1.1 To comply with the Data Subject rights under the GDPR, SRS Group Holdings Ltd needs to ensure that all access requests are dealt with consistently and in accordance with the timeframes stipulated under the GDPR.
1.2 Infringements of any of the basic principles for processing, or a failure to comply with the rights of Data Subjects under the GDPR, may attract administrative fines of up to €20,000,000 or 4% of the organisation’s total worldwide annual turnover for the preceding financial year, whichever is greater.
1.3 This policy is designed to enable the Employees of SRS Group Holdings Ltd to deal promptly with requests from Customers and staff, including former employees of SRS Group Holdings Ltd. The GDPR provides the following rights for individuals:
. the right to obtain information regarding the processing of their data
. the right of access (Data Subject Access Requests, DSARs or SARs)
. the right to rectification
. the right to erasure, also known as ‘the right to be forgotten’
. the right to restrict processing
. the right to data portability
. the right to object
. the right not to be subject to a decision evaluating personal aspects, based solely on automated processing.
2. Policy Statement
2.2 This policy is designed to reflect best practice in adhering to the fairness and transparency principle of the GDPR, ensuring that information is provided in a concise, transparent, intelligible and easily accessible way, in clear and plain English or any other applicable language. Full implementation of this policy will enable SRS Group Holdings Ltd to:
. comply with its legal obligations under the GDPR
. enable Data Subjects to verify that the information held about them is accurate and up to date
. increase levels of confidence and trust by remaining open and honest with Data Subjects regarding the information held by SRS Group Holdings Ltd.
3. Territorial Scope Of The GDPR And This Policy
3.1 The GDPR applies from 25 May 2018 and replaces the Data Protection Directive 95/46/EC. The new regulation is designed to harmonise data privacy laws across Europe, protecting and empowering all individuals in the EU (not only EU citizens) and realigning the way organisations approach data protection.
3.2 The UK implementation of the GDPR (the Data Protection Act 2018) creates an offence of altering, concealing or destroying records with the intention of preventing the disclosure of information in response to a DSAR made by an individual. This offence applies to all Data Controllers and Processors and carries a maximum penalty of an unlimited fine.
4. What Is Personal Data?
4.1 The GDPR expands on the Data Protection Act (DPA). Under Article 4(1) of the GDPR, Personal Data means any information relating to an identified or identifiable natural person (Data Subject); an identifiable person is one who can be identified, directly or indirectly.
4.2 The definition includes reference to an identifier such as a name, identification number, location, online identifier or to one or more factors specific to the physical, physiological, genetic, biometric, mental, economic, cultural or social identity of that natural person.
4.3 Unique identifiers that enable Data Subjects to be singled out for the purpose of tracking user behaviour while browsing on different websites are Personal Data. In certain circumstances, IP addresses and mobile device IDs may also be classed as Personal Data.
5. Responsibilities And Definitions
Customer(s) Include(s) any of SRS Group Holdings Ltd’s past, current or prospective donors, supporters, and contacts.
Data Controller Data Controller is an entity that determines the purposes, conditions and means of the processing of Personal Data. Controllers have a legal obligation to give effect to the rights of Data Subjects. This includes the obligation to ensure that the rights of the individual are upheld at all times.
Data Processor A natural or legal person, public authority, agency or any other body which processes Personal Data on behalf of the Controller organisation.
Data Processors are obliged to act only under the instructions of the Data Controller, comply with the Controller’s obligations and assist Data Controllers with regard to Data Subjects’ rights and handling requests.
Data Subject The Data Subject is a living individual who is the subject of the Personal Data.
If the Controller cannot identify the Data Subject from the data which is in its possession, the Controller is exempt from the application of certain rights of that Data Subject.
Employee(s) An individual who works part-time or full-time for SRS Group Holdings Ltd under a contract of employment, whether oral or written, express or implied, and has recognised rights and duties. Includes temporary employees, interns and independent contractors.
Relevant Filing System Information about a Data Subject which is held (including in a manual, non-automated filing system) in a sufficiently systematic, structured way as to allow ready access to specific information about that Data Subject.
Third Country Any country not recognised as having afforded an adequate level of legal protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
6. The Right Of Access: Data Subject Access Request (DSAR)
6.1 A DSAR is a request for personal information that SRS Group Holdings Ltd may hold about a Data Subject.
6.2 Data Subjects have the right under the GDPR to establish whether SRS Group Holdings Ltd processes information relating to them, and to access and obtain a copy of that data, together with certain additional information about the Processing, within the statutory timeframe (see 13.4).
6.3 Data Subjects have the right to:
. obtain confirmation as to whether their Personal Data is being processed
. if so, obtain access to the Personal Data and the information listed in Article 15(1) of the GDPR.
6.4 Supplemental information that must be supplied by SRS Group Holdings Ltd includes the following:
. the purposes of the Processing (e.g. processing a donation)
. the categories of data being Processed (e.g. name, address etc.)
. whom the data may be shared with
. the retention period, i.e. how long the data will be stored (or the criteria used to determine that period)
. any external recipients of the data (in particular, details of disclosure to recipients in Third Countries or to international organisations, i.e. bodies governed by public international law or set up by agreement between countries)
. the existence of the additional rights to erasure, rectification and restriction of Processing, and to object to Processing
. the right to complain to the Information Commissioner’s Office (ICO) should the Data Subject be dissatisfied with the handling of their request
. details of the source of the data if it was not collected from the Data Subject
. the existence of, and an explanation of the logic involved in, any automated decision-making (including profiling) that has a legal or similarly significant effect on the Data Subject.
6.5 SRS Group Holdings Ltd is not obliged to supply any information in response to a request unless:
. the request is in writing
. SRS Group Holdings Ltd is reasonably satisfied, on the basis of sufficient evidence, as to the identity of the person making the request.
Although this policy requires a DSAR to be made in writing, Data Subjects need not mention the DPA/GDPR, or state that they are making a DSAR.
6.6 A DSAR can be made via any of, but not exclusively, the following methods:
. post
. email
. fax
. online forms.
6.7 Data Subjects can request both electronic and paper files from an organisation, including handwritten notes, emails, reports, print outs, photographs, DVDs and sound recordings which refer to or identify a Data Subject.
6.8 Any data that is anonymous or does not concern the Data Subject will not be in scope and therefore is non-disclosable.
6.9 If the request is made by electronic means, the information should be provided in a commonly used electronic form (unless the Data Subject requests otherwise). Recital 63 of the GDPR recommends that, where possible, the controller provide remote access to a secure system giving the Data Subject direct access to his or her Personal Data.
6.10 If SRS Group Holdings Ltd holds a large quantity of data, it may ask the Data Subject to specify the information or Processing activities to which the request relates. Please note that there is no exemption due to large volumes of relevant data being requested. The GDPR does, however, encourage Data Subjects to be as specific as possible.
6.11 SRS Group Holdings Ltd can refuse to act on a DSAR where the request is manifestly unfounded or excessive. Alternatively, such requests can be subject to a reasonable fee, based on administrative costs, as permitted by the GDPR. The standard recommendation for such admin costs is £30+VAT.
7. The Right To Data Portability
7.1 The primary aim of data portability is to facilitate switching from one service provider to another, thus enhancing competition between services. Data portability should not automatically trigger the erasure of the data from an organisation’s systems.
7.2 This right permits Data Subjects to:
. receive a copy of the Personal Data they have provided to SRS Group Holdings Ltd in a commonly used, machine-readable format; in this regard, data portability complements the right of access
. transfer their Personal Data from SRS Group Holdings Ltd to another company.
7.3 In order to fall under the scope of data portability, Processing operations must be based on:
. the Data Subject’s consent, or
. a contract to which the Data Subject is a party.
7.4 The right of portability only extends to data ‘provided by’ the Data Subject and ‘observed’ data. The term ‘provided by’ includes Personal Data that relates to the Data Subject’s activity or results from the observation of a Data Subject’s behaviour but not subsequent analysis of that behaviour.
Data provided by the Data Subject would include account data (e.g. mailing address, user name, age) submitted via online forms.
Observed data is provided by the Data Subject by virtue of the use of the service or the device. SRS Group Holdings Ltd must also include the Personal Data that is generated by and collected from the activities of users in response to a data portability request. This may include, for example, a person’s search history, traffic data and location data.
7.5 This right is therefore not limited to forms completed by an individual, but to information gathered by SRS Group Holdings Ltd during its dealings with a Data Subject or generated from observation of his or her activity.
7.6 Examples of the type of data where data portability will apply include:
. activity logs
. history of website usage and search activities
. email communication sent to the individual.
Paper files: the right to data portability only applies if the data processing is ‘carried out by automated means’, so it does not cover paper files.
Inferred data: inferred and derived data is created by the Data Controller based on the data ‘provided by the Data Subject’. Such Personal Data does not fall within the scope of the right to data portability. For example, a credit score or the outcome of an assessment regarding the health of a user is a typical example of inferred data. Even though such data may be part of a profile kept by a Data Controller and is inferred or derived from the analysis of data provided by the Data Subject (through his or her actions, for example), it will typically not be considered as ‘provided by the Data Subject’ and thus will not be within the scope of this new right.
8. The Right To Rectification
8.1 Data Subjects have the right to request SRS Group Holdings Ltd to rectify inaccurate data held about them. In the event that the data is incomplete, the Data Subject can request SRS Group Holdings Ltd to complete it, or to record a supplementary statement.
9. The Right To Erasure
9.1 Under Article 17 of the GDPR, Data Subjects have the right to have their Personal Data erased in situations where the processing fails to satisfy GDPR requirements.
9.2 Personal Data must be deleted without undue delay where one of the following applies:
. the data is no longer necessary for the purpose for which it was originally collected or otherwise processed
. the Data Subject withdraws consent (and there is no other legal basis for the Processing)
. the Personal Data has been unlawfully Processed (i.e. otherwise in breach of the GDPR)
. the Data Subject objects to the Processing and there is no overriding legitimate interest for continuing the Processing
. erasure is required for compliance with a legal obligation
. the data has been collected in relation to the offering of online services to a child.
9.3 In practical terms, the right involves locating and erasing all of the Data Subject’s Personal Data — files, records in a database, replicated copies, backup copies, including data hosted by cloud service providers and any copies that may have been moved into an archive.
10. The Right To Restrict Processing
10.1 Data Subjects can request that Processing of their Personal Data be restricted, for example to prevent further Processing for the time needed to verify the accuracy of information whose accuracy they contest, or where there is a disagreement over whether the right to erasure applies.
10.2 Once Processing is restricted, SRS Group Holdings Ltd may continue to store the data but may only otherwise Process it with the consent of the Data Subject, for the establishment, exercise or defence of legal claims, for the protection of the rights of another person, or for reasons of important public interest.
The right to restrict processing applies when:
. a Data Subject disputes the accuracy of the data; the Personal Data will then be restricted for the period during which this is verified
. a Data Subject has objected to Processing (based on legitimate interests); the Data Subject can then require the data to be restricted while SRS Group Holdings Ltd verifies whether its grounds for Processing override those of the Data Subject
. the Processing is unlawful but the Data Subject objects to erasure and requests restriction instead
. SRS Group Holdings Ltd has no further need for the data but the Data Subject requires the Personal Data to establish, exercise or defend legal claims.
10.3 When a Data Subject requests the restriction of Processing, SRS Group Holdings Ltd should temporarily remove the data from a general filing system or from a public website to avoid further Processing. SRS Group Holdings Ltd should flag the restricted data in a way that makes clear that Processing is restricted.
10.4 SRS Group Holdings Ltd must notify the Data Subject before lifting a restriction.
11. The Right To Object
11.1 Data Subjects have the right to object to the Processing of Personal Data where the basis for that processing is:
. legitimate interests: the Data Subject can object at any time, on grounds relating to his or her particular situation, to the Processing of data relating to them, save where otherwise provided by national legislation; Processing must then cease unless SRS Group Holdings Ltd can demonstrate compelling legitimate grounds which override the interests, rights and freedoms of the Data Subject (see 13.18)
. a task carried out in the public interest or in the exercise of official authority
. direct marketing: an objection to Processing for direct marketing purposes must be honoured in all cases.
12. Profiling And Automated Decision-making
12.1 The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. Automated decision-making is widely used for marketing and to some extent for HR purposes, and is where organisations take and assess known elements about someone and analyse or predict something about their behaviour in order to make a decision about them.
12.2 Under the GDPR, individuals have the right not to be subject to decisions based solely on automated processing (including profiling), if the decision produces legal effects concerning the Data Subject or similarly significantly affects the individual. Examples of such decisions include e-recruiting or e-evaluation of performance without any human intervention.
12.3 A legal effect is something that adversely affects someone’s legal rights. Recital 71 of the GDPR gives the example of online credit decisions and e-recruiting.
12.4 Any processing covered by this provision should be subject to suitable safeguards, which include specific information to the Data Subject, the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision.
The right does not apply if the decision:
. is necessary for entering into, or the performance of, a contract between SRS Group Holdings Ltd and the Data Subject
. is authorised by law (e.g. for the purposes of fraud or tax evasion prevention)
. is based on the Data Subject’s explicit consent (Article 22(2)(c))
. does not have a legal or similarly significant effect on someone.
13. Procedure For Responding To Requests
13.1 Receiving a request for information A request for information can be made via any of, but not exclusively, the following methods:
. post
. email
. fax
. online forms.
13.2 Identity of Data Subject SRS Group Holdings Ltd must verify the identity of the person making the request, using ‘reasonable means’. When a person submits an application, the requestor should provide SRS Group Holdings Ltd with such information as it may reasonably require.
It may need to confirm the identity of the Data Subject, in which case two forms of ID will normally be required: one must be name identification and the other a form of address identification.
The GDPR allows for digital identification of a Data Subject, for example by authenticating the requester with the same credentials he or she uses to access SRS Group Holdings Ltd’s online services. Typically, this involves two pieces of information from different categories among the following:
. knowledge (e.g. a password or PIN)
. possession (e.g. a payment card or physical token)
. inherence (e.g. biometric data such as a fingerprint).
If this information is not contained in the original request, SRS Group Holdings Ltd should seek proof as required. Where requests are made on behalf of a Data Subject, SRS Group Holdings Ltd should be satisfied that the Data Subject has given consent to the release of their information and locate the information to which he or she is seeking access.
The time limits imposed by the GDPR only come into effect once the request is in writing and necessary ID documentation has been received.
13.3 Large or complex requests Where SRS Group Holdings Ltd processes a large quantity of information concerning the Data Subject, it is possible, before the information is delivered, to ask the Data Subject whether it is possible to narrow the scope of their request by specifying the information or Processing activities to which the request relates.
While the GDPR encourages such constructive dialogue, SRS Group Holdings Ltd cannot require the Data Subject to narrow the scope of their request, but merely to provide additional details that will help to locate the requested information. If the Data Subject insists on a copy of all their information, then SRS Group Holdings Ltd is obligated to respond to such a request.
13.4 Timescales and extensions SRS Group Holdings Ltd must respond to all Data Subject requests without undue delay and at the latest within one month.
The one-month period can be extended by a further two months where necessary, taking into account the complexity of the request or the number of requests received from the Data Subject.
SRS Group Holdings Ltd must inform the Data Subject of any such extension within one month of receipt of the request, together with reasons for the delay.
Failing to respond within one month could result in the Data Subject complaining to the ICO or to the relevant supervisory authority. Following investigation, the ICO or the relevant supervisory authority may seek formal actions by way of an enforcement notice or monetary penalty.
Any damage, including distress, caused to Data Subjects as a result of SRS Group Holdings Ltd’s failure to comply with their request could also give rise to claims for compensation.
13.5 Fee SRS Group Holdings Ltd must provide a copy of Personal Data undergoing Processing free of charge.
However, a ‘reasonable fee’ can be charged for further copies of the same information and when a request is manifestly unfounded or excessive, particularly if it is repetitive. The fee must be based on the administrative cost of providing the information.
13.6 Acknowledgement All written requests received must be directed to the Operations Department.
A third-party representative, such as a solicitor, can make an application on behalf of the Data Subject, but verification of the third party (e.g. Power of Attorney or written consent from the Data Subject) will be required.
Once the application is received, SRS Group Holdings Ltd will acknowledge the request, indicate the time within which it will respond fully and log the request in SRS Group Holdings Ltd’s individual rights register (see 13.24). Acknowledgement is not obligatory, but it is good practice and can help prevent disputes later.
13.7 Searching records Data relevant to the request may be stored in multiple locations/systems. Steps should be taken to carry out adequate searches for the Personal Data requested. This should be undertaken without delay since the data will need to be reviewed (for example, to establish whether any exemptions apply, or to be redacted where it is deemed unreasonable to disclose information which identifies a third party without consent). Searches should include, but not be limited to, the following:
. any information held, or that will be held, on an electronic database or repository
. records of correspondence, whether in the form of physical letters, emails, text messages or other formats, including deleted documents/emails that are easily recoverable (the contents of an email should not be regarded as deleted merely because it has been moved to a user’s ‘Deleted items’ folder)
. records held in a manual filing system which is highly structured so that information can be retrieved easily (e.g. network folders)
. data that has been electronically archived or backed up.
Mechanisms should be implemented to find and retrieve Personal Data that has been electronically archived or backed up.
13.8 Backed-up data The process of accessing electronically archived or backed-up data may be more complicated than the process of accessing ‘live’ data. There is no requirement to restore ‘permanently deleted’ data where there is no intention of ever attempting to access it again and where ‘extreme measures are required’ to recreate previously deleted data.
For the avoidance of doubt, the contents of an email should not be regarded as deleted merely because the email in question has been moved to a user’s ‘Deleted items’ folder.
13.9 Scope of DSAR The DSAR applies to all Personal Data about the Data Subject Processed by SRS Group Holdings Ltd, regardless of the format it is held in and regardless of the difficulty entailed in locating the data. Notes or letters written by hand that are held in a relevant filing system (see Section 5) count as ‘data’ and are disclosable in response to a DSAR.
13.10 Scope of data portability Unlike the subject access right, the data portability right does not apply to all Personal Data held by SRS Group Holdings Ltd concerning the Data Subject. Instead:
. it must be automated data; paper files are not included
. the Personal Data should be knowingly and actively provided by the Data Subject (or observed from his or her use of the service, see 7.4). By contrast, Personal Data that is derived or inferred from the data provided by the Data Subject, such as a user profile created by analysis of raw data, is excluded from the scope of the right to data portability, since it is not provided by the Data Subject but created by SRS Group Holdings Ltd
. the Personal Data has to be Processed by SRS Group Holdings Ltd with the Data Subject’s consent or pursuant to a contract with him or her. The right does not apply to Processing based on SRS Group Holdings Ltd’s legitimate interests.
13.11 DSARs – Third-Party Data A Data Subject generally does not have the right to access personal information recorded about someone else, unless they are an authorised representative or have a legal basis to access the information, e.g. a solicitor or an individual with power of attorney over the Data Subject.
SRS Group Holdings Ltd cannot refuse to provide access to Personal Data simply because the data also refers to a third party. Instead, it is necessary to undertake an assessment to ensure that the privacy rights of both the individual requesting the data and the third party included in the data are respected. When deciding whether or not to disclose information that comprises a mix of the Personal Data of the Data Subject and of other clearly identifiable individuals, SRS Group Holdings Ltd can:
. seek consent from the third party for the disclosure of their data, or
. release the data with the third-party information redacted where consent is not forthcoming or cannot be obtained. The Data Subject would need to be informed of this decision.
Where it is not possible to separate or remove the third-party information by redaction from the Personal Data of the Data Subject, SRS Group Holdings Ltd should consider whether:
. the third party has a particular professional relationship to the requester, such as social worker, health professional or teacher; unless it is likely that serious harm would be caused (e.g. resulting in the possibility of violence or abuse), the third-party data should be disclosed
. the third-party information has previously been provided to the requester by SRS Group Holdings Ltd, is already known by them, or is generally available to the public; if so, it will be more likely to be reasonable to disclose that information.
13.12 Data Portability Requests – Third-Party Data In certain circumstances, it is permissible and necessary to transfer Personal Data relating to third parties in response to a data portability request. However, the recipient of the data cannot use the third-party data for other purposes, e.g. for marketing purposes.
A similar situation occurs when a Data Subject exercises his or her right to data portability on his or her bank account, since it can contain Personal Data relating to the purchases and transactions of the Data Subject but also information relating to transactions, which have been ‘provided by’ other Data Subjects who have transferred money to the Data Subject in question.
13.13 Exemptions There are some circumstances where SRS Group Holdings Ltd can refuse to comply, such as in connection with legal proceedings or where it is required to retain the information by law. The most relevant exemptions are summarised below.
Confidential references Confidential references given by SRS Group Holdings Ltd that are connected to actual or potential education, training or appointment of the Data Subject. This does not apply to references from a third-party source.
Legal privilege Documents that are subject to legal professional privilege.
Management forecasts Data used for an organisation’s forecast or planning (to the extent that disclosure would prejudice SRS Group Holdings Ltd’s ability to conduct its business).
Negotiations with the individual Information which relates to ongoing negotiations between SRS Group Holdings Ltd and the individual requesting the information, where disclosure would prejudice those negotiations.
Prevention or detection of crime Any information if its release would prejudice:
. the prevention or detection of crime
. the apprehension or prosecution of offenders
. the assessment or collection of any tax or duty or of any imposition of a similar nature.
Third-party data Please refer to previous section.
Freedom of expression in the media Applicable where Processing is carried out for journalistic purposes, or for the purposes of academic, artistic or literary expression.
Research Applicable where such rights ‘render impossible or seriously impair’ the achievement of these specific purposes (long-term research studies, including in health and science), and refusal of the request is necessary to meet those requirements.
13.14 Coded Data Data that contains operational codes or indicators needs to be disclosed to the Data Subject in ‘plain English’, or with an explanation of what these codes mean at the very least.
13.15 SRS Group Holdings Ltd must ensure that the Personal Data is transmitted securely (e.g. by use of encryption) to the right destination (e.g. by use of additional authentication information). SRS Group Holdings Ltd should, as a best practice, recommend appropriate format(s) and encryption measures to help ensure that the Data Subject stores the data securely.
13.16 Format – DSARs Where the Data Subject makes a DSAR by electronic means (e.g. email), and unless otherwise requested by the Data Subject, the information should be provided in a commonly used electronic format. This would therefore require relevant paper files to be scanned. Please note that unlike portability requests, it is not necessary to provide data in a machine-readable open format to facilitate its reuse when responding to a DSAR. PDF copies of paper files are acceptable. The GDPR (Recital 63) introduces a new best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information.
13.17 Format – Portability In response to a portability request, SRS Group Holdings Ltd must supply the Data Subject’s Personal Data, or on request transmit the data directly to another organisation, in a structured, commonly used, ‘open’ and machine-readable format (e.g. XML, JSON, CSV), along with useful metadata at the best possible level of granularity, while maintaining a high level of abstraction. This metadata should be enough to make the function and reuse of the data possible but, of course, without revealing trade secrets. It is unlikely, therefore, that providing an individual with PDF versions of an email inbox would be sufficiently structured or descriptive to allow the inbox data to be reused easily. Instead, the email data should be provided in a format which preserves all the metadata (e.g. sender, recipients, dates and headers), to allow the effective reuse of the data.
13.18 Right to object SRS Group Holdings Ltd must cease such Processing unless it:
. can demonstrate compelling legitimate grounds for the Processing that override the interests, rights and freedoms of the Data Subject, or
. requires the data in order to establish, exercise or defend legal claims.
An objection to Processing for direct marketing purposes must always be honoured.
13.19 Restriction of data Methods that can be used to restrict the Processing of the Data Subject’s Personal Data include temporarily removing or blocking published data from a website, or a temporary transfer of the ‘marked’ Personal Data to another Processing system, making it unavailable. The restriction of Processing should, in principle, be ensured by technical means and should be logged in the relevant IT systems in such a manner that the Data Subject’s Personal Data is not subject to further Processing operations and cannot be changed. Before lifting any Processing restriction, SRS Group Holdings Ltd must inform the Data Subject.
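The following is an added illustration, not part of SRS Group Holdings Ltd’s policy or of any system it operates: a hypothetical record store, written in Python, that enforces restriction of Processing by technical means in the way 10.2 and 13.19 describe. A restricted record can still be stored, can be read only for a permitted purpose (legal claims or with the Data Subject’s consent), cannot be changed at all, and every allowed or refused operation is written to an audit log; lifting the restriction records a notification to the Data Subject before the flag is cleared. The record, the purpose names and the notification mechanism are assumptions made for the example.

```python
"""Purpose-gated restriction of processing (added illustration, not from the policy)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Optional

# Assumed purpose labels under which a restricted record may still be READ
# (consent of the data subject, or legal claims). Storage is always allowed;
# every other processing operation is blocked while the flag is set.
PERMITTED_WHILE_RESTRICTED = frozenset({"legal_claims", "data_subject_consent"})


@dataclass
class Record:
    subject_id: str
    data: dict
    restricted: bool = False
    restriction_reason: Optional[str] = None


@dataclass
class RestrictableStore:
    """Hypothetical store: the restriction flag is enforced in code, not by convention."""
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)
    notifications: list = field(default_factory=list)  # messages sent to data subjects

    def _log(self, event: str, subject_id: str, **extra: Any) -> None:
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, "subject": subject_id}
        entry.update(extra)
        self.audit_log.append(entry)

    def add(self, record: Record) -> None:
        self.records[record.subject_id] = record
        self._log("stored", record.subject_id)

    def restrict(self, subject_id: str, reason: str) -> None:
        rec = self.records[subject_id]
        rec.restricted = True
        rec.restriction_reason = reason
        self._log("restricted", subject_id, reason=reason)

    def lift_restriction(self, subject_id: str) -> None:
        rec = self.records[subject_id]
        # Policy 10.4 / 13.19: the data subject is informed BEFORE the restriction is lifted.
        self.notifications.append(f"{subject_id}: restriction of processing is being lifted")
        rec.restricted = False
        rec.restriction_reason = None
        self._log("restriction_lifted", subject_id)

    def read(self, subject_id: str, purpose: str) -> dict:
        rec = self.records[subject_id]
        if rec.restricted and purpose not in PERMITTED_WHILE_RESTRICTED:
            self._log("denied", subject_id, op="read", purpose=purpose)
            raise PermissionError(f"processing of {subject_id} is restricted ({rec.restriction_reason})")
        self._log("read", subject_id, purpose=purpose)
        return dict(rec.data)

    def update(self, subject_id: str, changes: dict, purpose: str) -> None:
        rec = self.records[subject_id]
        if rec.restricted:
            # Restricted data "cannot be changed": writes are refused whatever the purpose.
            self._log("denied", subject_id, op="update", purpose=purpose)
            raise PermissionError(f"{subject_id} is restricted; data cannot be changed")
        rec.data.update(changes)
        self._log("update", subject_id, purpose=purpose, fields=sorted(changes))


def build_demo_store() -> RestrictableStore:
    """Constructed sample record for the demonstration; not real data."""
    store = RestrictableStore()
    store.add(Record("ds-001", {"name": "A. Example", "postcode": "AB1 2CD", "donor_segment": "regular"}))
    return store


def attempt(store: RestrictableStore, op, *args, **kwargs) -> str:
    """Run one operation against the store and report 'allowed' or 'denied' instead of raising."""
    try:
        op(*args, **kwargs)
        return "allowed"
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    s = build_demo_store()
    s.restrict("ds-001", "accuracy of postcode disputed by data subject")
    print(attempt(s, s.read, "ds-001", purpose="marketing"))                                   # denied
    print(attempt(s, s.read, "ds-001", purpose="legal_claims"))                                # allowed
    print(attempt(s, s.update, "ds-001", {"postcode": "XY9 8ZW"}, purpose="legal_claims"))     # denied
    s.lift_restriction("ds-001")
    print(s.notifications)
    print(attempt(s, s.update, "ds-001", {"postcode": "XY9 8ZW"}, purpose="rectification"))    # allowed
    for e in s.audit_log:
        print(e["event"], e.get("op", ""), e.get("purpose", ""))
```

The point of the design is that the flag lives on the record and is checked by every code path that processes it, so an ordinary marketing read or a bulk update cannot bypass it by accident, and the audit log gives the evidence a supervisory authority would ask for (13.24). In a real system the same gate would sit in the data-access layer or a database policy rather than in application code that each caller must remember to use.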
13.20 Rectification of data The right to rectification means that the Data Subject has the right to request rectification of inaccurate Personal Data concerning him or her. The Data Subject also has the right to have incomplete Personal Data completed, including by means of providing a supplementary statement. It may be necessary to ‘restrict’ the Processing of the data until SRS Group Holdings Ltd has had the opportunity to verify its accuracy. If it is established that the data is inaccurate, rectification should be made as soon as possible.
13.21 Erasure Where it is established that data relating to the Data Subject is no longer needed for the purpose for which it was gathered, or consent to Processing is withdrawn, and provided an exemption does not apply, then the data should be erased without undue delay and at the latest within one month of receipt of the request. There are some circumstances where SRS Group Holdings Ltd can refuse to comply, such as in connection with legal proceedings or where it is required to retain the information by law (see the exemptions listed above).
13.22 Notifying third parties regarding rectification, erasure or restriction Where the Data Subject’s Personal Data has previously been disclosed to third parties and the Data Subject has since exercised any of the rights of rectification, erasure or restriction, SRS Group Holdings Ltd must inform those third parties of the request, unless this is impossible or involves disproportionate effort. The third party would be obliged to respond to the request by erasing, rectifying or temporarily restricting access to the data unless it can establish that an exemption applies. The Data Subject is also entitled to request information about the identities of those third parties. The GDPR reinforces the right to erasure by clarifying that organisations in the online environment that make Personal Data public should inform other organisations which Process the Personal Data to erase links to, copies of, or replications of the Personal Data in question. Where SRS Group Holdings Ltd has made the data public, and the Data Subject exercises these rights, SRS Group Holdings Ltd must take reasonable steps (taking costs and available technology into account) to inform third parties that the Data Subject has exercised those rights.
13.23 Rejecting a request SRS Group Holdings Ltd can also refuse to respond. In the absence of any applicable exemption, in practice there should be very few cases where SRS Group Holdings Ltd would be able to justify a refusal to deliver the requested information, even where a Data Subject makes multiple requests. For example, implementing automated systems such as Application Programming Interfaces (APIs) can facilitate exchanges with the Data Subject or, in the case of DSARs, remote access to a secure self-service portal can lessen the burden resulting from repetitive requests. Where SRS Group Holdings Ltd refuses to respond to a request, it must, without undue delay and at the latest within one month of receipt of the request, explain the grounds for refusal to the Data Subject (e.g. the exemption relied on) and inform them of their right to complain to the relevant supervisory authority and to seek a judicial remedy.
13.24 Individual Rights Register As with any process relating to Personal Data, it is crucial for SRS Group Holdings Ltd to keep up-to-date and precise records of any requests that fall within the scope of this policy. This is especially important if the request falls into the ‘complex’ category or if a complaint is made. In such cases, the data protection supervisory authority is likely to analyse the thought processes and reasoning behind decisions, so clear documentation is vital. And, as always with Personal Data Processing, appropriate measures to protect the register’s security and privacy must be taken.
14. Complaints Process
14.1 If a Data Subject is not satisfied by the actions of SRS Group Holdings Ltd they can seek recourse through the internal complaints procedure. We will deal with any complaint about the way a request has been handled and about what information has been disclosed.
14.2 If the Data Subject remains dissatisfied, they have the right to refer the matter to the ICO or the relevant supervisory authority.