Policies and Procedures

Subject Access Requests Policy

 

SUBJECT ACCESS REQUESTS POLICY 

 

All Subject Access Requests (SAR’s) must be received in writing and should be forwarded immediately to the Data Control Officer and Clerk. 

 

  1. Upon receipt of a SAR 
    The Data Control Officer will:  

  1. Verify whether Grimoldby and Manby Parish Council are the controller of the data subject’s personal data.  If Grimoldby and Manby Parish Council is not the controller, but merely a processor, Grimoldby and Manby Parish Council will inform the data subject and refer them to the actual controller. 

  1. Verify the identity of the data subject; if needed, request any further evidence on the identity of the data subject. 

  1. Verify the access request; is it sufficiently substantiated? Is it clear to the data controller what personal data is requested? If not: request additional information. 

  1. Verify whether requests are unfounded or excessive (in particular because of their repetitive character); if so, you may refuse to act on the request or charge a reasonable fee. 

  1. Promptly acknowledge receipt of the SAR and inform the data subject of any costs involved in the processing of the SAR. 

  1. Verify whether Grimoldby and Manby Parish Council process the data requested. If it does not process any data, inform the data subject accordingly.  

  1. At all times make sure the internal SAR policy is followed and progress can be monitored. 

  1. Ensure data will not be changed as a result of the SAR. Routine changes as part of the processing activities concerned are permitted. 

  1. Verify whether the data requested also involves data on other data subjects and make sure this data is filtered before the requested data is supplied to the data subject; if data cannot be filtered, ensure that other data subjects have consented to the supply of their data as part of the SAR. 
     

  1. Responding to a SAR 
    The Data Control Officer will:  

  1. Respond to a SAR within one month after receipt of the request. 

  1. If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner within the first month; 

  1. If the council cannot provide the information requested, it should inform the data subject on this decision without delay and at the latest within one month of receipt of the request. 

  1. If a SAR is submitted in electronic form, any personal data should preferably be provided by electronic means as well. 

  1. If data on the data subject is processed, make sure to include as a minimum the following information in the SAR response: 

  1. the purposes of the processing; 

  1. the categories of personal data concerned; 

  1. the recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third countries or international organisations, including any appropriate safeguards for transfer of data, such as Binding Corporate Rules or EU model clauses; 

  1. where possible, the envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period; 

  1. the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; 

  1. the right to lodge a complaint with the Information Commissioners Office (“ICO”); 

  1. if the data has not been collected from the data subject: the source of such data; 

  1. the existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 

  1. Provide a copy of the personal data undergoing processing.  

Last Reviewed June 2024