DSAR Policy
Please be sure to read the Data Subject Access Request Policy to understand how we will process your request. A Data Subject Access Request (DSAR) is a written request made by or on behalf of an individual for the Personally Identifiable Information which is held by the Company. GDPR entitles all individuals to make requests for their own personal data to enable them to verify the lawfulness of how their information is being processed.
How to make a request?
The request does not have to be in any particular form other than in writing and it may not include the words ‘subject access’ or reference data protection / GDPR.
The request should be submitted to our HR team.
What is our process?
Upon receipt of a DSAR, we will contact you with a Data Subject Access Request form for you to complete. Please complete this and return at your earliest convenience.
We must confirm your identity. Two forms of valid ID must be presented at one of our office locations. The ID must include 1 form of photographic ID and 1 form of ID that details a current address. Documents that are invalid will not be accepted. Examples of invalid documents include expired passports / driving licences or documents that do not detail a current address. Copies of the identification will be taken and stored with the Subject Access Request form.
Once your identity has been verified, Drees & Sommer UK have 30 days to compile all personal data stored on our systems. Should the collation of your personal data be extensive we may extend the 30-day timeframe. The Company can extend this period by up to 3 months of the request being actioned.
Subject Access Requests are normally free of charge, however, where the Company finds the request to be manifestly unfounded or excessive we may charge you a reasonable fee for the administrative costs of complying with your request. Upon the completion of the collation of personal data we will present the information in your requested format. It is your responsibility to collect the requested personal data from our offices. You will be required to sign a receipt upon collection of the data.
Retention Periods
The data provided on a Subject Access Request form will be transferred onto the Subject Access Request register, where it will be held indefinitely. Drees & Sommer UK will also take copies of identification documents which will be stored on our secure network along with the request form for a period of 12 months. This data is held as evidence of compliance should an enquiry be raised with the Information Commissioner’s Office.
Exceptions
Not all DSAR’s can be actioned. Personal Data may be exempt because of its nature or because the effect its disclosure is likely to have (e.g. legal proceedings). There are also other restrictions on disclosing information in response to a DSAR, for example where this would involve disclosing information about another individual. (e.g. CCTV footage that clearly reveals another person’s identity).
Complaints
If it is believed that the Company has not complied with data protection rights, a complaint can be raised to the Information Commissioner’s Office.
Further information regarding Data Subject Access Requests can be found on the ICO’s website.