GDPR: SUBJECT ACCESS REQUEST POLICY

Introduction

Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing. Our business must comply with the requirements of the General Data Protection Regulations (GDPR) and we must be able to demonstrate compliance to the Information Commissioner’s Office (ICO).

Upon receipt of a request for information our internal policy is as follows:

Responsibility

Clifford Hickton and Joanna Gray are responsible for the handling of Subject Access Requests (SAR) in our business.

The duties of Clifford Hickton and Joanna Gray include but are not limited to:

  • Log the receipt and fulfilment of all requests received from a data subject/the person making the request/ requestor to see his or her personal information.
  • Acknowledge the subject access request (SAR).
  • Verify the identity of any person making a SAR.
  • Maintain a database on the volume of requests and compliance against the statutory timescale.
  • Verify whether if we are the controller of the data subject’s personal data.
  • Check if we are not a controller, but rather a processor. If so, inform the data subject and refer them to the actual controller. This needs to be recorded in writing.
  • Where applicable, decide if a request is excessive, unfounded or repetitive and communicate this to the requestor.
  • Decide if an exemption applies.
  • If a SAR is submitted in electronic form, any information should preferably be provided by electronic means as well.

Oral or written requests

Subject access requests can be made in writing, electronically or verbally.

If a member of staff is in any doubt if a certain situation has given rise to a SAR, contact Clifford Hickton by email providing full details of the incident. Staff should do this without delay and certainly within [TWO] business days to admin@optimumforklifttrainingservices.co.uk.

Where a member of staff receives a subject access request, they must email the relevant information to Clifford Hickton at admin@optimumforklifttrainingservices.co.uk without delay and certainly within [two] business days.

How do we verify the requestor’s identity?

The requestor must supply valid evidence to prove their identity.

We may verify the requestor’s identity either through a phone call where we ask questions that only the requestor will know the answers to or by requesting forms of identification.

We accept the following forms of identification:

 

 

 

[Examples include:

  • Current UK/EEA Passport
  • UK Driving Licence
  • Financial Statement issued by bank, building society or credit card company
  • Utility bill for supply of gas, electric, water or telephone landline]

How to process the request

Our aim is to determine what information the requestor is asking for. If the request is not clear, or where if we process a large quantity of information about an individual, the GDPR permits us to ask the individual to specify the information the request relates to. Where this applies, we will proceed with a request for additional information.

We must verify whether we process the data requested. If we do not process any such data, we must inform the data subject accordingly.

We must respond to the data subject within 30 days of receiving the request as valid. This is a requirement under the GDPR.

Any employee, who receives a request from Clifford Hickton to locate and supply information relating to a SAR, must make a full exhaustive search of the records which they are responsible for or owns. This may include but is not limited to emails (including archived emails and those that have been deleted but are still recoverable), Word documents, spreadsheets, databases, systems, removable media (for example, memory sticks), recordings, paper records in relevant filing systems.

Clifford Hickton should check whether the data requested also involves data on other data subjects and make sure this data is filtered before the requested data is supplied to the requestor; if data cannot be filtered, ensure that other data subjects have consented to the supply of their data as part of the SAR.

All the information that has been requested must be provided unless an exemption can be applied (see below). Information must be supplied in an intelligible form and we will explain acronyms, codes or complex terms.

No charge to comply with the request (with exceptions)

We will provide a copy of the information free of charge, as per the GDPR rules. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information. We understand that this does not mean that we can charge for all subsequent access requests.

Where applicable, Clifford Hickton will determine the ‘reasonable fee’ that must be based on our administrative cost of providing the information.

 

 

Excessive, manifestly unfounded or repetitive requests

Where requests are manifestly unfounded, excessive and repetitive, we may refuse to act on the request or charge a reasonable administration fee. Clifford Hickton will make a decision on this.

Clifford Hickton must provide information on our decision to the requestor in writing within 30 days and must state how they reached their decision.

Complex requests

As stated we have to respond to a SAR within 30 days. If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner within 30 days.

Where we decide not take action on the request of the data subject, we need to inform the data subject of this decision without delay and at the latest within 30 days of receipt of the request.

