GDPR Data Subject Rights Request (Previous ECU Employees, Students, Research Study Participants, and Others)

What is a Subject Rights Request?

Under the EU General Data Protection Regulation (GDPR), individuals can make requests to organizations to exercise various rights around the use and collection of personal data as listed below.

Definition of Personal Data Under GDPR

Personal data means data which relate to a living individual who can be identified –

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Subject Rights Request Types

  1. Right of Access – you shall have the right to obtain from ECU confirmation as to if personal data concerning him or her is being processed
  2. Right to Rectification - you shall have the right to obtain from ECU without undue delay the rectification of inaccurate personal data concerning him or her
  3. Right to Erasure - you shall have the right to obtain from ECU the erasure of personal data concerning him or her without undue delay and ECU shall have the obligation to erase personal data without undue delay
  4. Right to Restrict Processing - you shall have the right to request ECU restrict or suppress the processing of him or her personal data
  5. Right to Be Informed - you shall have the right to be informed about the collection and use of your personal data
  6. Right to Data Portability - you shall have the right to receive the personal data concerning him or her, which he or she has provided to ECU a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from ECU to which the personal data has been provided
  7. Right to Object - you shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her

Data Protection Officer (DPO) is also available at (252) 328-9225 to answer questions about the University's obligations under the EU General Data Protection Regulation (GDPR).

How can I get the most out of my subject rights request?

When submitting a Subject Rights Request, you are advised to make your request for information as specific as possible to include, details of dates, type of information (e.g. memos, letters, reports, emails etc.), department and the names of authors and recipients, where appropriate. If you know which departments in the University hold information on you, please state this on your request. If you are requesting correspondence, it will help greatly if you can let us know who the correspondence will be from and during which time period.

Under the Data Protection Act 1998, if the request is not clear, the University reserves the right to seek additional information from the data subject before processing the request. The statutory period for requests to be fulfilled is 30 calendar days, but you will be advised of the reasons why it may be necessary to extend this period, e.g. if the original request is not clear and further clarification is required.

What are the time-frames for my subject rights request?

Subject rights requests will be handled within one calendar month of receipt of your request and payment. Requests under article 12 will be handled urgently and dealt with as soon as possible.

How will I receive my information?

We will normally provide you with a hard copy of the information you have requested. Once we have prepared a file for you, we will ask if you would prefer us to send this to you via U.S. mail, or if you would like to collect it from our office. We prefer if you can collect information from our offices as this is more secure and minimizes the risk that information may be lost or delayed.

What should I do if I am unhappy with the response I receive?

If you have concerns about the response you have received, or are unhappy with the response, you should contact the Data Protection Officer, via dpo@ecu.edu. If you have reason to believe that there are specific documents missing from your disclosure, it will help us investigate if you can list them or provide us with more information about the location of those documents.

Please note that some historic data may no longer be held due to our normal data retention policies. We will have only searched for information held in structured file systems - if the information required is found in an unstructured or partly structured system you will need to give us additional information in order that we can carry out a thorough search.

If you are submitting a subject access request relating to an ongoing appeals process, or another kind of ongoing review, some of this data may be considered exempt from disclosure under the EU General Data Protection Regulation (GDPR). If this is data that you have directly requested, we will ordinarily inform you that we have considered that document exempt from disclosure. We will normally be able to disclose these documents once the appeals process is over.

If you are still unhappy with the response you have received, you may go through the university complaints procedure.

REMINDER: This request only applies to data captured or processed while a subject is physically in the EEA.