Data Subject Access Request Procedure

This Data Subject Access Request Procedure is applicable to the RD&X Group, comprising RD&X Group DMCC and RDandX Network LLP.

Change history

Date | Version | Created By | Description of Change
DD.MM.YYYY | v. 1.0 | |

1. Scope, Purpose and Users

This procedure sets out the key features regarding handling or responding to requests for access to personal data made by data subjects, their representatives or other interested parties. This procedure will enable RD&X Group (collectively: “Company”) to comply with legal obligations, provide better customer care, improve transparency, enable individuals to verify that information held about them is accurate, and increase the level of trust by being open with individuals about the information that is held about them.

This procedure applies broadly across all entities or subsidiaries owned or operated by the Company but does not affect any state or local laws or regulations which may otherwise be applicable. This procedure applies to employees that handle data subject access requests such as the Data Protection Officer.

2. Reference Documents

EU GDPR 2016/679 (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC)

Privacy Policy as updated on the weblink (https://www.rdandx.com/privacy-policy/)

3. About a Data Subject Access Request 

A Data Subject Access Request (“DSAR”) is any request made by an individual or an individual’s legal representative for information held by the Company about that individual. DSAR provides the right for data subjects to see or view their own personal data as well as to request copies of the data.

A DSAR must be made in writing. In general, verbal requests for information held about an individual are not valid DSARs. In the event a formal DSAR is made verbally to a staff member of the Company, further guidance should be sought from the Data Protection Officer, who will consider and approve all DSAR applications.

A DSAR can be made via any of the following methods: 

DSARs made online must be treated like any other DSAR when they are received, though the Company will not provide personal information via social media channels.

4. The Rights of a Data Subject

The rights to data subject access include the following:

  • Know whether a data controller holds any personal data about them.
  • Receive a description of the data held about them and, if permissible and practical, a copy of the data.
  • Be informed of the purpose(s) for which that data is being processed, and from where it was received.
  • Be informed whether the information is being disclosed to anyone apart from the original recipient of the data; and if so, the identity of those recipients.
  • The right of data portability. Data subjects can ask that their personal data be transferred to them or a third party in machine readable format (word, pdf, etc.). However, such requests can only be fulfilled if the data in question is: i) provided by the data subject to the Company, ii) is processed automatically and iii) is processed based on consent or fulfilment of a contract.
  • If the data is being used to make automated decisions about the data subject, be told what logic the system uses to make those decisions and be able to request human intervention.

The Company must provide a response to data subjects requesting access to their data within 30 calendar days of receiving the DSAR unless local legislation dictates otherwise.

5. Requirements for a valid DSAR

In order to be able to respond to the DSAR in a timely manner, the data subject should:

  • Submit his/her request using a DSAR Form (format attached in Exhibit A).
  • Provide the Company with sufficient information to validate his/her identity (to ensure that the person requesting the information is the data subject or his/her authorized person).

Subject to the exemptions referred to in this document, the Company will provide information to data subjects whose requests are in writing (or by some other method explicitly permitted by the local law), and are received from an individual whose identity can be validated by the Company.

However, the Company will not provide data where the resources required to identify and retrieve it would be excessively difficult or time-consuming. Requests are more likely to be successful where they are specific and targeted at particular information.

Factors that can assist in narrowing the scope of a search include identifying the likely holder of the information (e.g., by making reference to a specific department), the time period in which the information was generated or processed (the narrower the time frame, the more likely a request is to succeed) and being specific about the nature of the data sought (e.g., a copy of a particular form or email records from within a particular department).

6. DSAR Process

6.1 Request

Step 1: Upon receipt of a DSAR from the data subject, the Data Protection Officer will acknowledge the request.
Step 2: The data subject may be asked to complete a DSAR Form to better enable the Company to locate the relevant information.

6.2 Identity verification
The Data Protection Officer needs to check the identity of anyone making a DSAR to ensure information is only given to the person who is entitled to it.

Step 1: If the identity of a DSAR data subject has not already been provided, the Data Protection Officer will ask the data subject to provide two forms of identification, one of which must be a photo identity and the other confirmation of address.
Step 2: If the requestor is not the data subject, written confirmation that the requestor is authorized to act on behalf of the data subject is required.
Step 3: In case of no response within 10 working days from the data subject, the Data Protection Officer will be entitled to close the request and record the DSAR response.