Our response to the requestor

After processing the SAR, our response to the requestor should include:

  • The purpose(s) the processing;
  • The categories of personal data concerned;
  • The recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data;
  • The envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
  • The existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • The right to lodge a complaint with the ICO;
  • If the data has not been collected from the data subject: the source of such data;
  • The existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the requestor.

How to handle exemptions?

If a member of staff believes that we have a valid business reason for an exemption, please inform Clifford Hickton without delay by email to admin@optimumforklifttrainingservices.co.uk.

Exempt information must be redacted from the released documents with an explanation of why that information is being withheld.

Complaints

Where a requestor is not satisfied with a response to a SAR, we must manage this as a complaint. We must advise the requestor that if they remain unhappy with the outcome they may complain to the Information Commissioners Office or take legal action against us.

 

Breach statement

Breaches of this policy by members of staff will be investigated and may result in disciplinary action. Serious breaches of policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against the relevant member of staff.

Leave a Message

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt

We use cookies to give you the best online experience. By agreeing you accept the use of cookies in accordance with our cookie policy.

Privacy Settings saved!
Privacy Settings

When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. Control your personal Cookie Services here.


Cookies are small pieces of text used to store information on web browsers. Cookies are used to store and receive identifiers and other information on computers, phones and other devices. Other technologies, including data we store on your web browser or device, identifiers associated with your device, and other software, are used for similar purposes. In this policy, we refer to all of these technologies as "cookies." We use cookies if you have a Facebook account, use the Facebook Products, including our website and apps, or visit other websites and apps that use the Facebook Products (including the Like button or other Facebook Technologies). Cookies enable Facebook to offer the Facebook Products to you and to understand the information we receive about you, including information about your use of other websites and apps, whether or not you are registered or logged in. This policy explains how we use cookies and the choices you have. Except as otherwise stated in this policy, the Data Policy will apply to our processing of the data that we collect via cookies.

Why do we use cookies?

Cookies help us provide, protect and improve the Facebook Products, such as by personalising content, tailoring and measuring ads, and providing a safer experience. While the cookies that we use may change from time to time as we improve and update the Facebook Products, we use them for the following purposes:
Authentication
We use cookies to verify your account and determine when you're logged in so we can make it easier for you to access the Facebook Products and show you the appropriate experience and features.
For example: We use cookies to keep you logged in as you navigate between Facebook Pages. Cookies also help us remember your browser so you do not have to keep logging in to Facebook and so you can more easily log in to Facebook via third-party apps and websites.
Security, site and product integrity
We use cookies to help us keep your account, data and the Facebook Products safe and secure.
For example: Cookies can help us identify and impose additional security measures when someone may be attempting to access a Facebook account without authorisation, for instance, by rapidly guessing different passwords. We also use cookies to store information that allows us to recover your account in the event that you forget your password or to require additional authentication if you tell us that your account has been hacked.
We also use cookies to combat activity that violates our policies or otherwise degrades our ability to provide the Facebook Products.
For example: Cookies help us fight spam and phishing attacks by enabling us to identify computers that are used to create large numbers of fake Facebook accounts. We also use cookies to detect computers infected with malware and to take steps to prevent them from causing further harm. Cookies also help us prevent underage people from registering for Facebook accounts.
Advertising, recommendations, insights and measurement
We use cookies to help us show ads and to make recommendations for businesses and other organisations to people who may be interested in the products, services or causes they promote.
For example: Cookies allow us to help deliver ads to people who have previously visited a business's website, purchased its products or used its apps and to recommend products and services based on that activity. Cookies also allow us to limit the number of times that you see an ad so you don't see the same ad over and over again.
We also use cookies to help measure the performance of ad campaigns for businesses that use the Facebook Products.
For example: We use cookies to count the number of times that an ad is shown and to calculate the cost of those ads. We also use cookies to measure how often people do things such as click on or view ads.
Cookies help us serve and measure ads across different browsers and devices used by the same person.
For example: We can use cookies to prevent you from seeing the same ad over and over again across the different devices that you use.
Cookies also allow us to provide insights about the people who use the Facebook Products, as well as the people who interact with the ads, websites and apps of our advertisers and the businesses that use the Facebook Products.
For example: We use cookies to help businesses understand the kinds of people who like their Facebook Page or use their apps so they can provide more relevant content and develop features that are likely to be interesting to their customers.
We also use cookies to help you opt out of seeing ads from Facebook based on your activity on third-party websites. Learn more about the information we receive, how we decide which ads to show you on and off the Facebook Products and the controls that are available to you.
Site features and services
We use cookies to enable the functionality that helps us provide the Facebook Products.
For example: Cookies help us store preferences, know when you've seen or interacted with Facebook Products' content and provide you with customised content and experiences. For instance, cookies allow us to make suggestions to you and others, and to customise content on third-party sites that integrate our social plugins. If you are a page administrator, cookies allow you to switch between posting from your personal Facebook account and the Page.
We also use cookies to help provide you with content relevant to your locale.
For example: We store information in a cookie that is placed on your browser or device so that you will see the site in your preferred language.
Performance
We use cookies to provide you with the best experience possible.
For example: Cookies help us route traffic between servers and understand how quickly Facebook Products load for different people. Cookies also help us record the ratio and dimensions of your screen and windows and know whether you've enabled high-contrast mode, so that we can render our sites and apps correctly.
Analytics and research
We use cookies to better understand how people use the Facebook Products so that we can improve them.
For example: Cookies can help us understand how people use the Facebook service, analyse which parts of the Facebook Products people find most useful and engaging, and identify features that could be improved.
Return to top

