The General Data Protection Regulation (GDPR) gives individuals a range of rights in relation to personal data. This guide aims to explain those rights to you and let you know how you can make use of them if North East Scotland College processes your personal data.

Your personal data

This is any information about you that means you can be identified. As a college we gather lots of personal data — about students, staff and members of the public — so we can deliver our services.

When we use (process) personal data we will make sure abide by the GDPR principles (Article 5), which mean we must:

One of the main aims of GDPR is to empower individuals by giving more control over their personal data and to help you understand if we are meeting the principles of the data protection legislation. To do this, GDPR gives you the following rights:

Right to be informed

You have the right to know how the college is processing your personal data, including:

We publish this information in our privacy notices, which we make available at the time of collecting information from you. They are also in the Data Protection section of our website.

Right of access

You have the right to ask for a copy of the personal data we hold about you, along with information on why and how it is processed. This will help you understand what data is being used for and to verify the lawfulness of that use.

This is generally known as making a ‘subject access request’. A subject access request is free of charge, unless it is excessive or repetitive. If this is the case, we may charge a reasonable fee to cover the costs of providing the information.

We will require verification of your identity before responding to the request, to make sure we have the right person and the right information.

We will provide you with the information you have requested within 1 month, although if the request is complex we may extend the deadline by a further 2 months. If this is the case we will discuss it with you.

There are some exemptions which may apply and might mean not all of the information you request will be available, for example if providing the information would also disclose the personal data of another person. In such circumstances we will redact (withhold) some or all of the information. We will explain our reasons for doing this when we provide the response.

Help and advice on making a subject access request will be available in our Guide to Making a Subject Access Request (coming soon).

Right to rectification

You have the right to have your personal data rectified if it is inaccurate or incomplete.

If we are unable to correct your data and have a legitimate reason for this, we will keep your statement requesting rectification on your record(s). We will also explain our reasons for this to you.

If we have passed your personal data on to any other organisations (in accordance with lawful processing and as described in our privacy notices) we will ask them to update the personal data they hold.

If the personal data held by us is correct we will not make any changes and will advise you of this.

Right to erasure (the right to be forgotten)

You have the right to ask us to delete or remove personal data we process when there is no compelling reason for us to process it. For example:

This is not an absolute right, which means we can refuse a request for erasure if the processing of personal data is:

When this right is exercised we will stop any further processing, delete all your personal data and advise any other organisations we may have passed your data to (in accordance with lawful processing and as described in our privacy notices) to do the same.

Right to restrict processing

You have the right to ask us to stop processing your personal data if:

We will retain enough personal data to meet the needs for keeping it and will make sure it is not processed for any of the purposes for which you have asked us to stop.

Right to portability

You have the right to ask for a digital copy of personal data held about you. This allows you to move, copy or transfer your data from one IT system to another in a safe and secure manner.

This right only applies to personal data:

We will provide the information requested in a machine-readable format so that it can be reused by any other organisation you choose to pass it to.

Right to object

You have the right to object to our processing of your personal information when the college is processing your personal data:

We will stop processing your personal data unless there is a compelling reason that is greater than your individual rights.

Rights relating to automated decision making and profiling

Automated decision making is where a decision is made solely by automated means, without any human intervention e.g. by a computer algorithm. Profiling is the automated process of using personal data to evaluate certain things about an individual.

You have the right to:

NESCol does not currently use any automated processes or profiling activities without human intervention.

Contact us

If you would like to exercise any of these rights, or ask for more information or explanation, please contact our Data Protection Officer:

Jacqueline Gillanders
North East Scotland College
Aberdeen AB25 1BN


Information Commissioner

You also have the right to complain to the Information Commissioner who is the regulator for data protection in the UK:

Helpline: 0303 123 1113