
Your rights under GDPR


Morrisons Supermarkets are breathing a sigh of relief since the Supreme Court ruled that they are not vicariously liable for a deliberate data breach by a disgruntled ex-employee which exposed personal data of almost 100,000 of its employees. Vicarious liability is when an employer is held responsible for something done by an employee in the course of their employment. In WM Morrison Supermarkets plc v Various Claimants [2020] the Supreme Court considered the circumstances in which an employer is vicariously liable for the conduct of its employees and whether the Data Protection Act 1998 (DPA 1998) excluded vicarious liability for such claims…

What is GDPR?

Your employer keeps private information about you. Your home address, family and health details are just the tip of the iceberg. The EU General Data Protection Regulation (GDPR) supersedes the Data Protection Act 1998. GDPR is supplemented by the Data Protection Act 2018 (DPA 2018). Both provide you with rights to the protection of your personal data that can be enforced against your employer. As an employee you are a “data subject”. Personal information about you is called “personal data” and your employer is a “data controller”.

DPA 2018 applies to certain types of processing of personal data to which the GDPR does not apply. It therefore supplements, and must be read with, GDPR.

Personal Data

Personal data is any information relating to an identified or identifiable living individual (Article 4(1) GDPR, section 3 DPA 2018). Processing is an operation or set of operations which is performed on information, or on sets of information, such as:

(a) collection, recording, organisation, structuring or storage,

(b) adaptation or alteration,

(c) retrieval, consultation or use,

(d) disclosure by transmission, dissemination or otherwise making available,

(e) alignment or combination, or

(f) restriction, erasure or destruction (Section 3 DPA 2018)


GDPR gives you the right to:

Information held about you (Recitals 58-62 & Articles 12-14)

Access your own personal data (Recital 63, Articles 12 & 15)

Correct your personal data (Article 16)

Be forgotten (Recitals 65 & 66, Article 17)

Restrict processing of your personal data (Article 18)

Object to processing of your personal data (Recitals 69 & 70, Article 21)

Transfer your personal data to another data controller (Recital 68, Article 20)

Not be subjected to automated decision-making (Recital 71, Article 22)

Be informed about a data security breach (Recital 86, Article 34)

How long should information be kept for?

Article 5(1)(e) GDPR provides that personal data which is kept in a form which permits identification of data subjects must be kept for no longer than is necessary for the purposes for which the data is processed. The exceptions to this principle allow personal data to be stored for longer periods where it is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (and then only if there are appropriate technical and organisational measures to safeguard the rights and freedoms of data subjects).

Updated: 07/04/2020


The information and content on this website is provided for general information purposes only and is not intended to constitute legal or other professional advice. Legal information or content on this website relates only to the laws of England and Wales. You should not take any actions based on information found on this website without first seeking appropriate legal advice with respect to your specific matter. No representations or warranties are made about the suitability, currentness, comprehensiveness and/or accuracy of the information and other content contained on this website. It should be noted that legal information and content can rapidly become out of date and we give no undertaking to keep this website up to date. All liability for any loss or damage of any kind which may be suffered as a result of accessing and using the information and/or content of this website is hereby excluded to the full extent permitted by law.