Subject access requests

Individuals have the right to get a copy of the information that is held about them. This is known as a subject access request (SAR).

This right of subject access means that individuals can make a request under the GDPR to any organisation processing their personal data. The regulation calls these organisations ‘data controllers’.

Individuals can ask the organisation they think is holding, using or sharing the personal information they want, to supply them with copies of both paper and computer records and related information.

There are five different types of SARs that can be made:

  1. Access
  2. Rectification (correction)
  3. Erasure
  4. Data portability (export)
  5. Objection

You can read more about these at the bottom of this page.

When not to send us a request

Do not send us a request if the information held on you, or the person you are representing, is held by a client or supplier of Storm ID Ltd. Data held by our clients and suppliers is their responsibility as the data controller. In these situations, please contact them directly. We will not process requests for data held by our clients or suppliers without a request from the client or supplier being made to Storm ID Ltd.

Do not send us a request if the information held on you, or the person you are representing, is held by online tools used by Storm ID Ltd such as Mailchimp, Google or Facebook. You should make your request directly to them. You can find out more about this in our privacy policy.

If you are a client or supplier of Storm ID Ltd, and you’ve received a SAR from an individual where you are the data controller, that pertains to information that we process on your behalf as the data processor, then you can make a SAR to us.

Please note that manifestly unfounded or excessive requests can be charged for or refused.

Making a request

SARs can be made in any format, but usually by email or post. You can email dataprotection@stormid.com to request a SAR form and send your SAR.

Processing requests

We follow this process when we receive a SAR.

Log request

All requests received need to be logged, and the logs maintained, so that we have a clear audit trail.

For access requests, the log contains:

  • Reference number
  • Title for the request
  • Data subject name
  • Data subject email
  • Verified data subject from supplied ID
  • Request assigned to name
  • Request insertion date
  • Request due date
  • Additional notes
  • Delivery method for response

For correction requests, the log contains:

  • Reference number
  • Title for the request
  • Data subject name
  • Data subject email
  • Verified data subject from supplied ID
  • Request assigned to name
  • Request insertion date
  • Request due date
  • Additional notes
  • Correction definition

For export requests, the log contains:

  • Reference number
  • Title for the request
  • Data subject name
  • Data subject email
  • Verified data subject from supplied ID
  • Request assigned to name
  • Request insertion date
  • Request due date
  • Additional notes
  • Delivery method
  • Delivery format

For objection requests, the log contains:

  • Reference number
  • Title for the request
  • Data subject name
  • Data subject email
  • Verified data subject from supplied ID
  • Request assigned to name
  • Request insertion date
  • Request due date
  • Additional notes
  • Personal data
  • Processing type
  • Reason

For erasure requests, the log contains:

  • Reference number
  • Title for the request
  • Data subject name
  • Data subject email
  • Verified data subject from supplied ID
  • Request assigned to name
  • Request insertion date
  • Request due date
  • Additional notes
  • Notify applicable controllers, processors and sub processors
  • Reason

This information is kept for audit and legal purposes, should there be a dispute.

We also keep SAR documents such as the form and supplied personal ID throughout the request process, but these are destroyed when the request has been completed.

Store information in a secure location

All information received from people making SARs will be kept in a secure location. If the information is in electronic format, it will be encrypted and stored in a location with restricted access. If the information is paper based, it will be stored in a locked location with restricted access.

Review request

All requests will be reviewed to determine the nature of the request and estimate the work involved.

If the request is complex we can inform the individual that we will need more time, and we should provide them with an estimate for completing the work.

If the request is for a client or supplier, or is manifestly unfounded or excessive, or if insufficient information is provided, we can refuse it.

Review personal ID

All requests must be accompanied by sufficient personal ID so that we can be satisfied that the originator of the request is who they say they are.

To confirm an individual’s identity, we need to see copies of two pieces of identification – one from List A and one from List B.

