Data Subject Access Request Response Policy 

1. ABOUT THESE PROCEDURES

1.1 Data subjects have certain rights in respect of their personal data. When we process data subjects’ personal data, we shall respect those rights. These procedures provide a framework for responding to requests to exercise those rights. It is our policy to ensure that requests by data subjects covered by these procedures to exercise their rights in respect of their personal data are handled in accordance with applicable law.

1.2 Failure to comply with these procedures could lead us to be in breach of applicable law, which could expose us to fines and penalties, adverse publicity, and difficulties in providing evidence when we need it and in running our business.

1.3 For the purposes of these procedures, “personal data” means any information relating to an identified or identifiable data subject. An identifiable data subject is anyone who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number or online identifier. “Processing” means any operation or set of operations that is performed on personal data, such as collection, use, storage, dissemination and destruction.

1.4 These procedures only apply to data subjects whose personal data we process (although if we receive an access request from someone whose personal data we do not process, we should confirm to them that we do not process their personal data).

2. GENERAL REQUIREMENTS, RECORD KEEPING AND WHERE TO GET FURTHER INFORMATION AND ADVICE

2.1 It is important that we keep accurate records of requests that we receive and how we handle them.

2.2 Requests can be made in any form, including verbally, via email, social media or any other method. Jason Tallamy shall be responsible for responding to the request on behalf of Craftex Cleaning Systems Ltd.

2.3 We will document requests received by Jason Tallamy.

2.4 When establishing whether we hold personal data, we will document what searches we have carried out.

2.5 When responding to requests, we will communicate in a concise, transparent, intelligible and easily accessible form, use clear and plain language, and use the template letter that is attached at Appendix A to this policy. We should generally communicate in writing (which can include email) but we can reply verbally if specifically requested by the data subject. In any case, we must be satisfied with the identity of the data subject.

3. GENERAL REQUIREMENTS, RECORD KEEPING AND WHERE TO GET FURTHER INFORMATION AND ADVICE

3.1 Data subjects have the right to request access to their personal data processed by us. These requests are called data subject access requests (SARs). When a data subject makes a SAR, we shall take the following steps:

a. log the date on which the request was received (to ensure that the relevant timeframe of one month for responding to the request is met);

b. confirm the identity of the data subject who is the subject of the personal data by asking them to complete the SAR form attached at Appendix B and provide relevant identification documents;

c. search databases, systems, applications and other places where the personal data which is the subject of the request may be held; and

d. confirm to the data subject whether or not personal data of the data subject making the SAR is being processed.

3.2 If personal data of the data subject is being processed, we shall provide the data subject with the following information:

a. the purposes of the processing;

b. the categories of personal data concerned (for example, contact details, bank account information and details of sales activity);

c. the recipients or categories of recipient to whom the personal data has been or will be disclosed;

d. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e. the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to that processing;

f. the right to lodge a complaint with the Information Commissioner’s Office (ICO);

g. where the personal data is not collected from the data subject, any available information as to its source;

h. where personal data is transferred outside the UK, details of the appropriate safeguards to protect the personal data.

3.3 Unless there is an exemption, we shall provide the data subject with a copy of the personal data processed by us. If the request is complex, or there are several requests, we may extend the period for responding by a further two months. If we extend the period for responding, we shall inform the data subject within one month of receipt of the request and explain the reasons for the delay.

3.4 Before providing the personal data to the data subject making the SAR, we shall review the personal data requested to see if it contains the personal data of other data subjects. If it does, we may redact the personal data of those other data subjects before providing the data subject with their personal data, unless those other data subjects have consented to the disclosure of their personal data or it is reasonable to disclose without their consent (taking into account, for example, the type of data and whether the other person has expressly refused consent).

3.5 If we believe the SAR to be unreasonable because it is repetitive or a serious administrative burden upon us, we may decide to charge a reasonable fee, taking into account the administrative costs of providing the personal data, or we may decide to refuse to act on the request.

3.6 If we are not going to respond to the SAR, we shall inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with the ICO.

4. RESPONDING TO REQUESTS TO RECTIFY PERSONAL DATA

4.1 Data subjects have the right to have their inaccurate personal data rectified. Rectification can include having incomplete personal data completed, for example, by a data subject providing a supplementary statement regarding the data. Where such a request is made, we shall, unless there is an exemption, rectify the personal data without undue delay.

4.2 We shall also communicate the rectification of the personal data to each recipient to whom the personal data has been disclosed, unless this is impossible or involves disproportionate effort. We shall also inform the data subject about those recipients if the data subject requests it.

5. RESPONDING TO REQUESTS FOR THE ERASURE OF PERSONAL DATA

5.1 Data subjects have the right, in certain circumstances, to request that we erase their personal data. Where such a request is made, we shall, unless there is an exemption, erase the personal data without undue delay if:

a. the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;

b. the data subject withdraws their consent to the processing of their personal data and consent was the basis on which the personal data was processed and there is no other legal basis for the processing;

c. the data subject objects to the processing of their personal data on the basis of our performance of a task carried out in the public interest or in the exercise of official authority vested in us, or on the basis of our legitimate interests which override the data subject’s interests or fundamental rights and freedoms, unless we either can show compelling legitimate grounds for the processing which override those interests, rights and freedoms, or we are processing the data for the establishment, exercise or defence of legal claims;

d. the data subject objects to the processing of their personal data for direct marketing purposes;

e. the personal data has been unlawfully processed; or

f. the personal data has to be erased for compliance with a legal obligation to which we are subject.

