Being able to provide a clear process and swift response to Subject Access Requests (SARs) is an essential element of GDPR. The below sets out J+D Consulting’s policy for dealing with SARs.
General
  • Data subjects will be informed of their right to access their personal data at the point at which the reason for the collection of personal data is first mentioned
  • Data subjects will be informed of the process by which they can access their personal data at the point at which this is collected – via email to [email protected]
  • All J+D Consulting staff will be trained on our SAR policy and will understand how to deal with any SAR request. In particular:
    • Responsibility for handling SAR requests – this will fall upon the Office Manager, who will then liaise with relevant internal staff colleagues to swiftly and efficiently respond to the request
    • Timing – all SAR requests will be acknowledged within 2 working days and will be responded to within 15 working days
    • Changes to data – any requests to change personal data will be actioned within the above timeframe and confirmed with the individual once complete
    • Handling requests for erasure or restriction of processing – the request will be placed on file and the personal data either erased (within the above timeframes) or its processing restricted, with the restriction notified to internal J+D staff who would be involved in the processing of the data
  • Personal data will be made easily accessible at all times via our secure Microsoft 365 SharePoint software. This will ensure that SARs can be responded to as swiftly and efficiently as possible
  • Please note that in order to successfully respond to a SAR, we may need to collect additional information from the individual. For example, if you contact us via email with no other personal identifier, and if we do not hold an email address on file as part of the personal data for you, then we may need to seek an additional identifier to make sure we process the request accurately
Upon receipt of a SAR
Below is our internal procedure upon receipt of a SAR:
  • If we are a processor, then we will inform the data subject and refer you to the actual controller
  • If needed, we may request further evidence on your identity
  • If necessary, we may need to clarify the reason behind your request and confirm that the details being requested are explicitly clear
  • If requests are unfounded or excessive (e.g. repetitive requests), then it is at the discretion of J+D Consulting to refuse to act on the request or charge an administrative fee in line with the time taken to deal with the request
  • We will acknowledge receipt of your SAR in line with the timings above and we will inform you of any costs involved in the processing of the SAR
  • If the request involves data on other data subjects, then we will make sure this data is filtered before the requested data is supplied to the data subject. If data cannot be filtered, we will ensure that other data subjects have consented to the supply of their data as part of the SAR
Responding to a SAR
  • The SAR will be acknowledged within 2 working days by our Office Manager
  • A full response will be provided within 15 working days by our Office Manager. Should this not be possible, we will contact the individual within this 15 day period to confirm why and when we will be able to provide a response (this will be no longer than 2 months from initial request)
  • If data on the data subject is processed, we will include as a minimum the following information in the SAR response:
    • the purposes of the processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipients to whom personal data has been or will be disclosed;
    • the period for which personal data will be stored;
    • the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
    • the right to lodge a complaint with a supervisory authority;
    • if the data has not been collected from the data subject: the source of such data;
    • the existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  • We will provide a copy of the personal data undergoing processing. This will be provided in a commonly used electronic format (e.g. Excel) if the data subject has submitted the SAR electronically and will be sent to the data subject via a secure link that only they can access