation after

implementing a valid request. This process will of necessity vary according to the nature

of processing being undertaken.

4.5 Optique Opticians should have a list of Optique Opticians principal

service providers, for example CRM services, payroll providers, payment processing

providers and IT service providers, and a summary of the data being processed by that

processor, and the contact personnel at each one. Optique Opticians should keep

a record of all communications to such entities and their response.

 

e.g. :-

Name of Processor; service provided/data processed; contact person

What must Optique Opticians provide in response to a Restriction Request?

4.6 Optique Opticians must inform the data subject that the processing of their

personal data has been restricted in line with their request, and provide details of which

processing activities have ceased or being amended.

4.7  Optique Opticians must also provide a list of all the entities that process the

relevant personal data, and that have been contacted by Optique Opticians in

accordance with Section 4.5 above, and should provide a copy of their response.

 

 

FORM NO. 4

RESTRICTION REQUEST FORM

As described in the AOI Code of Conduct you have the right to restrict our processing of your

personal information in certain circumstances. We ask that you complete this form so we can

establish the details of your request and, where possible, implement your request.

If your request is valid, we will restrict our processing of your personal information unless you

give your consent to us using it in the future, or we need to use it for other legal reasons.

Please complete your details below and sign where indicated.  Send the completed form and

proof of identity (by way of proof of your name and your address) to Insert name of the Privacy

Compliance Co-ordinator at insert address/email address

Agents of requestor:  Please note that you must provide your own contact details and you must

provide proof of your entitlement to act on the data subject’s behalf.

Please complete as much of the following information as you can:

Full name of data subject:

 (First)                                    (Surname)

Present Address:

 

Street

 

Town

 

County

 

Postcode

 

Other contact details:

 

Telephone

 

Email

 

Mobile

 

 

 

 

 

 

Uses of personal information to be

restricted

Reason for restricting these uses of

your personal information

Please make reference to the uses of

personal information set out in our privacy

notice

e.g. the personal information is inaccurate,

our uses of it are unlawful, etc.

 

 

 

We will make every effort to respond to you within 1 calendar month of the receipt of your request

and valid identification documentation, but please note that this time may be extended to 3

months, when necessary, taking into account the complexity and number of requests.

 

 

 

Signature   ____________________           Date   _____________________

 

 

 

 

 

 

5. THE RIGHT OF ERASURE/DELETION

 

5.1 Individuals (‘data subjects’) should be encouraged to use Form 5 below when submitting

a request to exercise their right of erasure/deletion (an "Erasure Request”) to require

Optique Opticians to delete their personal data in certain circumstances.

Additional information, which may be required before responding to an Erasure

Request.

5.2 If it is not clear from the Erasure Request, Optique Opticians may need to verify

precisely which personal data the requestor wishes to be deleted, and it may also be

helpful to understand why the requestor wishes to have that information deleted.

When is an Erasure Request valid?

5.3 Optique Opticians must delete personal data on receipt of an Erasure Request

where the Practice no longer has a valid reason to continue that processing. Examples

are set out below:

(a) the personal data is no longer necessary for the purpose for which it was collected

or otherwise lawfully processed. For example, if a contact at a client no longer

works for that client and makes an Erasure Request, there would be no need to

retain that information as the information was originally collected for processing in

the context of that client relationship;

(b) the personal data is processed only on the basis of the consent of the requestor,

and the requestor withdraws that consent. In general, making an Erasure Request

would be considered a withdrawal of consent;

(c) the requestor objects to processing being carried out in the legitimate interests of

Optique Opticians and there are no overriding legitimate grounds for

Optique Opticians to continue processing the personal data:-

To determine whether Optique Opticians has an overriding interest in

retaining the personal data, you should consider what business reason(s)

Optique Opticians has for retaining it. You should then balance these

against the requestor's right to control their personal data. For example, while

Optique Opticians may retain customer information in order to conduct

analytics and create appropriate marketing segments on the basis that this

allows it to manage its business most effectively, using a customer's personal

data after that customer has not used their account for a significant period is

not a particularly compelling business interest. As a general rule of thumb, an

individual with whom Optique Opticians has had not contact for a year

or more is no longer considered a customer. If that customer actively objects to

the retention of their personal data, their privacy interests would likely outweigh

Optique Opticians business interests.