Where do we use cookies?

We may place cookies on your computer or device, and receive information stored in cookies, when you use or visit:
  • Products provided by other members of the Facebook Companies; and
  • Websites and apps provided by other companies that use the Facebook Products, including companies that incorporate the Facebook Technologies into their websites and apps. Facebook uses cookies and receives information when you visit those sites and apps, including device information and information about your activity, without any further action from you. This occurs whether or not you have a Facebook account or are logged in.
Return to top

Do other parties use cookies in connection with the Facebook Products?

Yes, other parties may use cookies on the Facebook Products to provide services to us and the businesses that advertise on Facebook. For example, our measurement partners use cookies on the Facebook Products to help advertisers understand the effectiveness of their Facebook advertising campaigns and to compare the performance of those campaigns to ads displayed on other websites and apps. Learn more about the companies that use cookies on the Facebook Products. Third parties also use cookies on their own sites and apps in connection with the Facebook Products. To understand how other parties use cookies, please review their policies.
Return to top

How can you control Facebook's use of cookies to show you ads?

One of the ways we use cookies is to show you useful and relevant ads on and off Facebook. You can control how we use data to show you ads by using the tools described below.
If you have a Facebook account:
  • You can use your ad preferences to learn why you're seeing a particular ad and control how we use information that we collect to show you ads.
  • To show you better ads, we use data that advertisers and other partners provide us about your activity off Facebook Company Products, including websites and apps. You can control whether we use this data to show you ads in your ad settings.
  • The Facebook Audience Network is a way for advertisers to show you ads in apps and websites off the Facebook Company Products. One of the ways Audience Network shows relevant ads is by using your ad preferences to determine which ads you may be interested in seeing. You can control this in your ad settings.
Everyone:
You can opt out of seeing online interest-based ads from Facebook and other participating companies through the Digital Advertising Alliancein the US, the Digital Advertising Alliance of Canada in Canada or the European Interactive Digital Advertising Alliance in Europe or through your mobile device settings. Please note that ad blockers and tools that restrict our cookie use may interfere with these controls.
More information about online advertising:
The advertising companies we work with generally use cookies and similar technologies as part of their services. To learn more about how advertisers generally use cookies and the choices they offer, you can review the following resources:
Browser cookie controls:
In addition, your browser or device may offer settings that allow you to choose whether browser cookies are set and to delete them. For more information about these controls, visit your browser or device's help material. Certain parts of the Facebook Products may not work properly if you have disabled browser cookie use.
Date of Last Revision: 4 April 2018

Decline all Services
Accept all Services