26. Subject access requests
Making a request: If you wish to make a subject access request to verify the lawfulness and accuracy of the personal data we hold about you, then you are encouraged to put your request in writing (letter or email) and submit it to a member of the senior management team.
Your request should be specific about the nature and the type of data you require. Every attempt will be made to comply with your request in a timely manner and without undue delay.
Upon receipt of the information you are encouraged to check the accuracy of the information and to advise the Company of any updates that may need to be made.
A fee will not be charged for an access request, except where a request is deemed to be ‘manifestly excessive’ or you have already been provided with the information.
Receiving a request: If you receive a request, you should pass it to one of the senior management team immediately. Requests must be acknowledged upon receipt.
Requests must be complied with in a timely manner and without undue delay. If it is anticipated that compliance with a request is not going to be immediate then the Controller should be notified and informed of the legitimate reasons for this. The information requested must be provided within one month of receipt of the request.
If an extension to the time line is absolutely necessary under exceptional circumstances, then any extension must be agreed by the data subject and signed off by the Controller within one month of the request. If an extension is agreed, then the information must be provided within a maximum of three months from the receipt of the request.
If a request is received electronically (e.g. via email) then the request must be responded to electronically.
The data must be provided in a common format (e.g. a paper file, a PDF document etc).
Only personal data pertaining to the individual who made the request should be released.
If there is any doubt over the identity of the individual making the access request, then reasonable steps must be taken to verify their identity, before complying with the request.
When the personal data is provided, the individual must be informed of the right to lodge a complaint with the relevant supervisory authority and the existence of the right to objection, rectification, erasure and restriction of the data.
The data subject may be directed to the relevant privacy/fair processing notice which will provide advice on the conditions for processing.