Data Subject Request Received
Log Data Subject Request
Confirm Data Subject’s Identity
Evaluate Validity of Request
Charge For Request
Compile Requested Information
Take Requested Action/Provide Information
Close Data Subject Request
The data subject submits a request via one of a number of methods, including electronically (via email or via our website), by letter or on the telephone. This may be received by any part of the organization but should ideally be channelled through People Operations (Human Resources). A Data Subject Request Form is available for this purpose.
Log data subject request The fact that the request has been received is logged in the Data Subject Request Register and the date of the request recorded.
The identity of the data subject is confirmed via an approved method. More information may be requested to confirm identity if required. If the identity of the data subject cannot be confirmed, the request is rejected and the reason for this communicated
to the data subject.
Evaluate validity of request. The test of whether the request is “manifestly unfounded or excessive” is applied. A decision is made whether to reject the request or apply a charge to it. If the request is for rectification, erasure, restriction of or is an objection to processing, a decision is made about whether the request is reasonable and lawful. If not, the request is rejected, and the data subject informed of the decision and their right to complain to the supervisory authority.
Charge for request. If a charge is applied, the data subject is informed of the charge and has an opportunity to decide whether or not to proceed. If the data subject decides not to proceed, the request is rejected and the reasons communicated to the data subject.
The relevant information is compiled according to the type of request. This may involve planning how the requested action (e.g., erasure or restriction of processing) will be achieved. A maximum of one month is permitted to address the request; if the request will take more time, then a maximum of two further months are allowed, and the data subject must be informed of the delay and the reasons for it within one month of the request being submitted.
The requested action is carried out (if applicable) and the information requested is provided to the data subject electronically, if that is the preferred method, or via other means.
The fact that the request has been responded to is logged in the Data Subject Request Register together with the date of closure.