Source: General Data Protection Regulation

Chapter 1: Introduction to Subject Access Requests (SARs)

Purpose and Strategic Application

  • The Subject Access Request (SAR) is a tool designed to help individuals understand how a company processes their personal information. It ensures compliance with the General Data Protection Regulation (GDPR) and holds companies accountable.
  • Importance: Responding to an extensive SAR can be resource-intensive for organizations, making it a powerful tool for individuals seeking transparency.
  • Recommended Approach: To make the SAR more effective, divide it into smaller, manageable inquiries. There is no limit to the number of SARs you can submit, allowing for persistent inquiry.
  • Customisation: Tailor the SAR to address specific concerns about a company’s data processing activities. This customisation ensures relevance and maximises the impact of the request.

Chapter 2: Comprehensive Template for Submitting a Subject Access Request (SAR)

1. Template Structure

a. Introduction
When submitting a Subject Access Request (SAR) under Article 15 of the General Data Protection Regulation (GDPR), it is crucial to begin with a clear and concise introduction. The introduction should explicitly state the purpose of the request and reference the relevant GDPR provisions. For example:

“I am writing to formally request access to the personal data that your organisation processes about me, as entitled under Article 15 of the GDPR. This request pertains to all data held in both electronic and physical formats, across all systems and databases.”

b. Identity Verification
To ensure the security of personal data, it is standard practice to include documentation that verifies the requester’s identity. Acceptable forms of identification may include a passport, driving licence, or a recent utility bill. The importance of verifying identity before releasing personal data was emphasized in Durant v Financial Services Authority [2003] EWCA Civ 1746, where the court highlighted the need for stringent verification processes.

c. Response Time Expectation
In accordance with GDPR Article 12(3), the organisation is obligated to respond to an SAR within one calendar month. The template should inform the company of this timeline and the potential escalation to the Information Commissioner’s Office (ICO) if a timely response is not received:

“Please be advised that you are required to respond to this request within one calendar month, as mandated by GDPR. Failure to comply may result in a formal complaint being lodged with the Information Commissioner’s Office.”

2. Specific Inquiries

a. Data Processing Confirmation
The SAR should include specific inquiries to confirm whether personal data is being processed. Key points to address include:

  • Confirmation of Data Processing: Request a formal confirmation of whether any personal data relating to you is currently being processed.
  • Categories of Data Held: Ask for a detailed description of the categories of personal data held by the organisation, as reinforced in Nowak v Data Protection Commissioner [2017] C-434/16.
  • Data Storage and Accessibility: Inquire about the locations where personal data is stored and accessible, including any cross-border transfers, particularly in light of Schrems II [2020] C-311/18, which emphasised the need for clear information about data transfers outside the EU.
  • Access to Personal Data: Request access to or copies of all personal data held by the organisation.

b. Usage of Personal Data
A detailed account of how personal data is being used is essential to understanding the scope of processing. The SAR should include inquiries such as:

  • Purpose of Data Processing: Request detailed information on the purposes for which your personal data has been, is being, or will be used.
  • Legal Basis for Processing: Ask for the legal grounds on which the organisation relies for processing your data, as required under GDPR Article 6(1).

c. Sharing of Personal Data
Understanding who has access to your personal data is crucial. The SAR should inquire about:

  • Third-Party Data Sharing: Request a list of all third parties with whom your personal data has been or may be shared.
  • Jurisdictions and Legal Grounds for Data Sharing: Inquire about the jurisdictions involved in data sharing and the legal grounds for such transfers, in light of the Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 case, which addressed employer liability in data breaches.
  • Data Sharing Safeguards: Request details of the safeguards in place to protect shared personal data, particularly when transferred outside the EU.

d. Data Retention Periods
In accordance with GDPR Article 5(1)(e), the organisation must only retain personal data for as long as necessary. The SAR should include:

  • Retention Periods: Request specific retention periods for each category of personal data held by the organisation.
  • Criteria for Retention: Inquire about the criteria used to determine retention periods if specific timeframes are not provided.

e. Data Collection Sources
To ensure transparency, the SAR should ask for information about the sources from which personal data has been collected:

  • Source of Data: Request details of any sources other than yourself from which personal data has been obtained, as outlined in Google Spain SL v Agencia Española de Protección de Datos [2014] C-131/12.

f. Automated Decision-Making
Given the impact of automated processing on individuals, it is important to inquire about:

