Overview

This procedure has been developed to enable effective responses to requests to realise the ‘right to portability’. This refers to the transfer of personal data we hold to other organisations, or us receiving personal data, both at the request of the Data Subject.

Individuals have the right to ask for:

  • A copy of the personal data they have provided to us previously

  • Us to transmit the data to another Data Controller

Where SharpStream are Transferring Data

  • Individuals will raise requests for portability with the Data Protection Representative;

  • The DPR will log the request, and assess whether further identification is required (e.g. driver’s license) and will assess the level of risk to privacy posed by meeting the request;

  • If the request is to be met, the specific personal data requested is identified by the DPR, extracted and sent to the relevant organisation via password protected email – personal data will be provided in a structured, commonly used, electronic file format (e.g. CSV file). This is logged for audit trail purposes;

  • The DPR will notify the requester of the data transfer via email, along with a password protected copy of the data provided. This is logged for audit trail purposes;

  • If the request is not to be met (e.g. identification is not sufficient or the risk is deemed too high), the DPR will email the requestor explaining why this is the case and highlighting their right to complain to the ICO/supervisory authority – this will be logged;

  • All requests will be completed within one month of receipt, however where there are particular complexities this can be extended to three months. The DPR will inform the data subject of the reasons for the delay within one month of the original request;

Where SharpStream are Receiving Personal Data

  • We receive the data along with the stated purpose from a third party;

  • The DPR will log receipt of the data;

  • The DPO will assess the data and make sure:

    • It is what is needed to carry out requested processing activity; and

    • It does not represent undue risk to the Data Subject.

  • Where 3a and b are satisfied, the DPO/relevant data contact will contact the Data Subject and confirm receipt of their personal data, along with details of:

    • The specific purpose for processing it;

    • Where it will be held, any sharing with third parties;

    • Who will be responsible for the data; and 

    • How long it will be held.

  • Where 3a and b are not met, reject the data and contact the Data Subject to explain why.