Subject Access Request (SAR) Policy
1. Purpose
This document sets out our policy for responding to subject access requests under the GDPR (General Data Protection Regulation), which comes into force in May 2018. This document explains the rights of the data subject in relation to a data subject access request and EZYTRAC’s responsibilities when dealing with that request.
2. Individual Rights
An individual has the right to know what information is held about them. GDPR in the UK provides a framework to ensure that personal information is handled properly.
This information must be:
- Processed fairly, lawfully and in a transparent manner
- Processed for specific, legitimate and lawful purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than necessary
- Processed in line with an individual’s rights
- Secure
- Not transferred other than in accordance with agreed terms and conditions which are available on our website www.ezytrac.uk/privacy
3. EZYTRAC’s policy on providing information
EZYTRAC is committed to meeting all reasonable requests for access in accordance with GDPR, whilst protecting EZYTRAC’s intellectual property and respecting the ethos of honest, confidential feedback which forms part of EZYTRAC’s reputation.
4. How do you make a subject access request?
A subject access request is a written request for personal information held about you by EZYTRAC. You have the right to see what personal information we hold about you. You are entitled to be given confirmation as to whether we hold or process your personal information, and if so you are entitled to access all your personal information as well as details of:
- The purposes for which we process your personal data;
- The categories of your personal data we process;
- The recipients, or categories of recipients, to whom personal data has been or will be disclosed, in particular recipients in third countries or who are international organisations;
- How long we expect to store your data;
- Where you did not give us the personal data, the source from which we collected the personal data; and
- Whether we use any automated decision making in relation to the processing of your personal data.
You are entitled to have any mistakes in your personal data rectified, and to have the data deleted if you would no longer like us to store or process your personal data, or to request restriction of our processing of your personal data.
If you are not satisfied with how we have stored or processed your personal data, you have a right to lodge a complaint with us, by contacting privacy@ezytrac.uk and/or the ICO.
5. What is personal information?
Personal data is information which relates to or refers to an individual. Data refers to an individual if that individual can be identified, for example by their name, identification number or location data, or by factors specific to the individual's physical, physiological, genetic, mental, economic, cultural or social identity.
6. What do we do when we receive a subject access request?
Verifying your identity – if we have cause to doubt your identity, we will ask for information to verify it. For example, we may ask you for a piece of information held in your records that you might reasonably be expected to know. We cannot disclose personal information to anyone other than the individual in question.
Collating information – we will gather any manual or electronically held information and identify any information provided by a third party or which identifies a third party.
Third parties – before sharing information that relates to third parties, we will, where possible, anonymise or edit information that might affect another party’s privacy. We may also summarise information rather than provide a copy of the whole document. The GDPR requires us to provide information, not documents.
7. Issuing a response
Once any queries around the information requested have been resolved, copies of the information will be sent to you electronically wherever possible or, if this is not technically possible, by post.
8. Will we charge a fee?
If your data subject access requests are excessive or manifestly unfounded, we will charge £10 to cover the administrative costs involved in dealing with your request. In extreme circumstances, we reserve the right to refuse your requests.
9. What is the timeframe for responding to subject access requests?
We have one month starting from the day after we received the information necessary to identify you, to identify the information you requested, and provide you with the information (or explain why we were unable to provide the information). Should your request be excessive or manifestly unfounded or be of a complex nature we may extend this time to 3 months. Wherever possible, we will aim to complete the request in advance of the deadline.
Updated 1st May 2018