- Scope of the Policy
- Individuals have the right to access their personal data and supplementary information.
- The right of access allows individuals to be aware of and verify the lawfulness of the processing.
- What information is an individual entitled to under the GDPR?
Under the GDPR, individuals will have the right to obtain:
- Confirmation that their data is being processed
- Access to their personal data
- Other supplementary information – this corresponds to the information provided in the privacy notice.
They must apply in writing to the nominated person specifying what data or information they wish to see, have removed or information regarding. They must also state the reason why.
- Can I charge a fee for dealing with a subject access request?
We provide a copy of the information free of charge. However, we can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
We may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that you can charge for all subsequent access requests. The fee must be based on the administrative cost of providing the information.
- How long do I have to comply?
Information must be provided without delay and at the latest within one month of receipt.
We will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, you must inform the individual within one month of the receipt of the request and explain why the extension is necessary.
- What if the request is manifestly unfounded or excessive?
Where requests are manifestly unfounded or excessive, in particular because they are repetitive, you can refuse to respond.
Where you refuse to respond to a request, you must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.
- How should the information be provided?
You must verify the identity of the person making the request, using ‘reasonable means’.If the request is made electronically, you should provide the information in a commonly used electronic format.