Guidance

Department for Exiting the European Freedom of Information and Subject Access Request Privacy Notice

This privacy notice explains how the Department for Exiting the European Union will process your personal data related to Freedom of Information Requests and Subject Access Requests it receives.

Documents

Personal Information Charter

Details

This notice sets out how we will use your personal data, and your rights. It is made under Articles 13 and/or 14 of the General Data Protection Regulation (GDPR).

Purpose

The purposes for which we are processing your personal data are to:

  • record and respond to any request that you make under the Freedom of Information Act 2000 (FOIA).
  • record and respond to any request that you make for your own personal data, or any other request under data protection legislation.
  • find out whether the department holds any personal information about you

We will also need to process your personal data if you ask us to review the way that we have handled your request for information or if you make an appeal to the Information Commissioner’s Office (ICO).

We may also process your personal data internally to help us improve the way that we respond to requests for information under the Freedom of Information Act 2000 (FOIA) or data protection legislation.

The data

We will process the following personal data:

  • Your name
  • Your address
  • Your email address
  • Your request

We may also process other personal data if you volunteer it.

In responding to subject access requests we may process any data held on you by the department and we will also process your personal data to verify your identity.

The legal basis for processing your personal data is that it is necessary to comply with a legal obligation placed on us as the data controller.

Sensitive personal data is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Although we do not collect any sensitive personal data, we may process this in responding to a subject access request. We may also process data about criminal convictions in responding to a subject access request.

The legal basis for processing your sensitive personal data, or data about criminal convictions, is that processing is necessary for reasons of substantial public interest for the exercise of a function of the Crown, a Minister of the Crown, or a government department. The function is meeting our legal obligations to answer subject access requests.

Recipients

As your personal data will be stored on our IT infrastructure it will also be shared with our data processors who provide email, and document management and storage.

Retention

Your personal data will be kept by us for up to three years since your last contact with us. We may keep your personal data for longer than this if your request goes through an appeal process.

Copies of identity verification documents will be destroyed after we have verified your identity.

Your rights

You have the right to:

  • request information about how your personal data are processed, and to request a copy of that personal data
  • request that any inaccuracies in your personal data are rectified without delay
  • request that any incomplete personal data are completed, including by means of a supplementary statement
  • request that your personal data are erased if there is no longer a justification for them to be processed
  • in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted
  • object to the processing of your personal data where it is processed for direct marketing purposes

International transfers

As your personal data is stored on our IT infrastructure, and shared with our data processors, it may be transferred and stored securely outside the European Union. Where that is the case it will be subject to equivalent legal protection through the use of Model Contract Clauses.

Complaints

If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

Email: casework@ico.org.uk

Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.

Contact details

The data controller for your personal data is the Department for Exiting the European Union. The contact details for the data controller are:

Department for Exiting the European Union
70 Whitehall
London
SW1A 2AS

Telephone: 0207 276 1234

Email: dataprotection@dexeu.gov.uk

The contact details for the data controller’s Data Protection Officer (DPO) are:

Stephen Jones
Data Protection Officer
Cabinet Office (DExEU)
70 Whitehall
London
SW1A 2AS

Email: dataprotection@dexeu.gov.uk

The Data Protection Officer provides independent advice and monitoring of the Department for Exiting the European Union’s use of personal information.

Published 21 June 2019

Transition period

Find out what it means for you