General Data Protection Regulations 2018

The General Data Protection Regulation (GDPR) is a new regulation which has been incorporated into the Data Protection Act (DPA) 2018.

It strengthens the previous Data Protection Act 1998 (DPA) and will give individuals more rights and protections. It sets out the requirements for how all organisations handle personal data and came into effect as of 25th May 2018.

The GDPR applies to personal data which covers any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

The GDPR requires personal data to be processed in a manner that ensures its security. This must include protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. 

The GDPR requires organisations to have a valid basis in order to process personal data. There is six lawful basis for processing data and the Parish Council will ensure that it uses the basis that is the most appropriate when processing such data.

Lawful Basis for Processing Data:

  1. Consent
  2. Contract
  3. Legal Obligation
  4. Vital Interests
  5. Public Task
  6. Legitimate Interests

For more details on the lawful basis used by Chelmondiston Parish Council please see below - Lawful Process for Processing Data Policy 2018.

The GDPR creates some new rights for individuals and strengthens several rights that currently exist under the DPA. The rights are as follows:  

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency required under the GDPR. To view details of the Parish Council's purposes for processing data and who it will be shared with please see the Privacy Notice that is contained at the bottom of this page.

For a copy of the retention periods for all data, including personal data, please see the Parish Council's Document and Electronic Data Retention Policy 2018 that is again located at the bottom of this page.

The GDPR introduces the ‘right of access’ for individuals and from 25 May 2018, data subjects will have the right to request:

The reasons why their data is being processed and also the description of the personal data concerning them. Also the identity of anyone who has received or will receive their personal data. Also, details of the origin of their data if it was not collect from them.

A Subject Access Request (SAR) is a request for personal information that the Parish Council may hold about an individual. If an individual wishes to exercise their subject access right, the request must be made in writing. The purpose of a SAR is to make individuals aware of and allow them to verify the lawfulness of processing of their personal data. Under the GDPR and the current Data Protection Act (DPA), individuals have the right to obtain confirmation as to whether personal data is being processed. The Parish Council's Subject Access Request Policy is available to view at the bottom of the page.

 Listed below are other policies that Chelmondiston Parish Council have recently adopted to ensure that your privacy and your right to privacy are adhered to in conjunction with the new regulations.

Should you wish to contact Chelmondiston Parish Council in relation to the new Data Protection Regulations, please contact the Parish Clerk: