Data Subject Access Request
What is ‘Personal Data’?
Personal Data means any information relating to an identifiable person who can be directly, or indirectly, identified.
Personal identifiers include a name, identification number, location data or online identifier. It applies to automated personal data as well as manual filing systems where personal data is accessible according to specific criteria; this could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
What rights do individuals (‘Data Subjects’) have?
Individuals (‘Data Subjects’) have the right to obtain:
- Confirmation that their data is being processed
- Access to their personal data
- Other supplementary information (mostly the information provided in privacy notices).
- Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- Given a copy of the information comprising the data; and given details of the source of the data (where this is available).
How do individuals (‘Data Subjects’) submit requests for their information?
The information Phoenix Software Ltd hold is available upon request by contacting firstname.lastname@example.org
Individuals can also request their data is updated and/or deleted at any time, unless Phoenix Software Ltd needs to retain it for legitimate business or legal purposes, by submitting a request to this email address.
Responding to Subject Data Access Requests
Phoenix Software Ltd may ask the individual to verify their identity before their request is actioned.
Phoenix Software Ltd has the right to ask the individual for enough information to judge whether the person making the request is the individual to whom the personal data relates. This is to avoid personal data about one individual being sent to another, accidentally or as a result of deception.
Phoenix Software Ltd has the right to ask for information that is reasonably needed to find the personal data covered by the request. If no personal information about the individual is held, they will be informed.
If data processing is outsourced, subject access requests may be sent to the third party to respond.
Phoenix Software Ltd GDPR committee will refer to the Company’s GDPR Data Register to locate all the information held on the individual and liaise with the Phoenix Software Ltd Departments and/or Third Parties concerned in order to collate all the information.
Information will be provided within at least one month of receiving the request. Where requests are complex or numerous, Phoenix Software Ltd has the right to extend the deadline for providing the information to three months. However, a response to the request explaining why the extension is necessary, will be sent within one month.
Data Access Requests that are manifestly unfounded or excessive can be refused or a charge be made. If a request is refused, the individual will be informed as to why and advised that they have the right to complain to the ICO and to a judicial remedy. The refusal will be made without undue delay and at the latest, within one month.
Information will be provided free of charge.