Subject Access Requests Policy

These guidance notes cover the procedures for handling “ Subject Access Requests” and should be read in conjunction with the company’s Privacy Policy
o Section 1: What is a subject access request?
o Section 2: What is an individual entitled to?
o Section 3: Making a subject access request.
o Section 4: How long do we have to comply?
o Section 6: Costs of making a request
o Section 7: Exemptions

Section 1: General – What is a Subject Access Request
The Data Protection Act gives individuals (data subjects) a number of rights including the right to access personal data that an organisation holds about them.
This right of access is commonly referred to as a ‘subject access’ and is designed to give individuals the right to obtain a copy of their personal data as well as other supplementary information.
Its aim is to help individuals understand how and why we are using their data and check that we are doing it lawfully.
It extends to all information held on an individual and includes personnel files, data-bases, interview notes and emails referring to the individual.
If an individual makes a request to view their information, it is known as a “Subject Access Request “.

Section 2: What is an individual entitled to?
Individuals have the right to obtain the following;
• confirmation that we are processing their personal data;
• a copy of their personal data; and
• other supplementary information ~ this largely corresponds to the information that you should provide in a privacy notice.
• An individual is only entitled to their own personal data, and not any information relating to other people
(unless you have permission to do so, the information is also about them or they are acting on behalf of someone).

Section 3 – Making a subject access request
The GDPR does not specify how to make a valid request.
• An individual can make a subject access request to you verbally or in writing. We will provide a standard template document for any requests, but it is not compulsory to use this.
• It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.
• A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.
• Where there are doubts about the identity of the person making the request you can ask for more information.
However, we will only request information that is necessary to confirm their identity. The key to this is proportionality.

How long do we have to comply?
• We will action the subject access request without undue delay and at the latest within one month of receipt, where the request for data is simple.
• We can extend the time to respond by a further two months if the request is complex or if we have received a number of requests from the individual.
We must let the individual know within one month of receiving their request and explain why the extension is necessary.

Section 6: Cost of making a Subject Access Requests
As a rule, we will not charge for completion of a subject access request. We can charge in some circumstances however;
• Where the request is manifestly unfounded or excessive we may charge a “reasonable fee” for the administrative costs of complying with the request.
• We can also charge a reasonable fee if an individual requests further copies of their data following a request. This fee would be nominal to cover the administration costs of providing further data.

There are certain situations where the Company may not be obliged to release information in response to a Subject Access Request.
Examples include:
• Data containing information relating to a third party for which consent to release the information cannot be obtained
• Management forecasts such as plans for redeployment, restructuring, promotions (if they would prejudice conduct of business/activity)
• Information relating to legal proceedings being taken by the company against an individual

The full-service vehicle repair management network
you can count on

Flexible, responsive, innovative - we deliver top-quality repairs FAST