The following data subject rights are found in the EU and UK GDPR. However, the privacy laws of other jurisdictions may provide different rights for individuals. Navitas will ensure individuals’ rights under the applicable privacy legislation are actioned accordingly in addition to the rights under this policy. These obligations are documented in divisional data subject rights procedures.

5.1 Right to be Informed

Individuals have the right to be informed about the collection and use of their personal data. Unlike other rights this does not need to be requested by the individual but instead requires an organisation to make a privacy notice available to the data subjects at the point of collecting their data. It explains why the personal data is being collected, and how it will be processed.

If a Navitas business is planning to collect and use new personal data, they must contact their Divisional Privacy Manager. The planned processing will be recorded on the Navitas RoPA, and from this information a privacy notice will be drafted. Advice on how that privacy notice is provided to the data subjects will also come from the Divisional Privacy Manager.

There are two types of privacy notices:

1. Privacy notice provided to data subject at the point information is collected directly from them. (Article 13 privacy notice under the GDPR)

2. Privacy notice provided to the data subject when the information is collected from a source other than them. (Article 14 privacy notice under the GDPR)

A significant amount of information is required to be provided in a privacy notice, and it must be in clear, plain language, so that it is easy to understand. Full details of how to fulfil the requirement of the right to be informed will be set out in a Data Subject Rights Procedure, along with a link to the privacy notice templates.

5.2 Data Subject Rights Requirements

The following requirements are legal obligations and will be covered in more detail in the Data Subject Rights Procedure. These will be adhered to with any request received.

Any other global privacy laws which require different action to the below will also be documented in the Data Subject Rights Procedures.

• Before responding to any data subject right request, the identity of the individual making the request must be confirmed.

• Where there is a need to identify the individual, a form of ID will be requested

• All communication with individuals will be concise, transparent, intelligible, using clear and plain language. This is especially important if that communication is with someone under the age of 18.

• There is no charge for a data subject rights request.

• Requests must be responded to within 1 calendar month, after identity of the individual has been confirmed.

Navitas will accept any request made by an individual, be it verbal, in writing, or via social media.

Where a request is made verbally or by social media, the privacy team will contact the individual and enquire about the best way to liaise to fulfil the request. Whilst verbal and social media requests are valid requests, any response will need to be made in writing, and to a direct email or postal address.

Further information on requirements and process to be found in the Divisional Data Subject Rights Procedures and Data Subject Rights Training.

All requests are to be managed by the Divisional Privacy Managers only. All requests are to be sent to the Privacy Team, immediately upon receipt, at privacy@navitas.com

5.3 Right of Access (commonly known as a “SAR”)

Individuals have the right to access the personal data that Navitas collects and processes about them. This means they have the right to ask us for confirmation of the personal data Navitas uses and to request a copy of that personal data. Navitas will also provide the following information along with that copy, as required by the GDPR.

• the purposes of the processing - why was it collected and how it is used

• the categories of personal data collected and used

• who it is shared with, internally and externally. This can be provided in categories of companies, rather than a list of company names. Specific details provided where those companies are in third countries or international organisations

• the retention period for which the personal data will be stored

• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing

• the right to lodge a complaint with a supervisory authority

• the source of the personal data, especially if not collected directly from the individual.

• the existence of automated decision-making, including profiling, the logic involved, as well as the significance and the envisaged consequences of such processing

• where personal data are transferred to a third country or to an international organisation, the individual will be told of the appropriate safeguards for the transfer.

5.4 Right to Rectification

Individuals have the right to request that Navitas corrects inaccurate personal data about them, or complete personal data that is incomplete. This right ensures that personal data is kept accurate and up-to-date. It also ensures that any decisions that Navitas might make about an individual, especially where it has an impact on them, is done with accurate and complete personal data.

5.5 Right to Erasure

Individuals have a right to request that Navitas deletes their personal data. However, this is a right to request erasure, not a guarantee that Navitas will be able to fulfil that request. The decision to delete personal data upon the request of individual is dependent on the following.

• The data is no longer necessary for the purpose it was collected

• The individual withdraws consent, or there are no lawful grounds for processing

• The individual objects and there are no overriding legitimate reasons for processing

• The personal data has been unlawfully processed

• The data may be erased and is not required to be retained under law

• The data has been collected in relation to the offer of information society services.

5.6 Right to Restriction of Processing

Individuals have the right to ask Navitas to restrict processing of their personal data under the following circumstances.

• The accuracy of the personal data is queried by the individual

• The processing is unlawful and the individual opposes the erasure of the personal data and requests restriction instead

• Navitas no longer needs the personal data but the individual requests it is kept but restricted or for the exercise or defence of a legal claim

• The individual has objected to us processing their personal data and whilst that is being looked into can request the restriction of processing

5.7 Right to Data Portability

This is a right to request personal data be electronically transferred to the individual, or somewhere else of their choice, electronically. It is dependent on the following.

• The processing is based on consent or contract as the lawful basis

• The processing is carried out by automated means (electronic)

• It is information that has been provided to Navitas by the individual

5.8 Right to Object

Individuals have the right to object to processing that is carried out using their personal data.

Unless Navitas can demonstrate a compelling reason to continue using the personal data, the use of the personal data must stop.

If the personal data is being used for direct marketing under legitimate interests, the right is absolute.

5.9 Automated Decision Making, including Profiling

Automated decision-making is the process of making a decision about individuals by automated (electronic) means without any human involvement.

Individuals have a right not to be subject to such decisions, and request a human intervention is involved in those decisions.

5.10 Exemptions

In some limited circumstances there are legal exemptions to data subject rights requests. It is the responsibility of the Divisional Privacy Managers to see if an exemption needs to be applied. This process is documented, in more detail, in the Data Subject Rights Procedures.

5.11 Reviews & complaints

If an individual is unhappy about Navitas’ response to their request, they are entitled to complain and ask for a review. Divisional Privacy Managers are responsible for logging the review/complaint and passing it onto the Global Privacy Team to investigate.

Reviews, like the requests themselves, are to be logged in ProvePrivacy, and a full account of the response kept on file. Should the requester be unhappy with the outcome of the review, they will be informed by the Navitas Privacy Team and this policy that they can escalate the matter to the relevant Data Protection Regulator with a complaint.

Global GDPR & Privacy Policy