You have specific rights under the GDPR, as set out below.
Access your information.
Most information we hold about you is in your patient record, accessible from the Platform. However, you have the right to submit what is known as a ‘data subject access request’, which enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Rectify incorrect information.
If you believe that any of your data is incorrect, you can ask us to rectify it. We make sure to do so if this is the case; however, we may need to verify the accuracy of the new data you provide to us.
Erase your information.
This enables you to ask us to delete or remove personal data where there is no lawful basis for us to continue to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below). Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. In particular, our obligation under law to retain GP patient records means we cannot erase your medical record. If you have not created any medical information, your request will be reviewed and upheld where possible.
Object to our processing of your personal data.
You can do this where we are relying on legitimate interests to process your data and you wish to object to such processing as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
Restrict further processing of your data.
This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- if you would like us to verify it is accurate;
- where the data has been processed unlawfully, but you do not want us to erase it;
- where you need us to hold the data, even if we no longer require it, to establish, exercise or defend legal claims;
- where you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
Request transfer of your data to you or to a third party.
Your data will be provided in a structured, commonly used, machine-readable format. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. Note that this right only applies to information you have provided to us.
Withdraw your consent at any time.
This is applicable where we are relying upon your consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Automated decision making
If we use your personal data for the purposes of automated decision-making (a decision solely by automated means without any human involvement) and those decisions have a legal (or similarly significant) effect on you, you have the right to challenge such decisions under the GDPR. You may request human intervention, express your point of view, and obtain an explanation of the decision from us. This right does not apply in the following circumstances:
- where the decision is necessary for the entry into, or performance of, a contract between DCA and you;
- the decision is authorised by law; or
- you have given your explicit consent to such processing.
Where DCA uses your personal data for profiling purposes (automated processing of personal data to evaluate certain things about data subjects), the following shall apply:
- clear information explaining the profiling will be provided, including its significance and the likely consequences;
- appropriate mathematical or statistical procedures will be used;
- technical and organisational measures necessary to minimise the risk of errors and to enable such errors to be easily corrected shall be implemented; and
- all personal data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling.
Exercising your rights
If you wish to exercise any of the rights set out above, please contact us using the details set out in section 2.1 above.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month of receiving the request. Occasionally, it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.