The 'Data Subject Access Request Policy' is a document that outlines the procedures and guidelines for handling requests from individuals to access their personal data. The policy is designed to ensure compliance with the General Data Protection Regulation (GDPR) and other relevant legislation and guidance. The document begins with a general purpose statement, emphasizing the importance of privacy and the rights of individuals to access their personal data. It then provides a scope section, clarifying that the policy is for internal use and provides guidance for staff members who handle data subject access requests.
The policy outlines a step-by-step procedure for handling data subject access requests. It starts with the identification of a data subject access request, which is a request from an individual or their representative for confirmation of whether the company processes their personal data and for access to that data. The policy specifies that requests can be made through a direct link provided in the company's privacy policy or by email or letter.
The policy provides instructions for staff members who receive data subject access requests. It explains that requests received by staff members who are not authorized to handle such requests should be forwarded to the appropriate personnel. For authorized staff members, the policy advises them to ask the individual to specify the information or processing activities to which the request relates if the company processes a large quantity of information about the individual.
The policy also addresses the verification of the individual's identity before responding to a request. It states that reasonable steps should be taken to verify the identity of the person making the request, and additional information may be requested, such as a driving license or passport. The policy outlines situations where the company can refuse to respond to a request, such as when the identity of the individual cannot be confirmed or when the request is manifestly unfounded or excessive.
The time limit for responding to a request is specified as one month from the receipt of the request, with a possible extension of 15 days for complex requests or multiple requests from the same individual. The policy details the information that should be provided in response to a request, including the purpose for processing the data, recipients of the data, storage period, and the individual's rights regarding rectification, erasure, restriction, and objection to processing. It also addresses automated decision-making and the right to request information about the logic behind such decisions.
The policy provides guidance on how to locate the requested information within the company's electronic and manual filing systems. It emphasizes the importance of selecting only the information that constitutes the individual's personal data. The policy also covers requests made by third parties on behalf of the individual and exemptions to the right of access. It concludes with information on deleting personal data in the normal course of business and the consequences of policy violations.
Overall, the 'Data Subject Access Request Policy' is a comprehensive document that ensures compliance with data protection regulations and provides clear instructions for handling data subject access requests.
1. Identifying a data subject access request:
- Determine whether a request is a data subject access request, i.e. a request from an individual or their representative for confirmation of whether the company processes their personal data and for access to that data.
2. Receiving a data subject access request:
- If you are not authorized to handle such requests, forward any requests received by email or letter to the appropriate personnel.
- If you are authorized, ask the individual to specify the information or processing activities to which the request relates if the company processes a large quantity of information about the individual.
3. Verifying the identity of the individual:
- Take reasonable steps to verify the identity of the person making the request.
- Where necessary, request additional information, such as a driving licence or passport, to confirm their identity.
4. Refusing to respond to a request:
- Refuse to act on a request if the identity of the individual cannot be confirmed or if the request is manifestly unfounded or excessive.
- Inform the individual of the reasons for not taking action and their right to complain to the regulatory body.
5. Time limit for responding to a request:
- Provide the requested information without delay and within one month of receiving the request.
- If the request is complex or multiple requests have been made by the same individual, inform the individual that the time limit may be extended by 15 days.
6. Information to be provided in response to a request:
- Provide access to personal data and include information on the purpose of processing, recipients of the data, storage period, and the individual's rights.
- Use the company's standard form response to data subject requests.
7. Automated decision-making:
- Provide a description of the logic behind any automated decision if specifically requested.
- Consider requests for human intervention, expression of the individual's point of view, and contesting the automated decision.
8. Locating information:
- Search electronic and manual filing systems using the individual's name or personal identifier.
- Focus the search based on the type of information requested.
9. Personal data selection:
- Select only the information that constitutes the individual's personal data.
10. Requests made by third parties:
- Verify that third parties are authorized to act on behalf of the individuals.
11. Exemptions to the right of access:
- Identify valid business reasons for exemptions and inform the appropriate personnel.
12. Deleting personal data:
- Supply the requested information based on the data at the time of the request.
- Consider any amendments or deletions made to the personal data after the request was received.
13. Policy violations:
- Ensure compliance with requests and respond within the specified time limit.
- Contact the appropriate personnel if there are breaches of the policy.
For more information or further guidance, contact the designated personnel responsible for handling data subject access requests.