• Privacy
• >
• Subject Access Request

Subject Access Request

Scope

The following procedure describes Individual’s rights and how to make a Subject Access Request under the Data Protection act 1998 (DPA), the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA).

Definition of Personal Data

Personal data is information which relates to an individual or refers to the individual. Data refers to an individual if that individual can be identified such as by using their name, identification number, location data or factors specific to the individual such as physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

Examples of Personal Data and/or Information

• Names, plus one or more of the following pieces of information
• Physical addresses and/or zip codes 
• Telephone and fax numbers
• Email addresses
• Dates and places of birth
• Social Security numbers
• Driver’s license numbers
• Passport numbers
• Taxpayer ID numbers
• Mother’s maiden names
• Employment information/personnel files
• Racial and ethnic information
• Gender
• Sexual orientation
• Religious and political beliefs
• Banking and financial information
• Payment card information
• Biometric data (such as fingerprints, retina and scans, voice signature, facial geometry, height and weight)
• Identifying photographic images
• Handwriting/signature samples
• Digital signature
• Educational information
• Medical information and records
• Health insurance information
• IP addresses
• Screen/user names and passwords (with or without formal name)
• Information collected from children
• Product purchase or order history
• Commercial information
• Geolocation data

Definition of Data Subject Under GDPR

A data subject is a natural person about whom a controller holds personal data and who can be identified, directly or indirectly, by reference to that personal data.

Definition of Consumer Under CCPA

The CCPA applies only to information about a consumer. ‘A consumer’ is defined as including a natural person who is a California resident. 

Rights Under GGPR

An individual has the right to know what information is held about them. GDPR in the EU provides a framework to ensure that Personal Information is handled properly. This information must be:

• Processed fairly, lawfully and in a transparent manner
• Processed for specific, legitimate and lawful purposes
• Adequate, relevant and not excessive
• Accurate and up to date
• Not kept for longer than necessary
• Processed in line with an individual’s rights
• Secure
• Not transferred other than in accordance with agreed terms and conditions

An individual also has the right to request that their information not be transferred to particular countries. If you would like to submit this request please contact compliance@clements.com and/or follow the same process below.

Rights Under CCPA

The CCPA provides consumers (California residents) with specific rights regarding their Personal Information. They have the right to request that we disclose certain information to them about our collection and use of their Personal Information over the past 12 months. Once we receive and confirm their request, we can disclose:

• right to notice
• right to access
• right to opt out (or right to opt in)
• right to request deletion
• right to equal services and prices

Policy on Making a Request

Clements is committed to meeting all reasonable requests for access in accordance with the regulations, while protecting Clements’ intellectual property and respecting the ethos of honest, confidential feedback which forms part of our reputation.

How to Make a Request

A subject access request is a written request for Personal Information held about you by Clements. You have the right to see what Personal Information we hold about you. You are entitled to be given confirmation as to whether we hold or process your Personal Information, and if so, you are entitled to access all your Personal Information as well as details of:

You can make a Subject Access Request or request to erase your information by submitting the SAR form below. If you are unable or would like to send a SAR by email please send your request to compliance@clements.com. If you prefer emailing, please see Contacting Clements below for a request template you can use.

What Does Clements Do When We Receive Your Request?

Verify your identity. If we have cause to doubt your identity, we will ask for information to verify it. For example, we may ask you for a piece of information held in your records that you might reasonably be expected to know. We cannot disclose Personal Information to anyone other than the individual in question.

Collate information. We will gather any manual or electronically held information and identify any information provided by a third party or which identifies a third party. Third parties – before sharing information that relates to third parties, we will, where possible, anonymize or edit information that might affect another party’s privacy. We may also summarize information rather than provide a copy of the whole document.

Providing a Response

Once any queries around the information requested have been resolved, copies of the information will be sent to you electronically wherever possible or, if this is not technically possible, by post.

Will We Charge a Fee?

We will normally comply with your request at no cost. However, If your data Subject Access Requests are excessive or manifestly unfounded we will charge £10 to cover the administrative costs involved in dealing with your request. In extreme circumstances, we reserve the right to refuse your requests.

Circumstances in Which Your Request May Be Refused

We may refuse to deal with your Subject Access Request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.

We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with and an explanation of the reason will be provided.

What is the Timeframe for Responding to a SAR?

We have one month (30 calendar days) starting from when we received the information necessary to identify you, to identify the information you requested, and provide you with the information (or explain why we were unable to provide the information). Wherever possible, we will aim to complete the request in advance of the deadline.

Contacting Clements

If you are unable to use the form on this page, or would prefer to send a SAR by email please send your request to compliance@clements.com. If you prefer, you can submit a subject access request using the template below. Please add in your specific information in the bolded sections below before emailing it to us:

Dear Sir or Madam  

Subject access request  

[Your full name and address and any other details to help identify you and the information you want.]  

Please supply the information about me I am entitled to under the Privacy Regulations relating to:

[give specific details of the information you want, and for what period you require the information for example and/or whether you are requesting deleting of your information]  

f you need any more information from me please let me know as soon as possible.  

It may be helpful for you to know that a request for information should be responded to within one month.  

If you do not normally deal with these requests, please pass this letter/email to your Privacy manager.   

Yours faithfully

[Signature]  

Ongoing Access to Privacy Policy

We will provide a notice of our privacy policy annually, as long as you have a continuing customer relationship with us. This policy may change from time to time, but you can always review our current policy by visiting our Web site at clements.com or request a copy of your information by contacting us at our offices below:

Washington, DC

1220 L Street NW, Suite 1200
Washington, DC 20005

+1.202.872.0060

+1.800.872.0067 info@clements.com

London, UK

The Walbrook Building
25 Walbrook
London, UK EC4N 8AW

+44(0) 33.0099.0100 europe@clements.com

Gibraltar

Unit 243.01
World Trade Center
6 Bayside Road
Gibraltar, GX11 1AA

+00350 57826000

+00350 54716000 europe@clements.com

Dublin, Ireland

Alexandra House
3 Ballsbridge Park
Ballsbridge, Dublin 4
Dublin, D04 C7H2, Ireland

International: +353 1 9645098

In Ireland: +1800 44 99 33 ireland@clements.com

Insights & Resources

Find tips, trends, and perspectives to help you confidently make decisions and navigate challenges internationally with peace of mind. Read how you can live, operate, and manage risks abroad.

View More Resources

International NGO Recruitment Strategies: Attract & Retain the Top Nonprofit Employees

How NGOs Can Hire for Impact and Build a Committed Workforce

Minimizing Risk, Maximizing Impact: Critical Insurance Coverages for NGOs

When you’re running an international nonprofit or NGO of any size, the nonprofit

An Expat’s One-Stop Guide to Driving in Ireland

Steering Through Spuds and Sheep: Tips for Driving, Requirements, Traffic Rules,