Data subject access request procedure
Last revision on March 26, 2024
1. Purpose
This procedure sets out the key features regarding handling or responding to requests for access to personal data made by data subjects to Random Team in the context of the EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).
2. Scope
This procedure applies to employees of Random Team that handle data subject access requests.
3. Data Subject Access Request
A Data Subject Access Request (DSAR) is any request made by an individual or an individual’s legal representative for information held by Random Team about that individual. The Data Subject Access Request provides the right for data subjects to see or view their own personal data as well as to request copies of the data.
A Data Subject Access Request must be made in writing, and can be made via any of the following methods: email, post, corporate website or any other method.
4. The Rights of a Data Subject
The rights to data subject access include the following:
Know whether a data controller holds any personal data about them.
Receive a description of the data held about them and, if permissible and practical, a copy of the data.
Be informed of the purpose(s) for which that data is being processed, and from where it was received.
Be informed whether the information is being disclosed to anyone apart from the original recipient of the data; and if so, the identity of those recipients.
The right of data portability. Data subjects can ask that their personal data be transferred to them or a third party in machine readable format (Word, PDF, etc.). However, such requests can only be fulfilled if the data in question is: 1) provided by the data subject to Random Team, 2) is processed automatically and 3) is processed based on consent or fulfilment of a contract.
If the data is being used to make automated decisions about the data subject, to be told what logic the system uses to make those decisions and to be able to request human intervention.
Random Team must provide a response to data subjects requesting access to their data within 30 calendar days of receiving the Data Subject Access Request unless local legislation dictates otherwise.
5. Requirements for a valid DSAR
In order to be able to respond to the Data Subject Access Requests in a timely manner, the data subject should provide Random Team with sufficient information to validate his/her identity (to ensure that the person requesting the information is the data subject or his/her authorized person).
6. DSAR Process
Upon receipt of a DSAR, Random Team staff will acknowledge the request. The requestor may be asked to complete a Data Subject Access Request Form to better enable Random Team to locate the relevant information.
Random Team staff needs to check the identity of anyone making a DSAR to ensure information is only given to the person who is entitled to it. If the identity of a DSAR requestor has not already been provided, the person receiving the request will ask the requestor to provide two forms of identification, one of which must be a photo identity and the other confirmation of address.
If the requestor is not the data subject, written confirmation that the requestor is authorized to act on behalf of the data subject is required.
Upon receipt of the required documents, if Random Team staff is reasonably satisfied with the information presented, the requestor will be notified in writing that his/her DSAR will be responded to within 30 calendar days. The 30 day period begins from the date that the required documents are received.
Relevant department(s) will be asked for the required information as requested in the DSAR. This may also involve an initial meeting with the relevant department to go through the request, if required.
The Data Protection Officer will provide the finalized response together with the information retrieved from the department(s), and will ensure that a written response will be sent back to the requestor. This will be via email, unless the requestor has specified another method by which they wish to receive the response (e.g. post).
After the response has been sent to the requestor, the DSAR will be considered closed and archived by the Data Protection Officer.
7. Responsibility
The overall responsibility for ensuring compliance with a DSAR rests with the Data Protection Officer.
If Random Team acts as a data controller towards the data subject making the request then the DSAR will be addressed based on the provisions of this procedure.
If Random Team acts as a data processor the Data Protection Officer will forward the request to the appropriate data controller on whose behalf the Company processes personal data of the data subject making the request
Last updated