Data Subject Access Request Procedure

• General Data Protection Regulation (GDPR): the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union, and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside of the EU.
• Data Controller: the entity that determines the purposes, conditions, and means of the processing of personal data.
• Data Processor: the entity that processes data on behalf of the Data Controller.
• Data Protection Authority: national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the EU.
• Data Protection Officer (DPO): an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR.
• Data Subject: a natural person whose personal data is processed by a controller or processor.
• DSAR: data subject access request.
• Personal Data: any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify a person.
• Processing: any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
• Profiling: any automated processing of personal data intended to evaluate, analyses, or predict data subject behavior.
• Regulation: a binding legislative act.
• Subject Access Right: also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.

This procedure establishes an effective, accountable, and transparent framework for ensuring compliance with the requirements for Computools LLC (further: “Company”) by the GDPR.
The GDPR entitles individuals to request access to any personal data that the Company is holding about them. This is known as a Data Subject Access Request (DSAR).
A DSAR is where an individual, using their rights under GDPR, makes a request for a copy of the personal data (email, post, corporate website, or any other method) the Company holds on them, or details of what data is held and its source.
This procedure defines the process to be followed when a request for access to personal data is received and responding to a DSAR.

This procedure can be submitted by anyone whose personal data the Company is processing. This applies to anyone, including employees, customers, clients, partners, contractors, etc. The Company is obligated to provide confirmation that they are processing personal data, a copy of personal data, and other information including:

• Purpose of personal data processing;
• Third-parties with whom the organization is sharing personal data, if any;
• Categories of personal data the organization is processing;
• Source of data, (if the data is not collected from the individual);
• Data retention period or for how long the Company will keep data;
• Information about automated decision-making (including profiling);
• Information about their GDPR rights.

Under the GDPR, the Company is required to respond to subject access requests within 30 calendar days. That deadline may be extended by two further months where necessary if the request is complex or if the Company has received more than one request from an individual.

3.1. Request

Upon receipt of a DSAR, the DPO will acknowledge the request. The requestor may be asked to complete a DSAR Form to better enable the Company to locate the relevant information.

• Requests must be made in writing.
• The statutory response time is 30 calendar days.
• Requests should include the full name, date of birth, and address of the person seeking access to their information. To comply with GDPR, information relating to the individual must only be disclosed to them or someone with their written consent to receive it.
• No fee can be charged for providing information in response to a DSAR, unless the request is ‘manifestly unfounded or excessive, in particular, because it is repetitive. If the Company receives a request that is manifestly unfounded or excessive, it will charge a reasonable fee taking into account the administrative costs of responding to the request.

3.2. Identity verification

The DPO needs to check the identity of anyone making a DSAR to ensure information is only given to the person who is entitled to it. If the identity of a DSAR requestor has not already been provided, the person receiving the request will ask the requestor to provide two forms of identification, one of which must be a photo identity and the other confirmation of address.
If the requestor is not the data subject, written confirmation that the requestor is authorized to act on behalf of the data subject is required.

3.3. Information for DSAR

Upon receipt of the required documents, the person receiving the request will provide the DPO with all relevant information in support of the DSAR. Where the DPO is reasonably satisfied with the information presented by the person who received the request, the DPO will notify the requestor that his/her DSAR will be responded to within 30 calendar days. The 30 day period begins from the date that the required documents are received. The requestor will be informed by the DPO in writing if there will be any deviation from the 30-day timeframe due to other intervening events.

3.4. Review of Information

The DPO will contact and ask the relevant department(s) for the required information as requested in the DSAR. This may also involve an initial meeting with the relevant department to go through the request if required. The department which holds the information must return the required information by the deadline imposed by the DPO and/or a further meeting is arranged with the department to review the information. The DPO will determine whether there is any information that may be subject to an exemption and/or if consent is required to be provided from a third party.

3.5. Response to Access Requests

The DPO will provide the finalized response together with the information retrieved from the department(s) and/or a statement that the Company does not hold the information requested, or that an exemption applies. The DPO will ensure that a written response will be sent back to the requestor. This will be via email unless the requestor has specified another method by which they wish to receive the response (e.g. physical mail). The Company will only provide information via channels that are secure. When hard copies of information are sent physically, they will be sealed securely and sent by recorded delivery.

3.6. Archiving

After the response has been sent to the requestor, the DSAR will be considered closed and archived by the DPO.
Records of communications relating to a subject access request will be retained by the Company.

3.7. Exemptions

An individual does not have the right to access information recorded about someone else, unless they are an authorized representative, or have parental responsibility.
The Company is not required to respond to requests for information unless it is provided with sufficient details to enable the location of the information to be identified and to satisfy itself as to the identity of the data subject making the request.
The Company will not normally disclose the following types of information in response to a DSAR:

• Information about other people – a DSAR may cover information that relates to an individual or individuals other than the data subject. Access to such data will not be granted unless the individuals involved consent to the disclosure of their data.
• Repeat requests – where a similar or identical request in relation to the same data subject has previously been complied with within a reasonable time period, and where there is no significant change in personal data held in relation to that data subject, any further request made within a six month period of the original request will be considered a repeat request, and the Company will not normally provide a further copy of the same data.
• Publicly available information – The Company is not required to provide copies of documents that are already in the public domain.
• Opinions given in confidence or protected by law – The Company does not have to disclose personal data held in relation to a data subject that is in the form of an opinion given in confidence or protected by law. Privileged documents – Any privileged information held by the Company need not be disclosed in response to a DSAR. In general, privileged information includes any document which is confidential (e.g. a direct communication between a client and their lawyer) and is created for the purpose of obtaining or giving legal advice.
• If the information is kept only for the purpose of statistics or research, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved. Requests made for other, non-data protection, purposes.
• Vexatious requests.

If the DPO refuses a DSAR, the reasons for the rejection must be clearly set out in writing. Any individual dissatisfied with the outcome of their DSAR is entitled to make a request to the Company to review the outcome or to the Data Protection Regulator.

4.1 Compliance, monitoring, and review

The overall responsibility for ensuring compliance with the requirements of the related legislation in relation to performing subject access rights at the Company rests with the DPO.
If the Company acts as a data controller towards the data subject making the request then the DSAR will be forwarded by a Protection Officer to the appropriate data controller who processes personal data related to the data subject making the request on the Company’s behalf.
All operating units’ staff that deal with personal data are responsible for processing this data in full compliance with the relevant Company policies and procedures.

4.2 Records management

The Company has to maintain all records relevant to administering this policy and procedure in electronic form in a recognized Company recordkeeping system.

Any individual may provide feedback and suggestions about this document by contacting the Company.

This document is valid as of December 2021. The owner of this document is the Company.