6.3 Information for Data Subject Access Request

Step 1: On receipt of all relevant information from the data subject with respect to the DSAR, to the satisfaction of the Data Protection Officer, the Data Protection Officer will notify the data subject that his/her DSAR will be responded to within 30 calendar days. The data subject will be informed by the Data Protection Officer in writing if there will be any deviation from the 30-day timeframe due to other intervening events.
Step 2:

There will normally be no charge for receiving a copy of information requested in a DSAR. However, a reasonable fee may be levied when:

  1. A request is considered by the Company to be “manifestly unfounded”, excessive or repetitive;
  2. There are requests for additional copies of the same information.

Examples of “manifestly unfounded” requests include when a person sends different requests to the Company as part of a campaign with the intention of causing disruption, or the person is targeting a particular person against whom they have a grudge.

The calculation of the fee is based on the administrative cost of providing the information. The Company will explain why the fee has been levied within a month of receiving the original DSAR. The Company does not have to comply with the request until it has received the fee.

Note: The 30-day period begins from the date that the required documents are received. 

Illustration: The Company receives a request on Jan 30. The time limit starts from the next day, i.e., Jan 31, even if that day is a weekend or public holiday. As there is no equivalent date in Feb, the organization has until 28th/29th Feb to comply with the request. However, if 28th/29th Feb falls on a weekend or is a public holiday, the calendar month ends the next working day.

6.4 Review of Information

Step 1: The Data Protection Officer will contact and ask the relevant department(s) for the required information as requested in the DSAR and the timeline within which the information needs to be provided. The Data Protection Officer will establish the nature and likely location of the information requested and will contact the relevant business and system owner.
Step 2: The Data Protection Officer will provide guidance and support to the relevant departments conducting the searches, but it is the responsibility of individual members of the departments to carry out the searches within agreed timescales.
Step 3:
  1. The relevant departments will collate and provide the Data Protection Officer with all relevant information in support of the DSAR.
  2. The relevant departments will be tasked with determining whether any of the personal data held with respect to the data subject has been sent to third parties for processing. If yes, they should provide the Data Protection Officer with a list of those third parties as well as a point of contact for each entity.
  3. The relevant departments will also determine whether any of the personal data held with respect to the data subject has been sent outside of the country in which it was collected. If yes, they should provide the Data Protection Officer with a list of those countries. 
Step 4: The Data Protection Officer will notify the impacted third parties of the DSAR to respond as appropriate to the data subject and consider the legal implications of any international transfers of data.
Step 5: The Data Protection Officer will determine whether there is any information which may be subject to an exemption and/or if consent is required to be provided from a third party.
Step 6: If necessary, an initial meeting with the relevant department may be held to go through the request.
Step 7: The department which holds the information must return the required information by the deadline provided by the Data Protection Officer and/or a further meeting is arranged with the department to review the information.
Step 8: The Data Protection Officer will ask the relevant department to complete a “Data Subject Disclosure Form” to document compliance with the 30-day requirement.
Note: The Data Protection Officer must ensure that the information is reviewed/received by the imposed deadline to ensure the 30-calendar day timeframe is not breached. 

6.5 Response to Access Requests

Step 1:

The Data Protection Officer will respond to the DSAR received from the data subject as follows:

  1. provide the finalized response together with the information retrieved from the department(s); or 
  2. provide a statement that the Company does not hold the information requested; or 
  3. provide details of applicability of an exemption or rejection*.
Step 2: The Data Protection Officer will ensure that a written response will be sent back to the data subject (format attached in Exhibit B). This will be via email, unless the requestor has specified another method by which they wish to receive the response (e.g., post). The Company will only provide information via channels that are secure. When hard copies of information are posted, they will be sealed securely and sent by recorded delivery.
Step 3: A data subject dissatisfied with the outcome of his/her DSAR is entitled to make a request to the Data Protection Officer to review the outcome. In this case, the steps in sections 6.1 to 6.4 will be followed.
Step 4: After the response has been sent to the data subject, the DSAR will be considered closed and archived by the Data Protection Officer.

