Data Subject Access Request Policy

Our Data Subject Access Request Policy ensures GDPR compliance and efficient handling of data access requests. It provides guidance on identifying, verifying, and promptly responding to such requests.

We prioritise data privacy and offer a comprehensive policy to streamline data access inquiries from individuals, representatives, and interested parties. With our internal policy, staff members are guided in handling requests for personal data access, including verification and response procedures.

Learn about identification, verification, response time, and information disclosure to process data access requests efficiently. Stay compliant with GDPR by exploring our policy, which provides guidelines for responding to inquiries from data subjects.

Our policy emphasises transparency and GDPR compliance, outlining how we handle requests, verify identities, and provide relevant information to individuals. Empower your staff with Company's Data Subject Access Request Policy, ensuring accurate and efficient handling of data access requests.

Discover our internal policy, follow GDPR guidelines, and promptly respond to requests for personal data access. Efficiently manage data subject access requests using our internal policy, which includes procedures and responsibilities for handling data access requests. By implementing our Data Subject Access Request Policy, you can ensure compliance and protect privacy rights. Gain insights into the processes involved in handling data access requests and understand the procedures and responsibilities associated with our policy.

How to use this Document?

Steps to Use the Data Subject Access Request Policy:

1. Understand the Purpose: The policy aims to ensure compliance with GDPR and relevant legislation when handling data subject access requests. It outlines procedures for staff members authorised to handle such requests.

2. Scope of Policy: The policy is for internal use and not routinely shared with third parties. It provides guidance to staff on handling data subject access requests and identification procedures.

3. Identifying a Data Subject Access Request: Requests can be made through a direct link provided in the Privacy Policy or via email/letter. Staff not authorised to handle such requests should forward them to the designated person.

4. Receiving a Request: Authorised staff may receive direct requests. In case of a large amount of data, clarification may be sought from the individual regarding the information or processing activities required.

5. Fee Assessment: Normally, there is no fee for responding to a data subject access request. However, fees may be charged for manifestly unfounded/excessive requests or additional copies of the same information.

6. Verifying Identity: Before responding, reasonable steps must be taken to verify the requester's identity. Additional information like driving license, passport, or utility bill may be requested.

7. Refusing to Respond: If unable to identify the requester or if the request is manifestly unfounded or excessive, the company may refuse to act. The requester must be informed of the refusal and their right to complain or seek a judicial remedy.

8. Time Limit for Response: The company must provide the requested information within one month of receiving the request. If the request is complex, an extension of up to 15 days may be allowed, with notification to the requester.

9. Information to Provide: The company must provide access to personal data and additional information, such as the purpose of processing, recipients of data, storage period, rights of rectification/erasure, and the right to lodge a complaint.

10. Automated Decision-Making: If requested, the company must describe the logic behind automated decisions, allowing for human intervention, expressing the individual's views, or contesting the decision.

11. Locating Information: Various electronic and manual filing systems may contain the requested personal data. A targeted search using relevant identifiers like name or employee/customer numbers should be conducted.

12. Selecting Personal Data: Only information constituting the requester's personal data should be provided in response to the access request.

13. Third-Party Requests: Third parties acting on behalf of individuals must provide sufficient evidence of authorisation to make requests.

14. Exemptions: In certain circumstances, the company may be exempt from providing requested personal data. Staff members should inform the designated person if they believe an exemption applies.

15. Deleting Personal Data: The data supplied in response should match the data at the time of the request. Regular data maintenance activities may continue even after receiving a request.

16. Policy Violations: Failure to comply with the policy may result in a breach of GDPR and relevant legislation. Promptly contact the designated person for guidance.

17. Revision and Explanation: The policy may be revised periodically, and any questions or further guidance should be directed to the appropriate contact. The last update date and authority responsible for interpretation are provided for reference.