List A, photocopy or scan from one of:

  • Passport
  • Photo driving licence
  • National Identity card
  • Child under 16: full Birth Certificate
  • Child under 16: Court Order(s)

List B, photocopy or scan from one of:

  • A letter sent to you by Storm ID Ltd
  • Utility bill showing current home address
  • Bank statement showing current home address

If insufficient personal ID is provided, we must refuse the request.

Acceptance or refusal

Acceptance

If the decision is taken to accept the request the following process must be followed.

Provide estimate for completion: An initial review of the request should be made without delay and at least within two weeks of the request, and an acknowledgement sent back to the originator outlining our estimate for completing the work and giving them a reference number. Estimates must be provided within two weeks of receiving the request, and the work should be completed within one month.

Provide revised timelines: If the work is going to be excessive or complex, we should inform the originator of our requirement for more time.

Request payment for excessive or complex requests: If the work is going to be excessive or complex, we should inform the originator of our fee for completing the work.

Refusal

If we are refusing a request we must provide a response, outlining our reasons for refusing the request.

Close the request

Once the request has been completed, or has been refused, we must inform the originator of the request that we now consider the request closed, and that if they want to make another request they can do so, but we will consider it a new request.

We must also:

  • return any paper-based correspondence received
  • destroy any electronic information received
  • update the log

Helping the processing of subject access requests

You do not have to tell us your reason for making the request or what you intend to do with the information requested, although it may help us to find the relevant information if you do explain the purpose of the request.

Identifying relevant records for the data subject will be easier if you can provide us with specific information about your relationship (employee, supplier, client) with Storm ID Ltd and the names of any applications or subjects of any communications you have had with Storm ID Ltd.

What information do we hold?

Storm ID Ltd holds information relevant to the conduct of its business and functions which will include, but is not limited to, personal information about employees, job applicants, suppliers, clients and marketing targets. However, some data may have been reviewed and destroyed where appropriate in accordance with our information retention policies.

Data belonging to a spouse, child or via power of attorney

A spouse and any children aged 16 or over should each complete their own application form and enclose their own Form of Authority/ID.

If making a request for a child under 16 years of age or if you have a power of attorney from a friend or relative or you are a litigation friend, you must sign the form as the representative. Proof of parental responsibility, for example, a birth certificate or proof of the power of attorney/litigation friend must be provided in addition to the subject’s own identification. We may ask for further documentation if necessary.

Using a representative

A representative is usually a legal company who has been employed by you to deal with your legal matters. Organisations such as charities and advice centres can also be considered as representatives. In addition, anyone helping a friend or relative make a SAR because they are unable to take care of their own matters is also considered to be their representative.

In all these instances, except if the applicant is a child or you have power of attorney, Section 4 of the form must be signed by the person whose information is being requested. Please note that the date the authority is signed must be no more than six months older than the date the SAR is submitted.

Identification

We must verify the identity of the individual, and in some cases, the individual’s representative making the request, using “reasonable means”.

A SAR must include a copy of photo identification. This must be certified by a solicitor; barrister; legal executive; any other commissioner for oaths; or a registered charity. This should be certified with the words: “I certify that this is a true likeness of Mr/Mrs/Miss/Ms (full name)” and include the name, date and signature of the person certifying the photo.

To confirm people’s identities, we need to see copies of two pieces of identification – one from List A and one from List B.

List A, photocopy or scan from one of:

  • Passport
  • Photo driving licence
  • National Identity card
  • Child under 16: full Birth Certificate
  • Child under 16: Court Order(s)

For a child under 16 years of age we’ll need to see copies of all Court Orders.

List B, photocopy or scan from one of:

  • A letter sent to the individual by Storm ID Ltd
  • Utility bill showing current home address
  • Bank statement showing current home address

Please advise us if the request relates to a person who is currently in detention, and/or if s/he is considered to be a vulnerable person, and if, as a result of those particular circumstances, any difficulties are anticipated in providing the above.

Processing time

Once we are satisfied that you meet the criteria for disclosure of data under the General Data Protection Regulation, and have provided sufficient information, you should receive a response within 28 days from the date that we accept your application for processing. However, we aim to provide you with an initial response and time estimate within 14 days of receiving your request.