*Exemptions and rejection

A data subject does not have the right to access information recorded about someone else, unless they are an authorised representative, or have parental responsibility. The Company is not required to respond to requests for information, unless it is provided with sufficient details to enable the location of the information to be identified, and to satisfy itself as to the identity of the data subject making the request. In principle, the Company will not normally disclose the following types of information in response to a DSAR:

  • Information about other people. A DSAR may cover information which relates to an individual or individuals other than the data subject. Access to such data will not be granted, unless the individuals involved consent to the disclosure of their data.
  • Repeat requests. Where a similar or identical request in relation to the same data subject has previously been complied with within a reasonable time period, and where there is no significant change in personal data held in relation to that data subject, any further request made within a six-month period of the original request will be considered a repeat request, and the Company will not normally provide a further copy of the same data.
  • Publicly available information. The Company is not required to provide copies of documents which are already in the public domain.
  • Opinions given in confidence or protected by copyright law. The Company does not have to disclose personal data held in relation to a data subject that is in the form of an opinion given in confidence or protected by copyright law.
  • Privileged documents. Any privileged information held by the Company need not be disclosed in response to a DSAR. In general, privileged information includes any document which is confidential (e.g. a direct communication between a client and his/her lawyer) and is created for the purpose of obtaining or giving legal advice.

There are situations where individuals do not have a right to see information relating to them. For instance:

  • If the information is kept only for the purpose of statistics or research, and where the results of the statistical work or research are not made available in a form that identifies any of the individuals involved.
  • Requests made for other, non-data protection purposes can be rejected.

If the Data Protection Officer or the relevant department in the Company refuses a DSAR, the reasons for the rejection must be clearly set out in writing. 

7. Responsibilities

The overall responsibility for ensuring compliance with a DSAR rests with the Data Protection Officer. If the Company acts as a data controller towards the data subject making the request, then the DSAR will be addressed based on the provisions of this procedure. If the Company acts as a data processor, the Data Protection Officer will forward the request to the appropriate data controller on whose behalf the Company processes personal data of the data subject making the request.

8. Managing records kept on the basis of this document

Record name | Storage location | Person responsible for storage | Controls for record protection | Retention time
Data Subject Access Request Forms | | Data Protection Officer | Only authorized persons may access the folder | 7 years
Data Subject Disclosure Form | | Data Protection Officer | Only authorized persons may access the folder | 7 years

9. Validity and document management

This document is valid as of [mention date]. The owner of this document is [mention designation], who must check and, if necessary, update the document at least once a year.

Exhibit A: Data Subject Access Request Form

DATA SUBJECT ACCESS REQUEST FORM

Article 15 of the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) grants you the right to access your personal data held by RD&X Group, comprising RD&X Group DMCC and RDandX Network LLP (collectively ‘Company’).  It includes the right to obtain confirmation that we process your personal data, receive certain information about the processing of your personal data, and obtain a copy of the personal data we process.  We recommend that you submit your request to us in writing using this form.

In line with the GDPR regulations, we expect to respond to your request within one month of receipt of a fully completed form and proof of identity. 

In addition to exercising your access right, the GDPR also grants you the right to:

  • Request correction or erasure of your personal data;
  • Restrict or object to certain types of data processing;
  • Make a complaint with the local data protection authority.

For more information on your rights under the GDPR, see Privacy Policy as updated on the weblink (https://www.rdandx.com/privacy-policy/) and the Data Subject Access Policy which is available at [*].

1. DATA SUBJECT DETAILS

Please provide your contact information in the space provided below.  If you are making this request on behalf of someone, you should provide your name and contact information in Section 2. Please note, we will only use the information you provide on this form to identify you and the personal data you are requesting access to, and to respond to your request.

Title (please cross the relevant box): Mr. Mrs. Miss. Ms. Other: 
Surname: 
Forename(s): 
Date of birth: 
Current address: 
Telephone number: 
Home 
Work 
Mobile 
Email address: 
Details of identification provided to confirm name of data subject: 
Nature of your connection with the Company: 

Proof of Identity

Unless we already hold it, we will require proof of your identity before we can respond to your access request.  To help us establish your identity, you must provide identification that clearly shows your name, date of birth and current address.  We accept a photocopy or a scanned image of one of the following: 

  • Passport; or
  • Photo identification such as a driver’s license, national identification number card, or birth or adoption certificate

Please also attach a copy of a bank or credit card statement or utility bill showing your current address and dated within the last three months.  