In general, if the requestor continues using Optique Opticians services

for which their personal data is processed on the basis of Insert name of

company legitimate interests, these legitimate interests may outweigh the

requestor's interest in having their personal data deleted, and therefore the

personal data need not be deleted. You can refer to the records of processing

activities that Optique Opticians keeps in determining the basis for

processing;

(d) the personal data is being processed without a valid basis, for example if Insert

name of company was processing on the basis that the processing was

necessary for the performance of a contract with the requestor, but that contract

has now been terminated;

(e) the personal data must be deleted to comply with a legal obligation under EU law

or the law of an EU Member State to which Optique Opticians is subject;

or

(f) the personal data relates to a child under the age of 13 that was processed on the

basis of parental consent in the context of providing an 'information society

service', including any service provided over the internet.

5.4 Optique Opticians is not required to delete personal data which is subject to an

Erasure Request where Optique Opticians processing of the personal data is

necessary:

(a) For exercising Optique Opticians right of freedom of expression and

information.  This is unlikely to apply to Optique Opticians, but if you

consider it might, seek specialist expertise;

(b) For compliance with a legal obligation under EU law or the law of an EU Member

State to which Optique Opticians is subject, or for the performance of a

task carried out in the public interest. This is unlikely to apply to Insert name of

company;

(c) For reasons of public interest in the area of public health. This is unlikely to apply

to Optique Opticians;

(d) For archiving purposes in the public interest, scientific or historical research

purposes or statistical purposes, and only if erasing the personal data would be

likely to render impossible or seriously impair the achievement of these objectives.

This is unlikely to arise for Optique Opticians; or

(e) For the establishment, exercise or defence of legal claims. For example, Insert

name of company would not be required to delete personal data about a former

employee with whom there is an existing or potential employment dispute.

If you have any questions about whether these factors apply, you should seek specialist

expertise.

Information relevant to complying with an Erasure Request

5.5 Optique Opticians should set out the operational steps required for Insert name

of company records to be updated, to reflect changes under an Erasure Request. This

process will of necessity vary according to the category of data requiring correction.

5.6 Optique Opticians should inform any external entities that have received the

personal data that was subject to the Erasure Request of the updated personal data,

unless doing so would be impossible or take disproportionate effort. Insert name of

company should have a list of Optique Opticians principal service providers, for

example CRM services, payroll providers, payment processing providers and IT service

providers, and a summary of the data held by that processor, and the contact personnel at

each one. Optique Opticians should keep a record of all communications to such

entities and their response.

e.g. :-

(a) Name of Processor; service provided/data processed; contact

Implementing the Erasure Request

5.7 Optique Opticians should list out the specific steps, it might have to take to

implement a specific Erasure Request. These might include, for example, a system

identifying where particular types of data are stored within the Optique Opticians

particular systems.

What must Optique Opticians provide in response to an Erasure Request?

5.8 Once an Erasure Request has been implemented, Optique Opticians should

contact the requestor to inform them that their personal data has been deleted, as

requested.

5.9 If requested, Optique Opticians must also provide a list of all the entities that

have received the personal data and that have been contacted by Insert name of

company in accordance with section 5.6 above.

 

 

FORM NO. 5

 

ERASURE REQUEST FORM

 

As described in the AOI Code of Conduct you have the right to have your personal

information deleted in certain circumstances. We ask that you complete this form so we can

determine the details of your request and, where applicable, implement your request.

If your request is valid, we will delete the information requested, unless we are required by law to

keep it  - in this case we will advise you of what we are keeping, and the reasons why.

Please complete your details below and sign where indicated.  Send the completed form and

proof of identity (by way of proof of your name and address) to Insert the name of the Privacy

Compliance Co-ordinator at insert address/email address

Agents of the requestor:  Please note that you must provide your own contact details and you

must provide proof of your entitlement to act on the data subject’s behalf.

 

Please complete as much of the following information as you can:

Full name of data subject:

 (First)                                  (Surname)

Present Address:

 

Street

 

Town

 

County

 

Postcode

 

Other contact details:

 

Telephone

 

Email

 

Mobile

 

 

Personal Information Currently on File

to be deleted

Reason why that personal information

should be deleted

e.g. name, mobile number, email address

e.g. is the information inaccurate or out of

date?