Records may be held in several different locations in paper and electronic formats. If you only require specific information and you clearly state what that is – for example a specific document or application user data – then you are likely to get a quicker disclosure.

The form for making SARs includes a section for giving details if you need a disclosure by a certain date. No guarantee can be given that a disclosure will be completed by that date, but we will endeavour to comply with reasonable requests for expedited action.

Where to send requests

Please send your request and proof of identity by email to dataprotection@stormid.com.

You can also send requests by post to:

Data Protection Officer
Storm ID Ltd
Leith Assembly Rooms
43 Constitution Street
Edinburgh
EH6 7BG

What happens next?

If your request is valid we will acknowledge your request in writing and provide you with a reference number relating to your SAR and start processing your records.

If your request is valid but we are unable to identify you, we will advise you of this and close your request. We will also return your request along with any enclosures.

If you have sent us an invalid request - e.g. because you have not provided an original signature - then we will return your request along with any enclosures and advise you why your application has been rejected.

General notes

  • If a request does not mention the GDPR specifically or even say that it is a SAR, it is nevertheless valid if it is clear that you are asking for your own personal data, or the data of a person who you are representing
  • We will not acknowledge your application in writing, but we will provide you with a reference number when we write to you
  • When we process information requests for children aged 16 or over and spouses, we require their signature of authority before disclosing data - a separate application form should be completed for each individual
  • The documents that you receive may have data redacted (blacked-out) or contain rough notes that may lack clarity
    • This is because we aim to supply copies of the original records whenever possible
    • As some records may also include third party information that we cannot release to you under the General Data Protection Regulation, e.g. another person’s data, this is removed
  • The portable format for any data you wish to copy or transfer from us will be in encrypted CSV format
  • We will not disclose information by fax or telephone
  • Disclosure by post is usually made by first class post to the address you provide or, if appropriate, to your representative

Types of SAR

There are five types of SAR:

  1. Access
  2. Rectification (correction)
  3. Erasure
  4. Data portability (export)
  5. Objection

Each of these has its own requirements and rules for dealing with that particular type of request.

1. Access - accessing the data we hold

Under the GDPR, individuals will have the right to obtain:

  • confirmation that their data is being processed
  • access to their personal data
  • other supplementary information – this largely corresponds to the information we provide in our privacy notice (see Article 15)

Purpose

The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of and can verify the lawfulness of the processing (Recital 63).

Charging a fee

We must provide a copy of the information free of charge. However, we can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the same information.

The fee will be based on the administrative cost of providing the information.

Compliance time

Information will be provided without delay and at the latest within one month of receipt.

We will be able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Manifestly unfounded or excessive requests

Where requests are manifestly unfounded or excessive, in particular because they are repetitive, we can either:

  • charge a reasonable fee taking into account the administrative costs of providing the information
  • refuse to respond.

Where we refuse to respond to a request, we will explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

How the information should be provided

If the request is made electronically, we will provide the information in a commonly used electronic format.

Requests for large amounts of personal data

Where we process a large quantity of information about an individual, we will ask the individual to specify the information the request relates to (Recital 63).

There is no exemption for requests that relate to large amounts of data, but we may be able to consider whether the request is manifestly unfounded or excessive.

Summary

  • We will respond without delay and within one month of a request being made
  • We will not charge a fee for responding to a request, unless it is deemed to be manifestly unfounded or excessive, or it is a request for further copies
  • We will provide information in a commonly used electronic format

2. Rectification (correction) - correcting the information we hold

Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.

If we have disclosed the personal data in question to third parties, we must inform them of the rectification where possible. We must also inform the individuals about the third parties to whom the data has been disclosed where appropriate.

Compliance time

We must respond within one month.

This can be extended by two months where the request for rectification is complex.

Where we are not taking action in response to a request for rectification, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy.

3. Erasure - destroying all or part of the information we hold

The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

When the right to erasure applies

The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed
  • When the individual withdraws consent
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR)
  • The personal data has to be erased in order to comply with a legal obligation
  • The personal data is processed in relation to the offer of information society services to a child

There are some specific circumstances where the right to erasure does not apply and we can refuse to deal with a request.

