This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the General Data Protection Regulation (GDPR).
The purposes for which we are processing your personal data are to:
- record and respond to any request that you make under the Freedom of Information
Act 2000 (FOIA).
- record and respond to any request that you make for your own personal data, or any
other request under data protection legislation.
- find out whether the department holds any personal information about you
We will also need to process your personal data if you ask us to review the way that we have handled your request for information or if you make an appeal to the Information Commissioner’s Office (ICO).
We may also process your personal data internally to help us improve the way that we respond to requests for information under the Freedom of Information Act 2000 (FOIA) or data protection legislation.
We will process the following personal data:
- Your name
- Your address
- Your email address
- Your request
We may also process other personal data if you volunteer it.
In responding to subject access requests we may process any data held on you by the department and we will also process your personal data to verify your identity.
Legal basis of processing
The legal basis for processing your personal data is that it is necessary to comply with a legal obligation placed on us as the data controller.
Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Although we do not collect any sensitive personal data, we may process this in responding to a subject access request. We may also process data about criminal convictions in responding to a subject access request.
The legal basis for processing your sensitive personal data, or data about criminal convictions, is that processing is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown, or a government department.
The function is meeting our legal obligations to answer subject access requests.
As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email, and document management and storage.
Your personal data will be kept by us for up to three years since your last contact with us. We may keep your personal data for longer than this if your request goes through an appeal process.
Copies of identity verification documents will be destroyed after we have verified your
You have the right to:
- request information about how your personal data are processed, and to request a copy of that personal data
- request that any inaccuracies in your personal data are rectified without delay
- request that any incomplete personal data are completed, including by means of a supplementary statement
- request that your personal data are erased if there is no longer a justification for them to be processed
- in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted
- object to the processing of your personal data where it is processed for direct marketing purposes
As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the European Union. Where that is the case it will be subject to equivalent legal protection through the use of Model Contract Clauses.
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Information Commissioner's Office
Telephone: 0303 123 1113
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.
The data controller for your personal data is the Department for Exiting the European Union.
The contact details for the data controller are:
Department for Exiting the European Union
Telephone: 0207 276 1234
The contact details for the data controller’s Data Protection Officer (DPO) are:
Data Protection Officer
Cabinet Office (DExEU)
The Data Protection Officer provides independent advice and monitoring of the Department for Exiting the European Union’s use of personal information.