Data Protection and The General Data Protection Regulation (GDPR)
The National Assembly for Wales Commission ('the Assembly') is the data controller for all personal data that it holds. This includes the UK Data Protection Act 2018 ('DPA 18') and the General Data Protection Regulation ('GDPR').
What rights do individuals have under GDPR?
GDPR strengthens some of the rights already afforded to individuals under the previous law, and also introduces some new rights. These rights are listed below, although they do not apply in all cases. The rights are dependent on which 'legal basis' is being relied upon for our use of that information. Individual privacy notices will provide further details in relation to which of the rights apply.
The different rights available to you include:
The right of access: Also known as 'subject access.' You have the right to request a copy of the personal information about you that we hold, subject to some exemptions.
The right to rectification: We want to make sure that your personal information is accurate, complete and up to date and you may ask us to correct any personal information about you that you believe does not meet these standards.
The right to erasure: This is not a blanket right, and only applies in certain circumstances.
The right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. This is not an absolute right and only applies in certain circumstances;
The right to data portability: The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format;
The right to object: GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing; and,
Rights in relation to automated decision making and profiling: The time limit for compliance with each of the following rights is within one month of receipt of the request. However, that period may be extended by two further months depending on the complexity and number of requests. You will be informed of any such extension within one month, outlining the reasons for delay
Further details about the rights available to you is available from the ICO's website.
How to engage your rights
You can ask the Assembly to engage any of these rights in the following ways:
Data Protection Officer
The National Assembly for Wales
When making a request remember to include contact details (name and address for correspondence) so we can send the information to you. Please add as much detail to the request as possible so we can see exactly what information you want. We will use your personal data to respond to your request and locate the information you asked for. If we need further details we will contact you – and we may ask you to confirm you identity, so that we can be sure that personal data is being shared with the appropriate individual.
If you think that we have misunderstood what you want or have missed something out, please contact the official who dealt with your request and discuss it with them. Most mistakes and misunderstandings are easily cleared up.
If you believe that we have not applied the Code of Practice on Public Access to Information correctly, or not followed the relevant laws, you may request a first stage internal review by the official who dealt with your request. If, after that, you are still not satisfied you may request a second formal review. When dealing with any concerns, we will follow the Assembly Commission Code of Practice on Complaints (which is also available by post).
You also have the right to complain to the Information Commissioner. Normally, however, you should pursue the matter through our internal procedure before you complain to the Information Commissioner. The Information Commissioner can be contacted at:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745
Fax: (01625) 524 510
A full overview of the GDPR is also available on the Information Commissioner's Office website.