 

 

 

 

 

We will make every effort to respond to you within 1 calendar month of the receipt of your request

and valid identification documentation, but please note that this time may be extended to 3

months, when necessary, taking into account the complexity and number of requests.

 

 

 

 

Signature   ____________________    Date _____________________

 

6. THE RIGHT TO DATA PORTABILITY

 

6.1 Individuals should be encouraged to use Form No. 6 below when submitting a request to

exercise their right of data portability (a "Portability Request"). Data Subjects have the

right:

(a) To retrieve data relating to them processed by an organization, for personal use,

and to store the data on a device or a private cloud, for example. This right allows

them to manage their personal data more easily and by themselves.

(b) To transfer their personal data from one controller to another. The personal data

can thus be transmitted to a new controller, for example, to a competitor

i. by the person themselves

ii. directly by Optique Opticians, if the direct transfer is

"technically possible”.

Additional information that may be required before responding to a Portability

Request

6.2 Optique Opticians should have in place appropriate procedures for the data

subject to make a request for portability and to receive data about him (such as Form No.

4). In particular, data controllers must propose an authentication procedure that verifies

the identity of the data subject exercising the right to portability. Insert name of

company may also wish to contact the data subject to confirm the data controller or data

controllers to which their personal data should be transmitted, including a means by which

this personal data should be transmitted.

When is a Portability Request valid?

6.3 This right applies if ALL these three conditions are met

(a) The right to portability is limited to the personal data provided by the data subject,

AND

(b) The data is processed automatically (paper files are not included) and on the

basis of :

i. the prior consent of the data subject or

ii. the execution of a contract concluded with the data subject, AND

(c) The exercise of the right to portability must not affect the rights and freedoms of

third parties. (See para 6.7 below).

Information relevant to carrying out a Portability Request

6.4 The phrase “provided by the data subject” means

(i) data actively and consciously given by the data subject, such as data

provided to create an online account (eg email address, username, age), and

(ii) data generated by the data subject's activity when using a service or device

(e.g. purchases recorded on a loyalty card, history of searches made on the

internet, invoices, e-mails sent or received, records of Practice stays, etc.)

It does not include personal data that is derived, calculated or inferred from data

provided by the data subject. This data is excluded from the right to portability, to the

extent that the data is not provided by the data subject but created by Insert name of

company.

6.5 If the portability right applies, Optique Opticians should compile the personal data

about the data subject that meets the requirements set out above. To do this Insert

name of company should set out the operational steps Optique Opticians has

in place to extract data that is subject to the right to data portability. This might include

running a script to extract particular categories of personal data from databases. Insert

name of company should also consider the format into which the data should be

extracted. This should retain as much metadata as is practicable, while also being

sufficiently abstract from any proprietary data formats that might reveal information about

the ways that Optique Opticians operates its systems (for example XML, JSON

or CSV). The format can be made sufficiently abstract so it does not reveal any of Insert

name of company intellectual property rights or trade secrets.  In practice, this may

need to be outsourced

Can all the data provided by the person concerned be subject to the right to

portability?

6.6 The right to portability does not apply to personal data processed on any legal basis other

than the consent of the data subject or the performance of a contract. For example,

personal data processed by Optique Opticians only on the basis of legitimate

interest of legal obligations are not affected by the right to portability.

It is recommended that Portability Requests be analysed on a case-by-case basis,

whether for data processing in human resources management or in other areas.

6.7 Optique Opticians response to and implementation of a Portability Request

should not adversely affect the rights of others (e.g. individuals whose contact details

appear in an online address book that is subject to a Portability Request). When Insert

name of company wishes to transmit such data to a third party, it can in no way transmit

the data without a legal basis to do so. Optique Opticians should not provide

personal data of other individuals included in the data subject’s files.

6.8 An organization can respond to a request for portability through the provision of a file

containing all portable data, or by providing automated tools and APIs that allow the

extraction of relevant data.

6.9 Whatever the means of provision proposed, it must be easy to use, accessible, allow the

reception of data in a secure manner and minimize the risk of violation of the data

processed by the organisation. The organisation must therefore research and analyse

each of the methods intended to be used to remove any obstacle and facilitate the access

of the right to portability to the data subject concerned. Outsourcing of this is

recommended.

 

 

 

What are the controller’s responsibilities after transmitting the Data?

