Data Subject Access Request
Under the General Data Protection Regulation (“GDPR”) data subject’s (individuals) have the right to make a Data Subject Access Request (“DSAR”).
Who can make a Data Subject Access Request?
DSARs are usually made directly by the data subject about whom the personal data relates. However, third parties may make requests on your behalf, if they are:
- a parent/guardian of a data subject who is a child;
- an attorney or responsible person for a data subject who does not have mental capacity; or
- a legal or other representative acting on behalf of the data subject.
In the above cases and before the request is processed, Apex will request the third party to provide sufficient documentation demonstrating the right and entitlement to make such request to act on your behalf.
What can be requested in a DSAR?
Under GDPR data subjects can exercise the following rights:
- You are able to request:
- a copy of your personal information processed by Apex;
- details of how Apex legally processes your personal information, including details of any data transfers and retention periods;
- that we rectify your personal data;
- that we erase your personal data, under certain circumstances;
- that we restrict the processing of your personal data, under certain circumstances;
- that we transfer your personal data to another organisation, electronically, under certain circumstances;
- You are able to Object to:
- the processing of your personal data, under certain circumstances.
In respect of a DSAR:
- In most circumstances, the information requested will be provided free of charge.
- Apex will have the right to charge a “reasonable fee” where a request is manifestly unfounded, excessive or repetitive. This fee will be based on the administrative cost of providing the information.
- Apex will reject the DSAR in cases where the request is considered unfounded, excessive or not in scope of the GDPR data subject rights.
- The DSAR will be reviewed, assessed and processed without delay and in any event within a month of receipt.
- Where requests are complex or numerous, Apex may extend the timeframe for responding to three months. However, an acknowledgment of the received DSAR will be provided to you within one month of receipt.
In order to make a formal, valid Data Subject Access Request, you will be required to:
- make the request in writing (letter or email);
- provide a suitable contact postal address and/or email address ;
- provide two forms of identification, such as a photocopy of your passport or national Identification card [and a recent bill (water supply, electricity bill, phone landline, etc.) not older than 3 months].
Apex will not be able to process your request if the above information is not provided. To help simplify this process, Apex has produced a Data Subject Access Request Form (below).
Once you have completed the form, please send your request to the following email address and mark it for the attention of the Data Protection Officer:
Email: [email protected]
Subject: Data Protection Officer – DSAR Form
If you have difficulties completing the form or wish to enquire further about any of the above mentioned processes and/or rights, please contact us on: [email protected]