Tap a region to visit the official Facebook page.
Effective date: December 2025
This Data Subject Rights, Requests, Objections and Erasure Handling Policy (“Rights Policy”) sets out the comprehensive internal and external framework adopted by Red Rose UK for the receipt, verification, assessment, response, documentation, restriction, refusal, and ongoing governance of requests made by individuals (“data subjects”) under Chapter III of the United Kingdom General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
This Policy is designed to demonstrate compliance with Articles 5, 6, 9, 10, and 12–23 UK GDPR, including the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability. It further provides a structured, auditable decision-making framework capable of withstanding regulatory, judicial, and public scrutiny.
Red Rose UK operates a safeguarding-focused platform which processes personal data relating to serious criminal offending, patterns of harm, and public protection concerns. As such, this Policy explicitly recognises the heightened risks associated with the processing of criminal offence data under Article 10 UK GDPR and, where applicable, special category and biometric data under Article 9 UK GDPR. Requests are therefore assessed with particular regard to safeguarding necessity, substantial public interest, and the rights and freedoms of others.
This Policy applies to:
Nothing in this Policy creates an automatic entitlement to erasure, restriction, or cessation of processing. Each request is assessed on its individual merits, taking into account statutory exemptions, lawful bases for processing, competing rights, and proportionality.
Where ambiguity arises, interpretation shall favour the construction most consistent with UK GDPR principles, subject to lawful restrictions, exemptions, and safeguarding necessity.
Red Rose UK acts as a data controller in respect of the processing activities covered by this Policy.
All rights requests must be submitted by email to:
Red Rose UK operates a written-correspondence-only model for rights requests to ensure auditability, evidential integrity, consistent verification, and secure record-keeping.
The Data Protection Officer (DPO) is Oliver Fulleylove, Founder & Data Protection Officer, who has responsibility for oversight of this Policy, complex decision-making, escalation handling, and regulatory engagement.
Red Rose UK processes personal data primarily on the basis of:
Processing is not generally based on consent. Accordingly, withdrawal of consent is not typically applicable, and rights are assessed within the legitimate-interest and public-interest balancing framework required by law.
The existence of a right does not guarantee a particular outcome. Each right is subject to lawful limitations, exemptions, and competing considerations.
A communication will be treated as a rights request where it seeks confirmation, access, correction, removal, restriction, objection, or explanation relating to personal data processing. Requests need not cite legislation or use legal terminology.
All requests are logged in Red Rose UK’s rights register, which records:
Receipt is acknowledged promptly. The acknowledgement explains verification requirements, statutory timescales, scope clarification (if required), and the possibility of extensions.
Red Rose UK distinguishes between forceful legal assertions and abusive conduct. Threatening, harassing, or intimidatory language does not invalidate a request but may affect how communications are managed. Repetitive or bad-faith requests may be treated as manifestly unfounded or excessive.
Identity verification is mandatory before disclosure or substantive action. This protects data subjects, third parties, and the integrity of safeguarding systems.
Verification materials are processed solely for verification, minimised, and retained only as necessary to evidence compliance.
Requests via representatives require proof of authority. Where identity cannot be verified, processing is paused and no disclosure occurs.
Responses are provided within one calendar month of receipt of a valid, verified request.
Where verification or clarification is outstanding, the response clock is paused. Extensions of up to two additional months may be applied for complex or multiple requests, with reasons communicated to the requester.
Urgent safeguarding concerns may be prioritised internally without bypassing lawful assessment standards.
Transparency information is provided via published policies. Where data is obtained indirectly from public sources, individual notification may be dispensed with where disproportionate or prejudicial to safeguarding objectives.
DSARs may cover confirmation, copies of personal data, and supplementary information. Searches are proportionate and may include profile data, account data, submission history, and moderation records.
Information may be redacted or withheld where disclosure would adversely affect the rights and freedoms of others, reveal safeguarding mechanisms, or expose reporter identities.
Responses are provided electronically unless otherwise required.
Rectification requires credible evidence of inaccuracy. Disagreement with lawful publication does not constitute inaccuracy.
Where justified, updates are made, logged, and contextualised.
The right to erasure is not absolute. Requests are assessed against Article 17 UK GDPR and relevant exemptions.
Erasure may be granted where data is wholly inaccurate, relates to the wrong individual, or is no longer necessary and cannot be proportionately mitigated.
Erasure may be refused where processing is necessary for freedom of expression, safeguarding, substantial public interest, legal claims, or historical accuracy.
Spent convictions do not automatically justify erasure, particularly where safeguarding relevance persists.
