SUBJECT ACCESS REQUEST PROCEDURE
About This Procedure
This Subject Access Request Procedure sets out Company’s procedures in relation to any Subject Access Request which 3R Holdings and Associated Companies may receive from a Data Subject.
Christopher Powell (DPM) is responsible for overseeing this procedure. Any questions about the operation of this procedure should be submitted to the DPM at dpo@3r.co.uk.
Receiving A Request
Data Subjects have the right to request access to their personal data processed by Company. Such requests are called subject access requests (SARs).
When a Data Subject makes an SAR, Company shall take the following steps:
- log the date on which the request was received (to ensure that the relevant timeframe of one month for responding to the request is met);
- confirm the identity of the Data Subject who is the subject of the personal data. For example, Company may request additional information from the Data Subject to confirm their identity;
- search databases, systems, applications and other places where the personal data which are the subject of the request may be held; and
- confirm to the Data Subject whether or not personal data of the Data Subject making the SAR are being processed.
Charges
Provision of Information
- the purposes of the processing;
- the categories of personal data concerned (for example, contact details, bank account information and details of sales activity);
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients overseas (for example, US-based service providers);
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to such processing;
- the right to lodge a complaint with the Information Commissioner’s Office (ICO);
- where the personal data are not collected from the Data Subject, any available information as to their source;
- the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject; and
- where personal data are transferred outside the EU, details of the appropriate safeguards to protect the personal data.
Extending the Time to Respond
If the request is complex, or there are a number of requests, Company may extend the period for responding by a further two months. If Company extends the period for responding, Company shall inform the Data Subject within one month of receipt of the request and explain the reason(s) for the delay.
Refusing A Request
If the SAR is manifestly unfounded or excessive, for example, because of its repetitive character, Company may refuse to act on the request.
If Company is not going to respond to the SAR, Company shall inform the Data Subject of the reason(s) for not taking action and of the possibility of lodging a complaint with the ICO.