Refusing to comply with a request for erasure

We can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation or for the performance of a public interest task or exercise of official authority;
  • for public health purposes in the public interest;
  • archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
  • the exercise or defence of legal claims

Children’s personal data

There are extra requirements when the request for erasure relates to children’s personal data.

If we process the personal data of children, we will pay special attention to existing situations where a child has given consent to processing and they later request erasure of the data (regardless of age at the time of the request), especially on social networking sites and internet forums. This is because a child may not have been fully aware of the risks involved in the processing at the time of consent (Recital 65).

Telling other organisations about the erasure of personal data

If we have disclosed the personal data in question to third parties, we must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.

There may be instances where we may not be required to comply with this provision because an exemption applies.

Summary

  • Individuals can request this in specific circumstances, such as when consent is withdrawn
  • Erasure can be refused in specific circumstances, such as when the data would be required for legal or compliance purposes
  • There are extra requirements when the request for erasure relates to children’s personal data
  • We must inform third parties that we have shared the subject’s information with, so that they can make erasures
  • We must do this free of charge

4. Data portability (export) - copying data so it can be used across different services

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.

When the right to data portability applies

The right to data portability only applies:

  • to personal data an individual has provided to a controller
  • where the processing is based on the individual’s consent or for the performance of a contract
  • when processing is carried out by automated means

How we comply

We must provide the personal data in a structured, commonly used and machine readable form. Open formats include CSV files. Machine readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.

The information must be provided free of charge.

If the individual requests it, we may be required to transmit the data directly to another organisation if this is technically feasible. However, we are not required to adopt or maintain processing systems that are technically compatible with other organisations.

If the personal data concerns more than one individual, we must consider whether providing the information would prejudice the rights of any other individual.

Compliance time

We will respond without undue delay, and within one month.

This can be extended by two months where the request is complex or we receive a number of requests. We must inform the individual within one month of the receipt of the request and explain why the extension is necessary.

Where we are not taking action in response to a request, we must explain why to the individual, informing them of their right to complain to the supervisory authority and to a judicial remedy without undue delay and at the latest within one month.

Summary

  • We must provide information in a structured, commonly used machine-readable format
  • We must provide this information free of charge and within one month
  • If the request is complex or excessive and we need more time, we must inform the individual of the extension within one month
  • We must consider if the information we are providing might prejudice the rights of another individual

5. Objection - objecting to the processing of data

Individuals have the right to object to:

  1. processing based on legitimate interests or the performance of a task in the public interest or exercise of official authority (including profiling)
  2. direct marketing (including profiling)
  3. processing for purposes of scientific and historical research and statistics

How we comply

1. Processing personal data for the performance of a legal task or our legitimate interests

Individuals must have an objection on “grounds relating to his or her particular situation”.

We must stop processing the personal data unless:

  • we can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
  • the processing is for the establishment, exercise or defence of legal claims.

We must inform individuals of their right to object “at the point of first communication” and in our privacy notice.

2. Processing personal data for direct marketing purposes

We must stop processing personal data for direct marketing purposes as soon as we receive an objection. There are no exemptions or grounds to refuse.

We must deal with an objection to processing for direct marketing at any time and free of charge.

We must inform individuals of their right to object “at the point of first communication” and in our privacy notice.

3. Processing personal data for research purposes

Individuals must have “grounds relating to his or her particular situation” in order to exercise their right to object to processing for research purposes.

If we are conducting research where the processing of personal data is necessary for the performance of a public interest task, we are not required to comply with an objection to the processing.

4. Processing activities that fall into any of the above categories and are carried out online

We must offer a way for individuals to object online. Please email dataprotection@stormid.com to request a form.

Summary

  • We must stop processing personal data for direct marketing purposes as soon as we receive an objection
  • There are no exemptions or grounds to refuse
  • We must deal with an objection to processing for direct marketing at any time and free of charge
  • We must inform individuals of their right to object “at the point of first communication” and in our privacy notice.