6.10 Optique Opticians responding to a person exercising the portability right is not

responsible for the data subject's processing of their own data once it has been received

by the data subject. It is also not responsible for the processing carried out by the

recipient controller receiving said data at the request of the person exercising his right to

portability.

What if Optique Opticians is receiving data from a Portability Request ?

6.11 If Optique Opticians is receiving data at the request of a data subject as part of

their right to portability, Optique Opticians is required to ensure that such data is

relevant and not excessive in view of the purpose of the new processing of the data that

the data subject wishes to be transferred to Optique Opticians. Insert name of

company must also clearly inform the data subject concerned of the purpose of the new

processing and, more generally, the principles of data protection of the personal data

applicable to this new processing .

 

 

FORM NO. 6

 

PORTABILITY REQUEST FORM

 

As described in the AOI Code of Conduct, where we use your personal information to fulfill

our contractual obligations to you, or where you have consented to our use of your personal

information, you have the right to 'port' any such personal information you provide to us.

This means you have the right to receive a copy of it in a machine readable format and to

have it transmitted to another company. We ask that you complete this form so we can

determine the details of your request and implement your request.

This process will provide you with certain personal information that you have provided to us in a

format that can be read electronically, and, if you wish this, can be sent to another data controller.

Please complete your details below and sign where indicated.  Send the completed form and

proof of identity (by way of proof of your name and your address) to Insert name of the Privacy

Compliance Co-ordinator at insert address/email address

Agents of requestor:  Please note that you must provide your own contact details and you

must provide proof of your entitlement to act on the data subject’s behalf.

 

Please complete as much of the following information as you can:

Full name of data subject:

 (First)                                  (Surname)

Present Address:

 

Street

 

Town

 

County

 

Postcode

 

Other contact details:

 

Telephone

 

Email

 

Mobile

 

 

 

 

 

Details of the Agent or Requestor (if any)

 

Name:

 

Address:

 

Phone Number:

 

Email address

 

Proof of entitlement to act (enclose

authorisiation)

 

 

To help us to respond to your request as

quickly as possible, please provide as

much detail as possible regarding the

personal information you seek. If you

wish to 'port' all applicable personal

information, please write 'all' below

Names and contact details of companies

to which that data should be transmitted

e.g. all information I have uploaded to the

website; payment details; or billing and

delivery addresses.

 

 

 

 

 

 

 

 

We will make every effort to respond to you within 1 calendar month of the receipt of your

request and valid identification documentation, but please note that this time may be

extended to 3 months, when necessary, taking into account the complexity and number

of requests.

 

 

Signature   ____________________

 

Date   _____________________

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

ADDITIONAL FORMS

 

 

 

Appendix A

 

FORM

DESCRIPTION

PAGE

7

Request For Further Information

 

8

Acknowledgement of Rights Request

 

9

Rejection of Rights Request – Unable to comply

 

10

Request to Third Party

 

11

Letter advising Delayed Response

 

12

Completion of Rights Request

 

 

 

 

 

 

 

FORM NO. 7

REQUEST FOR FURTHER INFORMATION

Date:

To:  Data Subject’s address or email

Bcc: Insert Responder’s Address or email

Subject: Your request to exercise your rights – further information required.

 

Dear Data Subject’s name

We have received your request to exercise your right to insert right being exercised, dated date

and received by us on date However, to determine whether this request is valid, we require

further information from you.

 

If identification is in doubt

Please provide a copy of your passport or driving licence or other form of official identification so

that we can confirm your identity. This is a legal requirement to ensure we do not comply with a

request about you from somebody posing as you.

 

Clarification of Request Needed

We require further information about the precise details of your request in order to be able to

comply with it appropriately. Please could you provide us:

 

Here advise the Data Subject as precisely as possible what it is that you need to clarify

Please do not hesitate to contact us if you have any queries about the progress of your request.

 

_____________________

Signature

 

 

_____________________

Date

 

 

 

 

FORM NO. 8

Acknowledgement of Rights Request

Date:

To: Data Subject’s Address/email address

Bcc: Responder’s address/email address

Subject: Acknowledgement of you request to exercise your rights

 

Dear Data Subject’s name

We have received your request to exercise your right to  insert right being exercised, dated

insert date.

 We aim to respond to this request within 1 calendar month, but please note that this time may be

extended to 3 months, when necessary, taking into account the complexity and number of

requests.