  • Automated Decisions and Profiling: Request information on any automated decision-making processes, including profiling, that affect your data. Inquire about the logic involved and the potential consequences, as highlighted in Lloyd v Google LLC [2021] UKSC 50.

g. Data Breach History
Transparency regarding any data breaches involving your personal data is critical. The SAR should request:

  • Disclosure of Data Breaches: Ask for details of any data breaches involving your personal data, including the nature of the breach, the assessment of risk, and the measures taken to address it, as demonstrated in Equifax Inc. v Federal Trade Commission.

h. Information Security Policies
To ensure that your data is adequately protected, inquire about the organisation’s security measures:

  • Security Policies and Standards: Request information about the organisation’s security policies and standards, such as ISO 27001 certification.
  • Data Backups and Security Measures: Inquire about the procedures in place for data backups, storage, and overall security.

i. Employee and Contractor Access
Finally, it is important to understand how your data is accessed within the organisation:

  • Preventing Unauthorized Access: Request details of the technologies or procedures used to prevent unauthorized disclosure of personal data by employees or contractors.
  • Incidents of Improper Access: Inquire about any incidents where improper access to your data occurred and request information on the training and awareness measures in place, as seen in Case C-708/18 TK and Others v Asociația de Proprietari bloc M5A-ScaraA.

Conclusion

  • If the request falls outside the recipient’s remit, the template should ask them to forward it to the appropriate Data Protection Officer (DPO) or relevant staff member.

Chapter 3: Response Timeframe and Escalation

GDPR Response Requirements

  • Response Timeframe: According to GDPR Article 12(3), companies must respond within one month, with an extension of two months if the request is complex.
  • No Response: If no satisfactory response is received within three months, a complaint can be filed with the Information Commissioner’s Office (ICO).

Imagined Response from the ICO

  • Scenario: When a typical organisation receives a complex SAR, it may struggle to respond adequately, leading to delays or incomplete responses.
  • Sample ICO Communication: Example letter from the ICO initiating an investigation into a company’s data processing practices based on a complaint from a data subject.

Sample Communication from the ICO

1. Full Disclosure Request
The Information Commissioner’s Office (ICO) may issue a formal request for the complete disclosure of all personal data processed by an entity. This request typically seeks a digital copy of all data to ensure transparency and compliance with data protection laws, as established in Durant v Financial Services Authority [2003] EWCA Civ 1746, which highlighted the importance of transparency in data handling.

2. Data Provenance
The ICO often investigates the origins of social media data that was not directly provided by the individual. This inquiry aims to determine whether the data was lawfully obtained, in line with the principles of fairness and transparency as outlined in the GDPR and reinforced by the ruling in Google Spain SL v Agencia Española de Protección de Datos (AEPD) [2014] C-131/12.

3. Data Profiling and Tracking
Concerns regarding profiling and tracking activities are subject to scrutiny, particularly the legal basis for such practices. The case of Lloyd v Google LLC [2021] UKSC 50 underscores the need for a legitimate interest assessment to justify profiling activities under GDPR Article 6(1)(f).

4. Marketing Data Processing
The ICO may request detailed information on how personal data is processed for marketing purposes and the identities of any third parties with whom this data is shared. This scrutiny is aligned with the principles established in Case C-40/17 Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV [2019], which dealt with data sharing responsibilities in marketing contexts.

5. Data Storage and Access Locations
Clarification is often sought on where personal data is stored and who has access to it. The GDPR requires transparency regarding the location of data storage, particularly when data is processed in multiple jurisdictions.

6. Cloud Services Usage
Any discrepancies in the use of cloud services for data storage and processing are closely examined. The ICO may seek an explanation to ensure compliance with data protection regulations, particularly in light of cases like Schrems II [2020] C-311/18, which highlighted concerns about data transfers to cloud providers outside the EU.

7. Third-Party Data Sharing
The ICO may require clarification of data sharing practices with third parties, including the jurisdictions involved. The need for clear data-sharing agreements was emphasized in Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, where the court discussed employer liability in data breaches.

8. Data Transfer Outside the EU
Confirmation of whether personal data is transferred outside the EU, and details of the safeguards in place, are essential. This is particularly relevant following the Schrems II decision, which invalidated the EU-US Privacy Shield and necessitated additional safeguards for international data transfers.

9. Retention Periods
The ICO may request specific retention periods for each category of personal data. Compliance with the principle of storage limitation under GDPR Article 5(1)(e) is critical to ensuring data is not kept longer than necessary.

