About This Procedure

This Subject Access Request Procedure sets out Company’s procedures in relation to any Subject Access Request which 3R Holdings and Associated Companiesmay receive from a Data Subject.

The Christopher Powell (DPM) is responsible for overseeing this procedure. Any questions about the operation of this procedure should be submitted to the DPM.

Receiving A Request

Data Subjects have the right to request access to their personal data processed by Company. Such requests are called subject access requests (SARs).

When a Data Subject makes an SAR, Company shall take the following steps:

  1. log the date on which the request was received (to ensure that the relevant timeframe of one month for responding to the request is met);
  2. confirm the identity of the Data Subject who is the subject of the personal data. For example, Company may request additional information from the Data Subject to confirm their identity;
  3. search databases, systems, applications and other places where the personal data which are the subject of the request may be held; and
  4. confirm to the Data Subject whether or not personal data of the Data Subject making the SAR are being processed.

Charges

Company shall not usually charge a fee to the Data Subject for carrying out a SAR (i.e. as the previous statutory £10 fee is no longer in force.)

If the SAR is manifestly unfounded or excessive, for example, because of its repetitive character, Company may charge a reasonable fee, taking into account the administrative costs of providing the personal data.

Provision of Information

If personal data of the Data Subject are being processed, Company shall provide the Data Subject with the following information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in writing or by other (including electronic) means:

  1. the purposes of the processing;
  2. the categories of personal data concerned (for example, contact details, bank account information and details of sales activity);
  3. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients overseas (for example, US-based service providers);
  4. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to such processing;
  6. the right to lodge a complaint with the Information Commissioner’s Office (ICO);
  7. where the personal data are not collected from the Data Subject, any available information as to their source;
  8. the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject; and
  9. where personal data are transferred outside the EU, details of the appropriate safeguards to protect the personal data.

Company shall also, unless there is an exemption, provide the Data Subject with a copy of the personal data processed by Company in a commonly used electronic form e.g. PDF documents, unless the Data Subject either did not make the request by electronic means or has specifically requested not to be provided with the copy in electronic form. Company shall usually submit the data to the Data Subject within one month of receipt of the request.

Before providing the personal data to the Data Subject making the SAR, Company shall review the personal data requested to see if they contain the personal data of other Data Subjects. If they do, Company may redact the personal data of those other Data Subjects prior to providing the Data Subject with their personal data, unless those other Data Subjects have consented to the disclosure of their personal data.

Extending the Time to Respond

If the request is complex, or there are a number of requests, Company may extend the period for responding by a further two months. If Company extend the period for responding Company shall inform the Data Subject within one month of receipt of the request and explain the reason(s) for the delay.

Refusing A Request

If the SAR is manifestly unfounded or excessive, for example, because of its repetitive character, Company may refuse to act on the request.

If Company is not going to respond to the SAR, Company shall inform the Data Subject of the reason(s) for not taking action and of the possibility of lodging a complaint with the ICO.