 

Please do not hesitate to get in touch if you have any questions about the progress of your

request.

 

 

_____________________

Signature

 

 

_____________________

Date

 

 

 

FORM NO. 9

REJECTION OF RIGHT REQUEST – UNABLE TO COMPLY

Date:

To: Data Subject’s Address/email address

Bcc: Responder’s address/email address

Subject: Your request to exercise your rights.

Dear Data Subject’s name

 

Dear Data Subject’s name

We have received your request to exercise your right to  insert right being exercised, dated

insert date.

 

Unfortunately, we are not able to comply with such request for the following reasons:

 

Set out the reason/s for refusal to comply, based on the reasons set out in Schedule 1

Please do not hesitate to get in touch with me if you have any further questions about the

reasons we were not able to comply with your request.

 

Please note that you also have the right to contact the Data Protection Commission, and we give

their contact details* below. Their website is at https://dataprotection.ie

Yours etc,

 

 

 

Signature   ____________________

 

Date   _____________________

 

 

 

 

 

*Contact Details :

Data Protection Commission.

Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland.

Phone +353 (0761) 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757

email: info@dataprotection.ie

 

 

FORM NO. 10

REQUEST TO THIRD PARTY PROCESSOR

ACTING ON THE PRACTICE’S BEHALF

 

Date:

To: Third Party’s address or email address

Bcc: Responder’s address or email address

Subject: Request to exercise rights for Data Subject’s name

 

Dear Third Party

We received a request from Data Subject’s name and identifying features to exercise their right to

insert right being exercised.

Because of the services you provide to this Practice, relevant personal information is held in your

systems and you carry out relevant processing activities that are subject to this request. Please

action this request in accordance with our contract with you and with applicable law within 10

business days. Please complete the information requested below and return a copy to me at this

address.

If you should have any questions about this request, please contact me at Responder’s contact

information. We appreciate your prompt response.

 

Signature   ____________________

 

Date   _____________________

 

_____________________________________________________________________________

Third Party Notes:

0 The request has been implemented as requested.

0 The request has been complied with, but with the following exceptions:-

___     _____________________________________________________________________

____     ____________________________________________________________________

_____     ___________________________________________________________________

___

0A full Report has been sent to the Practice.

 

 

FORM NO. 11

LETTER ADVISING DELAYED RESPONSE

Date:

To: Data Subject’s address or email

Bcc: Responder’s address or email

Subject: Delay in our response to your request to exercise your rights

 

Dear Data Subject’s Name

We are still processing your request to exercise your right to  insert right being exercised,

dated insert date and expect to respond to this request by insert date.

The reason for this delay is that insert reason.

We appreciate your understanding as we work to process this request.

Please do not hesitate to get in touch if you have any questions about the progress of

your request.

 

 

Signature   ____________________

 

Date   _____________________

 

 

 

 

 

FORM NO. 12

COMPLETION OF RIGHTS REQUEST

Date:

To: Data Subject’s address or email

Bcc: Responder’s address or email

Subject: Your request to exercise your rights.

 

Dear Data Subject’s name

We have now implemented your request to exercise your right to insert right being

exercised, dated insert date. We have prepared the attached Report to provide details to

you of how this has been carried out.

We trust that this satisfies your request to exercise your rights, but if you have any further

questions please contact us at      .

Please note that you also have the right to contact the Data Protection Commission, and

we give their contact details* below. Their website is at https://dataprotection.ie

 

 

Signature   ____________________

 

Date   _____________________

 

 

 

Attached or Enclosed :

Report and any other information required.

 

*Contact Details :

Data Protection Commission.

Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland.

Phone +353 (0761) 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757

email: info@dataprotection.ie

 

 

 

 

 

1

     © GDPR Ltd. 2018

 

 

 

 

ADDRESS:

Optique Opticians,

Level 1, 18 Briarhill Shopping Centre,

Ballybrit, Galway,

H91 E1XD.

 

View Map

OPENING HOURS:

Monday 9.30am to 6pm

Tuesday 9.30am to 6pm

Wednesday 9.30am to 6pm

Thursday 9.30am to 7pm

Friday 9.30am to 6pm

Saturday 9.30am to 5pm

Sunday Closed

CONTACT:

Tel: 091 386 669

Email: info@optique.ie

Facebook Logo Button Twitter Logo Button Instagram Logo Button