10. Data Breach Reporting
Entities must disclose any breaches involving personal data, particularly those occurring in data centers outside the EU. The case of Equifax Inc. v. Federal Trade Commission highlighted the importance of timely breach reporting and the consequences of failure to do so.

11. Notification of Breaches
If a breach occurred, the ICO may investigate the reasons for any failure to notify EU data protection authorities. The GDPR mandates prompt notification under Articles 33 and 34, with significant penalties for non-compliance.

12. Mitigation Measures
Details of the steps taken to protect personal data, including encryption, data minimization, and anonymization, are often requested. The case of Information Commissioner’s Office v CRB Contractors Ltd [2021] UKICO exemplifies the importance of robust mitigation measures in data protection.

13. Security Policies
The ICO may address concerns regarding an organization’s security policies, including backup and archival procedures. Ensuring that such policies are in line with GDPR requirements is crucial for compliance, as discussed in Common Services Agency v Scottish Information Commissioner [2008] UKHL 47.

14. Employee Training
Documentation of employee training and awareness programs is frequently requested. Effective training is essential for ensuring that staff understand their responsibilities under data protection laws, as reinforced in Case C-708/18 TK and Others v Asociația de Proprietari bloc M5A-ScaraA.

15. Data Loss Prevention
A description of the measures in place to prevent data loss and protect against breaches is necessary. Ensuring that these measures are robust and in compliance with GDPR is a key aspect of data protection governance.


Additional Information on GDPR Remedies

1. Overview of GDPR Rights
The General Data Protection Regulation (GDPR) provides individuals with a robust framework of rights aimed at protecting personal data and ensuring transparency in its processing. Key rights under GDPR include:

  • Right to Rectification: This right allows individuals to request the correction of inaccurate or incomplete personal data, as emphasized in Case C-131/12 Google Spain SL v Agencia Española de Protección de Datos.
  • Right to Erasure (“Right to be Forgotten”): Individuals can request the deletion of their personal data in certain circumstances, as highlighted in NT1 & NT2 v Google LLC [2018] EWHC 799 (QB).
  • Right to Data Portability: This right enables individuals to receive their personal data in a structured, commonly used, and machine-readable format, facilitating the transfer of data to another service provider, as affirmed in Nowak v Data Protection Commissioner [2017] C-434/16.
  • Right to Object to Processing: Individuals may object to the processing of their personal data, particularly in cases involving direct marketing or profiling, as discussed in Lloyd v Google LLC [2021] UKSC 50.

2. Practical Applications of GDPR Rights

Rectification Request
An example of exercising the right to rectification could involve a request to correct erroneous profiling data. For instance, if an individual discovers that their profile inaccurately categorizes them based on incorrect assumptions or outdated information, they are entitled to request a correction under GDPR Article 16. The importance of accurate data was emphasized in Durant v Financial Services Authority [2003] EWCA Civ 1746, where the court highlighted the need for precise data management.

Data Deletion Request
An individual may also request the deletion of specific data that is unjustly retained. For example, if profiling data related to meal choices is deemed discriminatory or unnecessary, a request for its deletion can be made under GDPR Article 17. The principle of data minimization, as discussed in Google Spain SL v Agencia Española de Protección de Datos [2014] C-131/12, supports the deletion of data that is no longer relevant.

Third-Party Vendor Data Deletion
A practical application of the right to erasure involves requesting the deletion of contact information from third-party vendors who were provided with personal data without the individual’s explicit consent. The case of Case C-210/16 Wirtschaftsakademie Schleswig-Holstein GmbH highlighted the responsibility of data controllers in managing third-party data sharing.

Data Portability Request
An individual may exercise the right to data portability by requesting their financial data in a CSV format, enabling them to transfer it to another service provider within the EU. This right, protected under GDPR Article 20, is crucial for ensuring that individuals maintain control over their financial information, as reinforced in Nowak v Data Protection Commissioner [2017] C-434/16.

Objection to Unwanted Marketing
An individual may also invoke the right to object under GDPR Article 21 to stop receiving marketing communications, particularly those related to sensitive areas such as gambling. The case of C-708/18 TK and Others v Asociația de Proprietari bloc M5A-ScaraA underscores the significance of upholding an individual’s right to object to unwanted data processing.

