Subject Access Procedure
About This Procedure
This Subject Access Request Procedure sets out Capital IT Resourcing’s procedures in relation to any Subject Access Request which Capital IT Resourcing may receive from a Data Subject.
The Data Protection Manager is responsible for overseeing this procedure. Any questions about the operation of this procedure should be submitted to the DPM.
Receiving A Request
Data Subjects have the right to request access to their personal data processed by Martin and Conley. Such requests are called subject access requests (SARs).
When a Data Subject makes an SAR, Capital IT Resourcing shall take the following steps:
(a) log the date on which the request was received (to ensure that the relevant timeframe of one month for responding to the request is met);
(b) confirm the identity of the Data Subject who is the subject of the personal data. For example, Martin and Conley may request additional information from the Data Subject to confirm their identity;
(c) search databases, systems, applications and other places where the personal data which are the subject of the request may be held; and
(d) confirm to the Data Subject whether or not personal data of the Data Subject making the SAR are being processed.
Capital IT Resourcing shall not usually charge a fee to the Data Subject for carrying out a SAR.
If the SAR is manifestly unfounded or excessive, for example, because of its repetitive character, Capital IT Resourcing may charge a reasonable fee, taking into account the administrative costs of providing the personal data.
Provision of Information
If personal data of the Data Subject are being processed, Capital IT Resourcing shall provide the Data Subject with the following information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in writing or by other (including electronic) means:
(a) the purposes of the processing;
(b) the categories of personal data concerned (for example, contact details, bank account information and details of sales activity);
(c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients overseas (for example, US-based service providers);
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
(e) the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to such processing;
(f) the right to lodge a complaint with the Information Commissioner's Office (ICO);
(g) where the personal data are not collected from the Data Subject, any available information as to their source;
(h) the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject; and
(i) where personal data are transferred outside the EU, details of the appropriate safeguards to protect the personal data.
Capital IT Resourcing shall also, unless there is an exemption, provide the Data Subject with a copy of the personal data processed by Capital IT Resourcing in a commonly used electronic form (e.g. PDF documents), unless the Data Subject either did not make the request by electronic means or has specifically requested not to be provided with the copy in electronic form. Capital IT Resourcing shall usually submit the data to the Data Subject within one month of receipt of the request.
Before providing the personal data to the Data Subject making the SAR, Capital IT Resourcing shall review the personal data requested to see if they contain the personal data of other Data Subjects. If they do, Capital IT Resourcing may redact the personal data of those other Data Subjects prior to providing the Data Subject with their personal data, unless those other Data Subjects have consented to the disclosure of their personal data.
Extending the Time to Respond
If the request is complex, or there are a number of requests, Capital IT Resourcing may extend the period for responding by a further two months. If Capital IT Resourcing extends the period for responding, Capital IT Resourcing shall inform the Data Subject within one month of receipt of the request and explain the reason(s) for the delay.
Refusing A Request
If the SAR is manifestly unfounded or excessive, for example, because of its repetitive character, Capital IT Resourcing may refuse to act on the request.
If Capital IT Resourcing is not going to respond to the SAR, Capital IT Resourcing shall inform the Data Subject of the reason(s) for not taking action and of the possibility of lodging a complaint with the ICO.