5.2 When a data subject makes a request for erasure in the circumstances set out above, we shall, unless there is an exemption, take the following steps:

a. log the date on which the request was received (to ensure that the relevant timeframe of one month for responding to the request is met);

b. confirm the identity of the data subject who is the subject of the personal data. We may request additional information from the data subject to do this;

c. search databases, systems, applications and other places where the personal data which is the subject of the request may be held and erase that data within one month of receipt of the request. If the request is complex, or there are several requests, we may extend the period for responding by a further two months. If we extend the period for responding, we shall inform the data subject within one month of receipt of the request and explain the reasons for the delay;

d. where we have made the personal data public, we must, taking reasonable steps, including technical measures, inform those who are processing the personal data that the data subject has requested the erasure by them of any links to, or copies or replications of, that personal data; and

e. communicate the erasure of the personal data to each recipient to whom the personal data has been disclosed unless this is impossible or involves disproportionate effort. We shall also inform the data subject about those recipients if the data subject requests it.

5.3 If the request is manifestly unfounded or excessive, for example, because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of erasure, or refuse to act on the request.

5.4 If we are not going to respond to the request, we shall inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with the ICO.

We can refuse to erase the personal data to the extent processing is necessary:

a. for exercising the right of freedom of expression and information;

b. for compliance with a legal obligation which requires processing by law and to which we are subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;

c. for reasons of public interest in the area of public health;

d. for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes insofar as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e. for the establishment, exercise or defence of legal claims.

6. RESPONDING TO REQUESTS TO RESTRICT THE PROCESSING OF PERSONAL DATA

6.1 Data subjects have the right, unless there is an exemption, to restrict the processing of their personal data if:

a. the data subject contests the accuracy of the personal data, for a period to allow us to verify the accuracy of the personal data;

b. the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of its use instead;

c. we no longer need the personal data for the purposes we collected it, but it is required by the data subject for the establishment, exercise or defence of legal claims; and

d. the data subject has objected to the processing, pending verification of whether we have legitimate grounds to override the data subject’s objection.

6.2 Where processing has been restricted, we shall only process the personal data (excluding storing it):

a. with the data subject’s consent;

b. for the establishment, exercise or defence of legal claims;

c. for the protection of the rights of another person; or

d. for reasons of important public interest.

6.3 Before lifting the restriction, we shall inform the data subject of the lifting of the restriction.

6.4 We shall communicate the restriction of processing of the personal data to each recipient to whom the personal data has been disclosed, unless this is impossible or involves disproportionate effort. We shall also inform the data subject about those recipients if the data subject requests it.

7. RESPONDING TO REQUESTS FOR THE PORTABILITY OF PERSONAL DATA

7.1 Data subjects have the right, in certain circumstances, to receive their personal data that they have provided to us in a structured, commonly used and machine-readable format that they can then transmit to another company. Where such a request is made, we shall, unless there is an exemption, provide the personal data without undue delay if:

a. the legal basis for the processing of the personal data is consent or pursuant to a contract; and

b. our processing of that data is automated.

7.2 When a data subject makes a request for portability in the circumstances set out above, we shall take the following steps:

a. log the date on which the request was received (to ensure that the relevant timeframe of one month for responding to the request is met);

b. confirm the identity of the data subject who is the subject of the personal data. We may request additional information from the data subject to confirm their identity; and

c. search databases, systems, applications and other places where the personal data which is the subject of the request may be held and provide the data subject with that data (or, at the data subject’s request, transmit the personal data directly to another company, where technically feasible) within one month of receipt of the request. If the request is complex, or there are several requests, we may extend the period for responding by a further two months. If we extend the period for responding, we shall inform the data subject within one month of receipt of the request and explain the reason(s) for the delay.

7.3 If the request is manifestly unfounded or excessive, for example, because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of providing or transmitting the personal data, or refuse to act on the request.

7.4 If we are not going to respond to the request, we shall inform the data subject of the reasons for not taking action and of the possibility of lodging a complaint with the ICO.

8. RESPONDING TO OBJECTIONS TO THE PROCESSING OF PERSONAL DATA

8.1 Data subjects have the right to object to the processing of their personal data where that processing is on the basis of our performance of a task carried out in the public interest or in the exercise of official authority vested in us, or on the basis of our legitimate interests which override the data subject’s interests or fundamental rights and freedoms, unless we either:

a. can show compelling legitimate grounds for the processing which override those interests, rights and freedoms; or

b. are processing the personal data for the establishment, exercise or defence of legal claims.

8.2 Data subjects also have the right to object to the processing of their personal data for scientific or historical research purposes, or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8.3 Where such an objection is made, we shall, unless there is an exemption, no longer process a data subject’s personal data.

8.4 Where personal data is processed for direct marketing purposes, data subjects have the right to object at any time to the processing of their personal data for that marketing. If a data subject makes such a request, we shall stop processing the personal data for those purposes and add details of the data subject to our marketing suppression list.

9. EXEMPTIONS

9.1 Before responding to any request, we shall check whether there are any exemptions that apply to the personal data that is the subject of the request. Exemptions may apply where it is necessary and proportionate not to comply with the requests described above in relation to matters such as national security and other important objectives of general national public interest. We will take legal advice if we believe that an exemption may apply.