Your privacy rights
This page was updated on: 21 September 2022
The General Data Protection Regulation (GDPR for short) is one of the biggest changes to data privacy law in recent years. It is designed to put you in control of how your information is collected and used by organisations. We want to help you to understand these rights and exercise them as easily as possible.
The GLA Data Protection Officer
The GLA Data Protection Officer (DPO) is responsible for advising the Authority about the collection, handling and use of personal data, and for informing and advising the GLA about compliance with GDPR and other data protection legislation. The DPO is also responsible for helping promote awareness of data protection issues, training employees, and advising on, and monitoring, data protection impact assessments.
The GLA's Data Protection Officer works for the GLA, London Assembly Members and the Greater London Returning Officer (GLRO). You can contact the Data Protection Officer by email at [email protected] or by writing to:
Data Protection Officer
Information Governance
City Hall
Kamal Chunchie Way
London
E16 1ZE
Your rights
Your Right of Access
You have a right to ask to see any personal information that we hold about you. This is often referred to as making a Subject Access Request.
If you would like to make a subject access request, please contact the GLA DPO using the contact details above.
Where possible, please provide some background information about how you have engaged with the GLA, what personal data you think we might hold about you, or what data you might have an interest in. While this is not a requirement of making a Subject Access Request, it will help us conduct more focused searches and provide a prompt response.
Please note, the GLA does not automatically hold information on behalf of Borough Councils or the GLA Functional Bodies or partners.
We may contact you to ask you to provide a form of identification - for example, a driving licence, utility bill or passport - so that we can be sure we do not provide personal data to the wrong person.
We will aim to provide you with our response within one calendar month following the date of receipt and we will tell you if it is necessary to extend this time period.
Your Right of Rectification
You have the right to ask us to correct anything that you think is wrong with the personal information we hold about you – eg if you think it’s inaccurate or incomplete.
You will need to give us details of what needs updating and why you believe it's not right. We’ll take reasonable steps to check this for you and correct it. If we find that the information should not be changed, we will contact you within one month to explain our decision and provide details about how you can challenge the decision if you are dissatisfied with the outcome.
Your Right to be Informed
There must be a clear reason - a legal basis - for why the GLA needs to collect or use any personal data and what we are going to do with that data. We will usually provide a summary of these reasons at the point at which you provide, or we collect, your data. More detailed explanations will be made available on these privacy pages on the GLA website, or in another appropriate medium depending on the manner in which we collect or process the data.
Your Right to object
The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.
You can exercise this right to object to our use of your personal information when:
- we have told you we use it as part of our statutory and public function (also known as our public task), in the public interest
- we have advised you we are using your personal information in support of our legitimate interests
You can also ask us to stop sending you direct marketing or, in limited circumstances, using your personal information for scientific or historical research and statistics.
We must stop using your personal information for direct marketing when you ask us to.
However, in other cases, this is not an absolute right. The GLA may continue to use your personal information if we can demonstrate compelling grounds to do so, or if it is necessary in connection with legal claims.
We will contact you within one month to explain our decision and provide details about how you can challenge the decision if you are dissatisfied with the outcome.
Your Right to Restrict Processing
GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances.
You can ask us to restrict or stop using your personal data whilst we are considering an objection or rectification request, or if it has been used unlawfully. You may also ask us to retain data required to establish, exercise or defend a legal claim. We will contact you within one month to explain our decision and provide details about how you can challenge the decision if you are dissatisfied with the outcome.
Your Right to Erasure
We take steps to make sure that your information is not kept for longer than necessary, and you can also ask us to delete it if any of the following circumstances apply:
- the information is no longer necessary for the purpose which we originally used it for
- we asked you for permission to use your personal information and you have changed your mind
- we told you we were using your personal information for 'legitimate interests' and there is not a good reason to keep your personal information
- you want us to stop sending you direct marketing information
- you believe we have used your personal information unlawfully
- you believe that we have a legal obligation to stop holding your personal data
- the information relates to use of online services by a child
The right to erasure doesn't apply to all information, such as information that we are legally obliged to hold, information that we need to keep for our official duties or information relating to legal claims.
We may also refuse to delete information if there is no clear reason to do so or if it would be an excessive task. If we have passed the information on to others, we will take steps to tell them it has been deleted.
Requests for deletion will normally be answered within one month. If we do not agree that we should delete your information we will explain our decision and provide details about how you can challenge the decision if you are dissatisfied with the outcome.
Please note that in cases where we do comply with a request, we may still be obliged to keep some information about you - for example the fact that you made, and we acted on, a deletion request. We may also have to keep your contact details on a 'suppression list' to ensure that we don't send you direct marketing messages by mistake in future.
Your Right to Data Portability
You also have the right to get certain personal information from us as a digital file, so you can keep and use it yourself, and give it to other organisations if you choose to. If you wish, we will provide it to you in an electronic format that can be easily re-used, or you can ask us to pass it on to other organisations for you.
The right to data portability only applies when:
- we are processing this information on the basis of your consent or for the performance of a contract
- we are processing the data by automated means (eg excluding paper files)
Requests will normally be answered within one month, and we will tell you if it is necessary to extend this time period for any reason.
Rights related to automated decision making including profiling
Data protection legislation protects you against decisions taken by machines that could have a significant impact on you. Automated decision making involves making a decision only by automated means without any human involvement. Profiling is a term used in data protection legislation to describe a form of automated processing of personal data to analyse or predict things about an individual. If the automated decision making (including profiling) would have a legal, or similarly significant, effect on you, it can only be carried out if it is:
- necessary for entering into or performance of a contract between an organisation and yourself
- authorised by law (for example, for the purposes of preventing fraud or tax evasion)
- based on your explicit consent
We are required to tell you if we are using automated decision making to make decisions that would have a legal, or similarly significant effect on you. We will explain what information we use, why we use it and what the effects might be. You can ask us to reconsider the decision with human involvement.
How to exercise your rights under data protection legislation
You should email [email protected] if you have a concern about the accuracy of personal information we hold about you, if you want us to erase or restrict use of your personal information, if you object to use of your personal data or if you wish to exercise rights in relation to automated decision making.
Your Right of Complaint
Please contact [email protected] if you are unhappy with how we have used your personal information.
You are also entitled to raise a concern with the Information Commissioner's Office (ICO), the UK's independent body set up to uphold information rights.