Purpose of the policy
The purpose of this document is to outline IJK International’s policy in relation to the management of data subject access requests. A subject access request enables a data subject to gain access to any personal information held about them by IJK. It promotes the right of data subjects to submit a subject access request in order to obtain a copy of such information held about them, in electronic or hard copy form, by IJK, as the data controller. It also outlines the procedure to be followed by data subjects when submitting a data access request to IJK.
Scope of this document
This policy outlines how IJK will meet its legal obligations under the European Union General Data Protection Regulation (GDPR) upon receipt of a data access request.
The Data Subject Access Request Policy is maintained by IJK’s Data Protection Officer (DPO), who is responsible for dealing with all subject access requests received by the organisation. All questions or comments related to this policy or a specific subject access request should be directed to the DPO.
What is personal information?
Personal information is any data, in both physical and electronic form, related to an identified or identifiable person. It includes anything that can be used to identify a person, directly or indirectly, by means of his or her physical, physiological, mental, economic, cultural or social identity.
What is a data subject access request?
A data subject access request is a written or verbal request for personal information (known as personal data) held about you by IJK. Under Article 15 of the GDPR you have, as the data subject, the right to see if HOPE is processing your personal data and receive a copy of the data itself. In particular you have the right to the following information:
1. The data itself in a permanent and intelligible format
2. The purposes of the processing (what are we using your data for?)
3. The categories of personal data concerned (categories such as: name, address, email address, date of birth etc)
4. The recipients or categories of recipient to whom the personal data have been or will be disclosed (are we sharing your information with anyone else?)
5. Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period (how long are we keeping your data?)
6. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing (the right to object to having your data processed, and to have data erased or corrected upon request)
7. The right to lodge a complaint with a supervisory authority (the Irish Data Protection Commissioner or the UK Information Commissioner’s Office)
8. Where the personal data is not collected from the data subject, any available information as to their source (if we didn’t collect the data from you, where did we get it?)
9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
How do you make a subject access request?
To allow us to respond promptly to any data subject access request we ask you to:
• Download the Access Request Form, available here.
• Please complete, sign and date the form and be as specific as possible about the information you wish to access.
• Attach a photocopy of your proof of identity and address to the Access Request Form.
• Send the completed request form, along with the proof of identity and address either electronically to firstname.lastname@example.org.
Use of the Data Subject Access Request Form is not mandatory. However, completing the form should enable us to process your request more efficiently.
What do we do when we receive a valid data subject access request?
We will first check that we have enough information to be sure of your identity. Usually we will have no reason to doubt a person’s identity. However, in rare cases we may request additional evidence we reasonably need to confirm your identity. We do this to ensure that we only disclose information about personal data to the data subject. We will then check that we have enough information to find the records you requested. If we feel we need more information, then we will promptly ask you for this. We will then conduct a full search of all our relevant databases and filing systems and collect all data relevant to the subject access request. Provided that none of the restrictions specified in Article 23 of the GDPR apply, we will then share with you the data and the additional information that you are entitled to. The default position is that you will get a hard copy of the information in a permanent and intelligible format unless the supply of such a copy is not possible or would involve a disproportionate effort, or you have agreed otherwise. Any terms which are not intelligible without an explanation will be accompanied by an explanation. The copy of the requested material will be dispatched by secure, registered delivery, and we will seek timely confirmation from you, as the data subject, on receipt of the material.
Are there any fees payable?
While in most instances there is no charge, we reserve the right, in accordance with Article 12 of the GDPR, to charge a fee or refuse the request if it is considered to be “manifestly unfounded or excessive”. Subsequent copies may incur a reasonable fee based on administrative costs.
How soon will my subject access request be dealt with?
All valid data subject access requests, accompanied by valid proof of identity, received by IJK will be dealt with within 30 days of the latest of the following:
• Our receipt of your request; or
• Our receipt of any further information we may ask you to provide to enable us to comply with your request.
This policy will be reviewed at least annually by the DPO to ensure alignment to appropriate risk management requirements and its continued relevance to current and planned operations, or legal developments and legislative obligations.