This Policy is designed to establish a procedure for handling or responding to access requests to personal data made by data subjects, their representatives or other interested parties. This policy will enable Goaffpro to comply with legal obligations, provide better customer care, improve transparency, enable individuals to verify that information held about them is accurate, and increase the level of trust by being open with individuals about the information that is held about them.
This policy applies to all entities owned or operated by Goaffpro but does not affect any state or local laws or regulations which may otherwise be applicable. This policy also applies to Goaffpro employees who handle data subject access requests.
A Data Subject Access Request (DSAR) is any request made by an individual or an individual’s legal representative for information held by Goaffpro about that individual. The DSAR provides the right for data subjects to see or view their own personal data as well as to request copies of the data. A DSAR must be made in writing. In general, verbal requests for information held about an individual are not valid DSARs. A DSAR can be shared via any of the following methods: email or post. DSARs made online must be treated like any other Data Subject Access Requests when they are received, though Goaffpro will not provide personal information via social media channels.Refer the DSAR form for contact details
The rights to data subject access include the following:
However, the aforementioned requests can only be fulfilled if the data in question is:
Goaffpro shall provide a response to data subjects requesting access to their data within 30 calendar days of receiving the DSAR or from the final receipt of additional information to enable us fulfil the request unless local legislation dictates otherwise
In order to enable us to respond to the Data Subject Access Requests in a timely manner, the data subject should:
Subject to the exemptions referred to in this document, Goaffpro will provide information to data subjects whose requests are in writing (or by some other method explicitly permitted by the local law), and are received from an individual whose identity can be validated by Goaffpro
It must be noted that Goaffpro will not provide data where the resources required to identify and retrieve it would be excessively difficult or time-consuming. Requests are more likely to be successful where they are specific and targeted at particular information
Factors that can assist in narrowing the scope of a search include identifying the likely holder of the information (e.g. by making reference to a specific department), the time period in which the information was generated or processed (the narrower the time frame, the more likely a request is to succeed) and being specific about the nature of the data sought (e.g. a copy of a particular form or email records from within a particular department)
Upon receipt of a DSAR, the Data Protection Team will log and acknowledge the request. The requester shall be asked to complete a Data Subject Access Request Form to better enable Goaffpro to locate the relevant information
The Data Protection Team shall check the identity of anyone making a DSAR to ensure information is only given to the person who is entitled to it If the identity of a DSAR requester has not already been provided, the person receiving the request will ask the requester to provide two forms of identification, one of which must be a photo identity and the other confirmation of address If the requester is not the data subject, written confirmation that the requester is authorized to act on behalf of the data subject is required
Upon receipt of the required documents, the person receiving the request will provide the Data Protection Team with all relevant information in support of the DSAR Where the Data Protection Team is reasonably satisfied with the information presented by the person who received the request, the Data Protection Team will notify the requester that his/her DSAR will be responded to within 30 calendar days The 30 day period begins from the date that the required documents are received. The requester will be informed by the Data Protection Team in writing if there will be any deviation from the 30 day timeframe due to other intervening events
The Data Protection Team which includes cross department representatives will collate the relevant and required information as requested in the DSAR The Data Protection Team shall ensure that the information is reviewed/received by the imposed deadline to ensure the 30 calendar day timeframe is not breached The Data Protection Officer will ask the relevant departments to complete a “Data Subject Response Form” to document compliance with the 30 day requirement
The Data Protection Team will provide the finalized response together with the information retrieved and/or a statement that the does not hold the information requested, or that an exemption applies The Data Protection Team will ensure that a written response will be sent back to the requester. This will be via email, unless the requester has specified another method by which they wish to receive the response (e.g. post) Goaffpro will only provide information via channels that are secure. When hard copies of information are posted, they will be sealed securely and sent by recorded delivery
After the response has been sent to the requester, the DSAR will be considered closed and archived by the Data Protection Team
There are situations where individuals do not have a right to see information relating to them. For instance:
DSAR (and related) records are stored in Datacenter in N.Virgina, USA (Managed by Amazon Web Services). The DSAR data is retained for a period of up to 3 years.
This policy is to be read in conjunction with the related policies: Data Protection Policy
Disclaimer: This SOP is for the use of intended recipients only and may not be distributed externally. Any reproduction for external distribution in any form without express permission of Goaffpro will attract penal action.