If you have changed your name, please provide the relevant documents evidencing the change. Please note, we may request additional information from you to help confirm your identity and your right to access, and to provide you with the personal data we hold about you.  We reserve the right to refuse to act on your request if we are unable to identify you.

If you do not have any of these forms of identification available, please contact the Company’s Data Protection Officer on [email] for advice on other acceptable forms of identification.

2. DETAILS OF PERSON REQUESTING INFORMATION (IF NOT THE DATA SUBJECT) 

Are you acting on behalf of the data subject with their written or other legal authority?

Yes 

No  

If ‘Yes’ please state your relationship with the data subject (e.g., parent, legal guardian or solicitor) 
Please enclose proof that you are legally authorised to obtain this information.
Title: Mr. Mrs. Miss. Ms. Other: 
Surname: 
First name(s): 
Current address: 
Date of birth: 
Telephone number: 
Home 
Work 
Mobile 
Email address: 

As proof of your legal authority to act on the data subject’s behalf, we will accept a copy of one of the following:

  • A written consent signed by the data subject
  • A certified copy of a Power of Attorney
  • Evidence of parental responsibility



3. DATA SUBJECT ACCESS REQUEST

Please provide as much information as possible regarding the scope of your request.

Data Subject Access Request
 
 
Date from:    Date to:

4. FEE

We reserve the right to charge a reasonable fee when a request is manifestly unfounded or excessive, particularly if it is repetitive.  We may also charge a reasonable fee to comply with requests for further copies of the same information.  The fee is based on the administrative cost of providing the information. 



5. DECLARATION

I, ………………………………………………………, the undersigned and the person identified in (1) above, hereby request that the Company provide me with the data about me identified above.



Signature:    Date:


DSAR form completed by (name):


OR


I, ………………………………………………………, the undersigned and the person identified in (2) above, hereby request that the Company provide me with the data about the data subject identified in (1) above.


Signature: Date:


DSAR form completed by (name):


Notes:

This form must be forwarded to the Company’s Data Protection Officer at [email]. We will do our best to respond within one month of the date of your request. If your request is unclear or complex, it may take longer for us to respond. 


If you are not satisfied with the response you receive, please let us know by emailing [email]. We will do our best to work with you to find a suitable resolution. If you are still not satisfied, you may lodge a complaint with your national data protection supervisory authority. The list of European Data Protection Board authorities can be found here


Please do not enter sensitive personal information or protected health information into this form.

Exhibit B: Data Subject Disclosure Form

DATA SUBJECT DISCLOSURE FORM

Use this address when sending by post: [address]
This Data Subject Disclosure Form is addressed to the person identified below as a result of completing the Data Subject Access Request Form.
Data Subject’s Full Name | Data Subject’s Date of Birth
  
Data Subject’s Current Address
 
Purpose of processing
 
Recipients, or categories of recipients 
 
Retention period
 
Source of the data (if not collected from the data subject)
 
  Any regulated automated decisions taken 
 
Response to Data Subject Access Request
 
Reasons for not disclosing information to the Data subject
The information relates to an individual or individuals other than the data subject.
A similar or identical request in relation to the same data subject was previously complied with within a reasonable time period.  Since there is no significant change in personal data held in relation to that data subject, any further request made within a six-month period of the original request is considered to be a repeat request. RD&X Group does not normally provide further copies of the same data, nor is required to provide copies of documents which are already in the public domain.
Personal data are held in relation to a data subject that is in the form of an opinion given in confidence or protected by copyright law.
The information is considered privileged or confidential (e.g., a direct communication between a client and his/her lawyer).
The information is kept only for the purpose of statistics or research, and the results of the statistical work or research are not made available in a form that identifies any of the individuals involved.
The purposes related to the individual’s rights under data protection legislation: requests made for other, non-data protection purposes can be rejected.
As a data subject, you have the following rights:
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
  • Right to object to processing – you have the right to object to certain types of processing such as direct marketing.
  • Right to lodge a complaint – if you are not satisfied with how your personal data is being processed by RD&X Group (or third parties), or how your complaint has been handled, you may lodge a complaint directly with the supervisory authority and Carisbrooke Shipping Ltd data protection representatives (IS & IT Manager).
Name of the Data Protection Officer:

Date: 

Signature: