Red Rose UK - Sex Offenders Database & UK Offender Search

Data Subject Rights, Requests, Objections and Erasure Handling Policy

Effective date: December 2025

This Data Subject Rights, Requests, Objections and Erasure Handling Policy (“Rights Policy”) sets out the comprehensive internal and external framework adopted by Red Rose UK for the receipt, verification, assessment, response, documentation, restriction, refusal, and ongoing governance of requests made by individuals (“data subjects”) under Chapter III of the United Kingdom General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

This Policy is designed to demonstrate compliance with Articles 5, 6, 9, 10, and 12–23 UK GDPR, including the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability. It further provides a structured, auditable decision-making framework capable of withstanding regulatory, judicial, and public scrutiny.

Red Rose UK operates a safeguarding-focused platform which processes personal data relating to serious criminal offending, patterns of harm, and public protection concerns. As such, this Policy explicitly recognises the heightened risks associated with the processing of criminal offence data under Article 10 UK GDPR and, where applicable, special category and biometric data under Article 9 UK GDPR. Requests are therefore assessed with particular regard to safeguarding necessity, substantial public interest, and the rights and freedoms of others.

This Policy applies to:

Nothing in this Policy creates an automatic entitlement to erasure, restriction, or cessation of processing. Each request is assessed on its individual merits, taking into account statutory exemptions, lawful bases for processing, competing rights, and proportionality.


1. Definitions and Interpretation

Where ambiguity arises, interpretation shall favour the construction most consistent with UK GDPR principles, subject to lawful restrictions, exemptions, and safeguarding necessity.


2. Controller Details and Contact Point

Red Rose UK acts as a data controller in respect of the processing activities covered by this Policy.

All rights requests must be submitted by email to:

[email protected]

Red Rose UK operates a written-correspondence-only model for rights requests to ensure auditability, evidential integrity, consistent verification, and secure record-keeping.

The Data Protection Officer (DPO) is Oliver Fulleylove, Founder & Data Protection Officer, who has responsibility for oversight of this Policy, complex decision-making, escalation handling, and regulatory engagement.


2A. Lawful Bases and Rights Interaction

Red Rose UK processes personal data primarily on the basis of:

Processing is not generally based on consent. Accordingly, withdrawal of consent is not typically applicable, and rights are assessed within the legitimate-interest and public-interest balancing framework required by law.


3. Rights Covered by this Policy

The existence of a right does not guarantee a particular outcome. Each right is subject to lawful limitations, exemptions, and competing considerations.


4. Intake, Logging, and Acknowledgement

4.1 Valid request threshold

A communication will be treated as a rights request where it seeks confirmation, access, correction, removal, restriction, objection, or explanation relating to personal data processing. Requests need not cite legislation or use legal terminology.

4.2 Logging and case creation

All requests are logged in Red Rose UK’s rights register, which records:

4.3 Acknowledgement

Receipt is acknowledged promptly. The acknowledgement explains verification requirements, statutory timescales, scope clarification (if required), and the possibility of extensions.

4.4 Abusive, hostile, or vexatious communications

Red Rose UK distinguishes between forceful legal assertions and abusive conduct. Threatening, harassing, or intimidatory language does not invalidate a request but may affect how communications are managed. Repetitive or bad-faith requests may be treated as manifestly unfounded or excessive.


5. Identity Verification and Authority

Identity verification is mandatory before disclosure or substantive action. This protects data subjects, third parties, and the integrity of safeguarding systems.

Verification materials are processed solely for verification, minimised, and retained only as necessary to evidence compliance.

Requests via representatives require proof of authority. Where identity cannot be verified, processing is paused and no disclosure occurs.


6. Time Limits, Extensions, and Pausing

Responses are provided within one calendar month of receipt of a valid, verified request.

Where verification or clarification is outstanding, the response clock is paused. Extensions of up to two additional months may be applied for complex or multiple requests, with reasons communicated to the requester.

Urgent safeguarding concerns may be prioritised internally without bypassing lawful assessment standards.


7. Right to be Informed

Transparency information is provided via published policies. Where data is obtained indirectly from public sources, individual notification may be dispensed with where disproportionate or prejudicial to safeguarding objectives.


8. Right of Access (DSAR)

DSARs may cover confirmation, copies of personal data, and supplementary information. Searches are proportionate and may include profile data, account data, submission history, and moderation records.

Information may be redacted or withheld where disclosure would adversely affect the rights and freedoms of others, reveal safeguarding mechanisms, or expose reporter identities.

Responses are provided electronically unless otherwise required.


9. Right to Rectification

Rectification requires credible evidence of inaccuracy. Disagreement with lawful publication does not constitute inaccuracy.

Where justified, updates are made, logged, and contextualised.


10. Right to Erasure

The right to erasure is not absolute. Requests are assessed against Article 17 UK GDPR and relevant exemptions.

Erasure may be granted where data is wholly inaccurate, relates to the wrong individual, or is no longer necessary and cannot be proportionately mitigated.

Erasure may be refused where processing is necessary for freedom of expression, safeguarding, substantial public interest, legal claims, or historical accuracy.

Spent convictions do not automatically justify erasure, particularly where safeguarding relevance persists.

Alternative outcomes include rectification, restriction, contextual updates, or targeted removal of unverified user-submitted elements.



11. Right to Restrict Processing – Article 18 UK GDPR

The right to restrict processing under Article 18 UK GDPR allows a data subject, in defined circumstances, to require that personal data continues to be stored but is not otherwise actively processed. Restriction is a distinct measure from erasure and is used as an interim or mitigating control where outright removal would be premature, unlawful, or disproportionate.

Red Rose UK treats restriction as an important procedural safeguard, particularly in circumstances where the accuracy of data is contested or where complex safeguarding considerations are still under active assessment.

11.1 Circumstances in which restriction may apply

Restriction may be applied where one or more of the following conditions are met:

11.2 Operational effect of restriction

Where restriction is applied, Red Rose UK may:

Restriction does not imply acceptance that the data is inaccurate or unlawfully processed. It is a neutral procedural measure pending resolution.

11.3 Lifting of restriction

Restriction will be lifted where the underlying issue is resolved. The data subject will be informed before restriction is removed, unless doing so would undermine safeguarding or legal objectives.


12. Right to Object – Article 21 UK GDPR

Where Red Rose UK processes personal data on the basis of Article 6(1)(f) UK GDPR (legitimate interests), data subjects have the right to object to such processing. Objections are assessed on a case-by-case basis and are not automatically upheld.

12.1 Nature of objections received

Objections commonly rely on assertions of:

12.2 Balancing test

In assessing objections, Red Rose UK conducts a structured balancing test which considers:

Where compelling legitimate grounds for continued processing exist, the objection may be refused in accordance with Article 21(1) UK GDPR.

12.3 Distress-based objections

Red Rose UK recognises that processing criminal offence data may cause distress. However, subjective discomfort alone does not override lawful safeguarding processing. The assessment focuses on objective harm and proportionality, not mere disagreement with publication.

12.4 Outcomes

Possible outcomes include:


13. Right to Data Portability – Article 20 UK GDPR

The right to data portability applies only where processing is based on consent or contract and carried out by automated means. Red Rose UK’s core safeguarding and publication activities are not based on consent or contract and therefore generally fall outside the scope of Article 20.

Where portability does apply (for example, in relation to limited account-related data), Red Rose UK will provide the data in a structured, commonly used, and machine-readable format where technically feasible.

Portability does not apply to inferred data, safeguarding assessments, moderation decisions, or data relating to third parties.


14. Automated Decision-Making and Profiling – Article 22 UK GDPR

Red Rose UK does not carry out decision-making that produces legal effects or similarly significant effects solely by automated means within the meaning of Article 22 UK GDPR.

Where algorithmic or AI-assisted tools are used (including facial comparison, pattern recognition, or risk indicators), these tools:

Accordingly, Article 22 rights are not generally engaged. Nevertheless, Red Rose UK remains committed to transparency and proportionality in the use of such tools.


15. User-Generated Content and High-Risk Data Fields

15.1 Nature of user-generated submissions

Red Rose UK permits registered users to submit supplementary information, including telephone numbers, social media identifiers, images, and full addresses. Such content may not be capable of immediate verification and is not automatically treated as verified platform data.

15.2 Risk-based moderation approach

Given the volume of submissions and decentralised nature of reporting, Red Rose UK applies a risk-based moderation model. Priority is given to content that:

15.3 Targeted mitigation

Where a data subject credibly disputes user-generated elements, Red Rose UK may remove, restrict, or annotate those specific elements without removing verified safeguarding data. This ensures proportionality while reducing unnecessary risk.


16. Internal Decision-Making and Safeguarding Override

All rights requests are assessed using a structured internal framework designed to ensure consistency, accountability, and defensibility.

16.1 Core assessment factors

16.2 Safeguarding override principle

Where continued processing is necessary to protect the public, prevent harm, or support safeguarding objectives, these considerations may override individual objections or erasure requests, provided processing remains lawful, proportionate, and documented.

Safeguarding necessity is assessed objectively and is not displaced by reputational inconvenience or discomfort.


17. Record-Keeping, Audit Trails, and Litigation Hold

Red Rose UK maintains comprehensive records of rights requests, decisions, and outcomes to evidence compliance and accountability.

17.1 Audit trails

17.2 Litigation and regulatory hold

Where a dispute, complaint, regulatory inquiry, or legal claim is anticipated or ongoing, Red Rose UK may retain relevant data notwithstanding a rights request. This is necessary for the establishment, exercise, or defence of legal claims and is expressly permitted under UK GDPR.


18. Refusal of Requests, Fees, and Manifestly Unfounded or Excessive Requests

Red Rose UK may refuse to act on a request, or charge a reasonable fee, where it is manifestly unfounded or excessive, including where requests are repetitive and do not raise new substantive issues.

In determining whether a request is manifestly unfounded or excessive, Red Rose UK considers:

Any refusal or fee decision is documented and communicated with reasons and ICO complaint rights.


19. Complaints, Escalation, and ICO Engagement

Data subjects may lodge complaints with the Information Commissioner’s Office. Red Rose UK encourages individuals to engage directly first to allow resolution without regulatory escalation.

Red Rose UK cooperates fully with the ICO under Article 31 UK GDPR and maintains documentation sufficient to demonstrate compliance, proportionality, and good faith decision-making.


20. Policy Review, Governance, and Continuous Improvement

This Policy is reviewed periodically to reflect:

Where risks are identified, Red Rose UK may implement enhanced controls, additional mitigations, or revised procedures to ensure ongoing compliance and safeguarding effectiveness.