This Data Subject Access Request Procedure is applicable to the RD&X Group, comprising RD&X Group DMCC and RDandX Network LLP.
1. Scope, Purpose and Users
This procedure sets out the key features regarding handling or responding to requests for access to personal data made by data subjects, their representatives or other interested parties. This procedure will enable RD&X Group (collectively: “Company”) to comply with legal obligations, provide better customer care, improve transparency, enable individuals to verify that information held about them is accurate, and increase the level of trust by being open with individuals about the information that is held about them.
This procedure applies broadly across all entities or subsidiaries owned or operated by the Company but does not affect any state or local laws or regulations which may otherwise be applicable. This procedure applies to employees who handle data subject access requests, such as the Data Protection Officer.
2. Reference Documents
EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)
Privacy Policy as updated on the weblink (https://www.rdandx.com/privacy-policy/)
3. About a Data Subject Access Request
A Data Subject Access Request (“DSAR”) is any request made by an individual or an individual’s legal representative for information held by the Company about that individual. A DSAR gives data subjects the right to see or view their own personal data as well as to request copies of the data.
A DSAR must be made in writing. In general, verbal requests for information held about an individual are not valid DSARs. In the event a formal DSAR is made verbally to a staff member of the Company, further guidance should be sought from the Data Protection Officer, who will consider and approve all DSAR applications.
A DSAR can be made via any of the following methods:
DSARs made online must be treated like any other DSAR when they are received, though the Company will not provide personal information via social media channels.
4. The Rights of a Data Subject
The rights to data subject access include the following:
- Know whether a data controller holds any personal data about them.
- Receive a description of the data held about them and, if permissible and practical, a copy of the data.
- Be informed of the purpose(s) for which that data is being processed, and from where it was received.
- Be informed whether the information is being disclosed to anyone apart from the original recipient of the data; and if so, the identity of those recipients.
- The right of data portability. Data subjects can ask that their personal data be transferred to them or a third party in machine-readable format (Word, PDF, etc.). However, such requests can only be fulfilled if the data in question is: i) provided by the data subject to the Company, ii) processed automatically and iii) processed based on consent or fulfilment of a contract.
- If the data is being used to make automated decisions about the data subject, be told what logic the system uses to make those decisions and be able to request human intervention.
The Company must provide a response to data subjects requesting access to their data within 30 calendar days of receiving the DSAR unless local legislation dictates otherwise.
5. Requirements for a valid DSAR
In order to be able to respond to the DSAR in a timely manner, the data subject should:
- Submit his/her request using a DSAR Form (format attached in Exhibit A).
- Provide the Company with sufficient information to validate his/her identity (to ensure that the person requesting the information is the data subject or his/her authorized person).
Subject to the exemptions referred to in this document, the Company will provide information to data subjects whose requests are in writing (or by some other method explicitly permitted by the local law), and are received from an individual whose identity can be validated by the Company.
However, the Company will not provide data where identifying and retrieving it would be excessively difficult or time-consuming. Requests are more likely to be successful where they are specific and targeted at particular information.
Factors that can assist in narrowing the scope of a search include identifying the likely holder of the information (e.g., by making reference to a specific department), the time period in which the information was generated or processed (the narrower the time frame, the more likely a request is to succeed) and being specific about the nature of the data sought (e.g., a copy of a particular form or email records from within a particular department).