Subject Access Request
The following procedure describes individuals’ rights and how to make a Subject Access Request under the Data Protection Act 1998 (DPA), the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA).
Definition of Personal Data
Personal data is information which relates to an individual or refers to the individual. Data refers to an individual if that individual can be identified such as by using their name, identification number, location data or factors specific to the individual such as physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
Examples of Personal Data and/or Information
- Names, plus one or more of the following pieces of information
- Physical addresses and/or zip codes
- Telephone and fax numbers
- Email addresses
- Dates and places of birth
- Social Security numbers
- Driver’s license numbers
- Passport numbers
- Taxpayer ID numbers
- Mother’s maiden names
- Employment information/personnel files
- Racial and ethnic information
- Sexual orientation
- Religious and political beliefs
- Banking and financial information
- Payment card information
- Biometric data (such as fingerprints, retina and scans, voice signature, facial geometry, height and weight)
- Identifying photographic images
- Handwriting/signature samples
- Digital signature
- Educational information
- Medical information and records
- Health insurance information
- IP addresses
- Screen/user names and passwords (with or without formal name)
- Information collected from children
- Product purchase or order history
- Commercial information
- Geolocation data
Definition of Data Subject Under GDPR
Definition of Consumer Under CCPA
The CCPA applies only to information about a consumer. ‘A consumer’ is defined as including a natural person who is a California resident.
Rights Under GDPR
An individual has the right to know what information is held about them. GDPR in the EU provides a framework to ensure that Personal Information is handled properly. This information must be:
- Processed fairly, lawfully and in a transparent manner
- Processed for specific, legitimate and lawful purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than necessary
- Processed in line with an individual’s rights
- Not transferred other than in accordance with agreed terms and conditions
An individual also has the right to request that their information not be transferred to particular countries. If you would like to submit this request please contact email@example.com and/or follow the same process below.
Rights Under CCPA
The CCPA provides consumers (California residents) with specific rights regarding their Personal Information. They have the right to request that we disclose certain information to them about our collection and use of their Personal Information over the past 12 months. Once we receive and confirm their request, we can disclose:
- right to notice
- right to access
- right to opt out (or right to opt in)
- right to request deletion
- right to equal services and prices
Policy on Making a Request
Clements is committed to meeting all reasonable requests for access in accordance with the regulations, while protecting Clements’ intellectual property and respecting the ethos of honest, confidential feedback which forms part of our reputation.
A subject access request is a written request for Personal Information held about you by Clements. You have the right to see what Personal Information we hold about you. You are entitled to be given confirmation as to whether we hold or process your Personal Information, and if so, you are entitled to access all your Personal Information as well as details of:
You can make a Subject Access Request or request to erase your information by submitting the SAR form below. If you are unable to use the form, or would like to send a SAR by email, please send your request to firstname.lastname@example.org. If you prefer emailing, please see Contacting Clements below for a request template you can use.
What Does Clements Do When We Receive Your Request?
Verify your identity. If we have cause to doubt your identity, we will ask for information to verify it. For example, we may ask you for a piece of information held in your records that you might reasonably be expected to know. We cannot disclose Personal Information to anyone other than the individual in question.
Collate information. We will gather any manual or electronically held information and identify any information provided by a third party or which identifies a third party. Third parties – before sharing information that relates to third parties, we will, where possible, anonymize or edit information that might affect another party’s privacy. We may also summarize information rather than provide a copy of the whole document.
Providing a Response
Once any queries around the information requested have been resolved, copies of the information will be sent to you electronically wherever possible or, if this is not technically possible, by post.
Will We Charge a Fee?
We will normally comply with your request at no cost. However, if your data Subject Access Requests are excessive or manifestly unfounded, we will charge £10 to cover the administrative costs involved in dealing with your request. In extreme circumstances, we reserve the right to refuse your requests.
Circumstances in Which Your Request May Be Refused
We may refuse to deal with your Subject Access Request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.
We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with and an explanation of the reason will be provided.
What is the Timeframe for Responding to a SAR?
We have one month (30 calendar days) starting from when we received the information necessary to identify you, to identify the information you requested, and provide you with the information (or explain why we were unable to provide the information). Wherever possible, we will aim to complete the request in advance of the deadline.
If you are unable to use the form on this page, or would prefer to send a SAR by email, please send your request to email@example.com. If you prefer, you can submit a subject access request using the template below. Please add in your specific information in the bolded sections below before emailing it to us:
Dear Sir or Madam
Subject access request
[Your full name and address and any other details to help identify you and the information you want.]
Please supply the information about me I am entitled to under the Privacy Regulations relating to:
[Give specific details of the information you want, for example the period for which you require the information, and/or whether you are requesting deletion of your information.]
If you need any more information from me please let me know as soon as possible.
It may be helpful for you to know that a request for information should be responded to within one month.
If you do not normally deal with these requests, please pass this letter/email to your Privacy manager.