GDPR > Data Subject Access Request Policy and Procedure

Last updated: 21 November 2023 at 11:11:48 UTC by Russell Briggs

 

  1. Purpose

This policy sets out how Recycly Ltd (Company number 05683385) responds to data subject access requests under the GDPR. It explains the rights of the data subject in relation to such a request and the Company's responsibilities when handling it.

 

  2. Scope

This policy and procedure applies across all entities or subsidiaries owned, controlled, or operated by Recycly Ltd and to all employees, including part-time, temporary, or contract employees.

 

  3. Policy Statement

The GDPR gives data subjects a right of access to both manual data (where it is recorded in a relevant filing system) and electronic data. A request exercising this right is known as a Data Subject Access Request (DSAR).

Under the GDPR, organisations are required to respond to subject access requests without undue delay and at the latest within one month of receipt. The period may be extended by up to two further months where requests are complex or numerous, but the requester must be told of the extension, and the reasons for it, within the first month. Failure to respond in time is a breach of the GDPR and could lead to a complaint to the supervisory authority (in the UK, the Information Commissioner's Office).

This policy informs staff of the process for giving individuals the right of access to their personal data, including staff information, under the General Data Protection Regulation (hereinafter called GDPR).

 

Specifically:

  • All staff need to be aware of their responsibility to provide information when a data subject access request is received. When a subject access request is received, it must immediately be reported to the Data Protection Officer, who logs and tracks each request.

  • Requests should be made in writing (a template form is provided in the Appendix, but its use is not mandatory).

  • The statutory response time is one month from receipt (extendable by up to two further months for complex or numerous requests, provided the requester is informed within the first month).

  • Requests should include enough detail to identify the requester and locate their data, typically full name, date of birth and address. To comply with the GDPR, information relating to the individual must only be disclosed to them or to someone with their written authority to receive it.

  • No fee can be charged for an initial DSAR, whatever format the records are held in, whether manual or electronic.

 

Recycly Ltd is committed to meeting all reasonable requests for access in accordance with GDPR whilst protecting Recycly Ltd’s intellectual property and respecting the ethos of honest, confidential feedback.

 

 

  4. Procedure

  4.1 How DSARs should be processed after receipt

 

When a subject access request is received from a data subject it should immediately be reported to the Information Controller Officer, who will log and track each request. If you are asked to provide information, you will need to consider the following before deciding how to respond:

  • Under GDPR Articles 12 to 22 data subjects have the following rights (Article 7(3) additionally gives them the right to withdraw consent at any time):
    • to be informed;
    • to access their own data;
    • to rectification;
    • to erasure (Right to be Forgotten);
    • to restriction of processing;
    • to be notified of rectification, erasure or restriction of their data;
    • to data portability;
    • to object;
    • not to be subject to solely automated decision-making, including profiling.

  • Requests should be made in writing (the template form in the Appendix is provided but is not mandatory). A request is valid however it is received, so DSARs made verbally or by email, post, fax, social media, etc. must all be logged and processed; a verbal request should be recorded in writing by the member of staff who receives it.

  • A request does not have to state 'subject access request', 'GDPR' or 'data protection' to constitute a request under the GDPR. Access must be provided free of charge whatever format the records are held in; a reasonable administrative fee may be charged, or the request refused, only where the request is manifestly unfounded or excessive.

  • If a request has already been complied with and an identical or similar request is received from the same individual, it may be treated as excessive and a reasonable fee charged (or the request refused) unless a reasonable interval has elapsed since the previous request. The reasons for any fee or refusal must be recorded and explained to the requester.

  • The statutory response time is one month from receipt, extendable by up to two further months for complex or numerous requests provided the requester is informed within the first month.

  • Requests should include enough detail to identify the requester and locate their data, typically full name, date of birth and address. To comply with the GDPR, information relating to the individual must only be disclosed to them or to someone with their written authority to receive it.

  • Before processing a request, the requester's identity must be verified: disclosing personal data to someone impersonating the data subject is itself a personal data breach. Ask only for what is proportionate to confirm identity (a request from a current employee or an existing customer made through an established, authenticated channel may need no further evidence), and keep copies of identity documents no longer than is needed to record that the check was made. Where there is genuine doubt and identity evidence has to be requested, ICO guidance is that the one-month time limit does not run until that evidence is received. Examples of suitable documentation include:
    • Valid Passport
    • Valid Identity Card
    • Valid Driving Licence
    • Birth Certificate along with some other proof of address, e.g. a named utility bill (no more than 3 months old)

 

  4.2 Individual rights

An individual has the right to know what information is held about them. The GDPR, as it applies in the UK, provides a framework to ensure that personal information is handled properly.

