Under the GDPR, the Company is required to respond to subject access requests within 30 calendar days. That deadline may be extended by two further months where necessary if the request is complex or if the Company has received more than one request from an individual.
Upon receipt of a DSAR, the DPO will acknowledge the request. The requestor may be asked to complete a DSAR Form to better enable the Company to locate the relevant information.
- Requests must be made in writing.
- The statutory response time is 30 calendar days.
- Requests should include the full name, date of birth, and address of the person seeking access to their information. To comply with GDPR, information relating to the individual must only be disclosed to them or someone with their written consent to receive it.
- No fee can be charged for providing information in response to a DSAR, unless the request is ‘manifestly unfounded or excessive’, in particular because it is repetitive. If the Company receives a request that is manifestly unfounded or excessive, it will charge a reasonable fee, taking into account the administrative costs of responding to the request.
3.2. Identity verification
The DPO needs to verify the identity of anyone making a DSAR to ensure information is only given to the person who is entitled to it. If the identity of a DSAR requestor has not already been established, the person receiving the request will ask the requestor to provide two forms of identification, one of which must be photo identification and the other confirmation of address.
If the requestor is not the data subject, written confirmation that the requestor is authorized to act on behalf of the data subject is required.
3.3. Information for DSAR
Upon receipt of the required documents, the person receiving the request will provide the DPO with all relevant information in support of the DSAR. Where the DPO is reasonably satisfied with the information presented by the person who received the request, the DPO will notify the requestor that his/her DSAR will be responded to within 30 calendar days. The 30-day period begins from the date that the required documents are received. The requestor will be informed by the DPO in writing if there will be any deviation from the 30-day timeframe due to other intervening events.
3.4. Review of Information
The DPO will contact the relevant department(s) and ask for the information requested in the DSAR. This may also involve an initial meeting with the relevant department to go through the request, if required. The department which holds the information must return the required information by the deadline imposed by the DPO, and/or a further meeting will be arranged with the department to review the information. The DPO will determine whether any of the information may be subject to an exemption and/or whether consent is required from a third party.
3.5. Response to Access Requests
The DPO will provide the finalized response together with the information retrieved from the department(s) and/or a statement that the Company does not hold the information requested, or that an exemption applies. The DPO will ensure that a written response will be sent back to the requestor. This will be via email unless the requestor has specified another method by which they wish to receive the response (e.g. physical mail). The Company will only provide information via channels that are secure. When hard copies of information are sent physically, they will be sealed securely and sent by recorded delivery.
After the response has been sent to the requestor, the DSAR will be considered closed and archived by the DPO.
Records of communications relating to a subject access request will be retained by the Company.
An individual does not have the right to access information recorded about someone else, unless they are an authorized representative, or have parental responsibility.
The Company is not required to respond to requests for information unless it is provided with sufficient details to enable the location of the information to be identified and to satisfy itself as to the identity of the data subject making the request.
The Company will not normally disclose the following types of information in response to a DSAR:
- Information about other people – a DSAR may cover information that relates to an individual or individuals other than the data subject. Access to such data will not be granted unless the individuals involved consent to the disclosure of their data.
- Repeat requests – where a similar or identical request in relation to the same data subject has previously been complied with within a reasonable time period, and where there is no significant change in personal data held in relation to that data subject, any further request made within a six month period of the original request will be considered a repeat request, and the Company will not normally provide a further copy of the same data.
- Publicly available information – The Company is not required to provide copies of documents that are already in the public domain.
- Opinions given in confidence or protected by law – The Company does not have to disclose personal data held in relation to a data subject that is in the form of an opinion given in confidence or protected by law.
- Privileged documents – Any privileged information held by the Company need not be disclosed in response to a DSAR. In general, privileged information includes any document which is confidential (e.g. a direct communication between a client and their lawyer) and is created for the purpose of obtaining or giving legal advice.
- If the information is kept only for the purpose of statistics or research, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved.
- Requests made for other, non-data protection, purposes.
- Vexatious requests.
If the DPO refuses a DSAR, the reasons for the rejection must be clearly set out in writing. Any individual dissatisfied with the outcome of their DSAR is entitled to make a request to the Company to review the outcome or to the Data Protection Regulator.