Alternative outcomes include rectification, restriction, contextual updates, or targeted removal of unverified user-submitted elements.
The right to restrict processing under Article 18 UK GDPR allows a data subject, in defined circumstances, to require that personal data continues to be stored but is not otherwise actively processed. Restriction is a distinct measure from erasure and is used as an interim or mitigating control where outright removal would be premature, unlawful, or disproportionate.
Red Rose UK treats restriction as an important procedural safeguard, particularly in circumstances where the accuracy of data is contested or where complex safeguarding considerations are still under active assessment.
Restriction may be applied where one or more of the following conditions are met:
Where restriction is applied, Red Rose UK may:
Restriction does not imply acceptance that the data is inaccurate or unlawfully processed. It is a neutral procedural measure pending resolution.
Restriction will be lifted where the underlying issue is resolved. The data subject will be informed before restriction is removed, unless doing so would undermine safeguarding or legal objectives.
Where Red Rose UK processes personal data on the basis of Article 6(1)(f) UK GDPR (legitimate interests), data subjects have the right to object to such processing. Objections are assessed on a case-by-case basis and are not automatically upheld.
Objections commonly rely on assertions of:
In assessing objections, Red Rose UK conducts a structured balancing test which considers:
Where compelling legitimate grounds for continued processing exist, the objection may be refused in accordance with Article 21(1) UK GDPR.
Red Rose UK recognises that processing criminal offence data may cause distress. However, subjective discomfort alone does not override lawful safeguarding processing. The assessment focuses on objective harm and proportionality, not mere disagreement with publication.
Possible outcomes include:
The right to data portability applies only where processing is based on consent or contract and carried out by automated means. Red Rose UK’s core safeguarding and publication activities are not based on consent or contract and therefore generally fall outside the scope of Article 20.
Where portability does apply (for example, in relation to limited account-related data), Red Rose UK will provide the data in a structured, commonly used, and machine-readable format where technically feasible.
Portability does not apply to inferred data, safeguarding assessments, moderation decisions, or data relating to third parties.
Red Rose UK does not carry out decision-making that produces legal effects or similarly significant effects solely by automated means within the meaning of Article 22 UK GDPR.
Where algorithmic or AI-assisted tools are used (including facial comparison, pattern recognition, or risk indicators), these tools:
Accordingly, Article 22 rights are not generally engaged. Nevertheless, Red Rose UK remains committed to transparency and proportionality in the use of such tools.
Red Rose UK permits registered users to submit supplementary information, including telephone numbers, social media identifiers, images, and full addresses. Such content may not be capable of immediate verification and is not automatically treated as verified platform data.
Given the volume of submissions and decentralised nature of reporting, Red Rose UK applies a risk-based moderation model. Priority is given to content that:
Where a data subject credibly disputes user-generated elements, Red Rose UK may remove, restrict, or annotate those specific elements without removing verified safeguarding data. This ensures proportionality while reducing unnecessary risk.
All rights requests are assessed using a structured internal framework designed to ensure consistency, accountability, and defensibility.
Where continued processing is necessary to protect the public, prevent harm, or support safeguarding objectives, these considerations may override individual objections or erasure requests, provided processing remains lawful, proportionate, and documented.
Safeguarding necessity is assessed objectively and is not displaced by reputational inconvenience or discomfort.
Red Rose UK maintains comprehensive records of rights requests, decisions, and outcomes to evidence compliance and accountability.
Where a dispute, complaint, regulatory inquiry, or legal claim is anticipated or ongoing, Red Rose UK may retain relevant data notwithstanding a rights request. This is necessary for the establishment, exercise, or defence of legal claims and is expressly permitted under UK GDPR.
Red Rose UK may refuse to act on a request, or charge a reasonable fee, where it is manifestly unfounded or excessive, including where requests are repetitive and do not raise new substantive issues.
In determining whether a request is manifestly unfounded or excessive, Red Rose UK considers:
Any refusal or fee decision is documented and communicated with reasons and ICO complaint rights.
Data subjects may lodge complaints with the Information Commissioner’s Office. Red Rose UK encourages individuals to engage directly first to allow resolution without regulatory escalation.
Red Rose UK cooperates fully with the ICO under Article 31 UK GDPR and maintains documentation sufficient to demonstrate compliance, proportionality, and good faith decision-making.
This Policy is reviewed periodically to reflect:
Where risks are identified, Red Rose UK may implement enhanced controls, additional mitigations, or revised procedures to ensure ongoing compliance and safeguarding effectiveness.