This information must be:

  • Processed fairly, lawfully and in a transparent manner

  • Processed for specified, explicit and legitimate purposes

  • Adequate, relevant and not excessive

  • Accurate and kept up to date

  • Not kept longer than necessary

  • Processed in line with an individual's rights

  • Secure

  • Not transferred outside the UK or EEA without appropriate safeguards

  4.3 Subject access requests made by a representative or third party

Anyone with full mental capacity can authorise a representative or third party to make a data subject access request on their behalf. Before disclosing any information, Recycly Ltd must be satisfied both that the requester is who they claim to be and that the third party has the authority to make the request on the requester's behalf, with the appropriate written authorisation included (see Data Request Form). Data released to an unverified representative is a disclosure to an unauthorised recipient, so the same identity checks apply as for a request made directly.

 

  4.4 Complaints

If an individual is dissatisfied with the way Recycly Ltd has dealt with their subject access request, they should be advised to use Recycly Ltd's complaints process. If they remain dissatisfied, they can complain to the Information Commissioner's Office (ICO).

 

  5. Responsibilities

  5.1 Compliance, monitoring and review

Overall responsibility for ensuring compliance with this policy and with the related legislation on subject access rights at Recycly Ltd rests with the Information Controller Officer.

 

All of Recycly Ltd’s employees that deal with personal data are responsible for processing this data in full compliance with the relevant Recycly Ltd policies and procedures.

 

  5.2 Records management

Staff must maintain all records relevant to administering this policy and procedure in electronic form in a recognised Recycly Ltd record-keeping system.

All records relevant to administering this policy and procedure will be maintained for a period of 5 years.

  6. Terms and Definitions

General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council, which strengthens and unifies data protection for all individuals within the European Union (EU) and also governs the export of personal data outside the EU. In the UK it applies in the form of the UK GDPR, supplemented by the Data Protection Act 2018 (DPA 2018).

 

Data Controller: the entity that determines the purposes, conditions and means of the processing of personal data

 

Data Processor: the entity that processes data on behalf of the Data Controller

 

Data Protection Authority: national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union

 

Data Protection Officer (DPO): an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR

 

Data Subject: a natural person whose personal data is processed by a controller or processor

 

DSAR: data subject access request

 

Personal Data: any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person

 

Privacy Impact Assessment (termed a Data Protection Impact Assessment under the GDPR): a tool used to identify and reduce the privacy risks to individuals by analysing the personal data that are processed and the measures in place to protect them

 

Processing: any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.

 

Profiling: any automated processing of personal data intended to evaluate, analyse, or predict data subject behaviour

 

Regulation: a binding legislative act that must be applied in its entirety across the Union

 

Subject Access Right: also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them

 

 

  7. Related Legislation and Documents

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access

  8. Feedback and Suggestions

 

Recycly Ltd’s employees may provide feedback and suggestions about this document by emailing dominic.tyler@Recycly.com

 

 

  9. Approval and Review Details

This policy must be reviewed and updated annually.

The following matters must be considered as part of each review of this policy:

 

  • changes to the legal and regulatory environment;

 

  • changes to any codes of conduct to which the company subscribes;

 

  • developments in industry best practice;

 

  • any new data collected by the company;

 

  • any new data processing activities undertaken by the company; and

 

  • any security incidents affecting the company.

  10. Appendix

 

Data Request Form

 

Letter template


[Your full address]

[Phone number]

[The date]


[Name and address of the organisation]

Dear Sir or Madam

Subject access request

[Your full name and address and any other details to help identify you and the data you want.]

Please supply the data about me that I am entitled to under data protection law relating to: [give specific details of the data you want, for example:

  • my personnel file
  • emails between ‘person A’ and ‘person B’ (from date to date)
  • copies of statements (between date and date) held in account number xxxxx.]

If you need any more data from me, or a fee, please let me know as soon as possible. It may be helpful for you to know that data protection law requires you to respond to a request for data within one calendar month.

If you do not normally deal with these requests, please pass this letter to your Information Controller Officer dominic.tyler@Recycly.com, or relevant staff member. If you need advice on dealing with this request, the Information Commissioner’s Office can assist you. Its website is ico.org.uk or it can be contacted on 0303 123 1113.

Yours faithfully


[Signature]