3. Escalation Procedures

If an individual’s requests under GDPR are not adequately addressed, escalation procedures may be necessary. The following steps can be taken:

  • Internal Review Request: Initially, the individual should request an internal review from the data controller, demanding a reconsideration of their original request.
  • Lodging a Complaint with the ICO: If the issue remains unresolved, the individual can escalate the matter by filing a complaint with the Information Commissioner’s Office (ICO). The case of Information Commissioner’s Office v CRB Contractors Ltd [2021] UKICO illustrates the consequences of non-compliance with GDPR requests.
  • Judicial Review or Civil Claim: As a final measure, the individual may seek a judicial review or pursue a civil claim for damages if they believe their GDPR rights have been infringed. The ruling in Vidal-Hall v Google Inc [2015] EWCA Civ 311 established the potential for compensation where data protection rights have been breached.

Chapter 6: Filing a Complaint with the Information Commissioner’s Office (ICO)

1. Steps for Filing a Complaint

a. Gather All Relevant Documentation
Before proceeding with a complaint, it is essential to compile all necessary documentation. This includes records of your Subject Access Request (SAR), proof of submission, and any subsequent communications with the organisation. The importance of maintaining a comprehensive record is underscored in R (on the application of NT1 and NT2) v Google LLC [2018] EWHC 799 (QB), where the adequacy of evidence was crucial to the case’s outcome.

b. Access the ICO Website
To begin the complaint process, visit the official Information Commissioner’s Office (ICO) website. Navigate to the complaint section, which provides resources and guidance on submitting a complaint. The website serves as the primary portal for initiating your grievance, as outlined in the ICO’s procedural guidelines.

c. Complete the ICO Complaint Form
The next step involves completing the ICO complaint form. This form requires you to provide:

  • Personal Details: Your name, contact information, and any relevant identification details.
  • Organisation Details: The name and contact information of the organisation against which the complaint is being made.
  • Description of the Issue: A clear and concise explanation of the issue, supported by relevant documentation.
  • Supporting Documents: Attach all pertinent documents, such as the SAR, correspondence, and any evidence of non-compliance.

The importance of comprehensive documentation was highlighted in Holyoake v Candy [2017] EWHC 52 (QB), where thorough evidence played a key role in the case.

d. Submit the Complaint
Once the form is complete, you may submit the complaint online through the ICO’s website or via mail. It is advisable to keep a confirmation of the submission for your records. This confirmation serves as proof that the complaint was filed, which may be necessary if the matter progresses to further legal action.

2. ICO Investigation Process

a. Investigation Timeline
The ICO will review the complaint according to its established investigation process. The timeline for investigation can vary depending on the complexity of the issue. The ICO’s role in reviewing complaints is guided by its statutory duties under the Data Protection Act 2018, as demonstrated in Information Commissioner’s Office v CRB Contractors Ltd [2021] UKICO.

b. Follow Up and Resolution
It is important to monitor the progress of the complaint after submission. The ICO may request additional information or clarification during the investigation. Understanding the resolution process is crucial, as it provides insight into the potential outcomes, which may include corrective actions, fines, or further recommendations to the organisation.

c. Further Legal Action
If the ICO’s involvement does not resolve the issue to your satisfaction, you may consider pursuing additional legal avenues. This could include seeking a judicial review or filing a civil claim for damages under the GDPR. The case of Vidal-Hall v Google Inc [2015] EWCA Civ 311 exemplifies the potential for further legal recourse when regulatory interventions fail to provide adequate redress.


Chapter 7: Non-Response to SARs and Escalation

1. Actions to Take if No Response is Received

a. Send a Reminder
If you do not receive a response to your Subject Access Request (SAR) within the statutory timeframe of one calendar month, the first step is to send a follow-up communication. This reminder should reference your original SAR, the date it was submitted, and the GDPR requirements that mandate a timely response. The importance of persistence in securing compliance was highlighted in Durant v Financial Services Authority [2003] EWCA Civ 1746, where the court emphasized the data subject’s right to access personal data.

b. Escalate to the Data Protection Officer (DPO)
Should the initial reminder go unanswered, escalate the matter directly to the organisation’s Data Protection Officer (DPO). The DPO is responsible for ensuring compliance with GDPR within the organisation, as mandated by Article 37 of the GDPR. Direct engagement with the DPO can sometimes expedite the response process, as seen in R (on the application of NT1 and NT2) v Google LLC [2018] EWHC 799 (QB), where the DPO’s involvement was crucial in addressing data access issues.

c. File a Complaint with the ICO
If the organisation continues to ignore your request, the next step is to file a formal complaint with the Information Commissioner’s Office (ICO). Your complaint should include:

  • Details of the Original SAR: The date of submission and a summary of the information requested.
  • Proof of Submission: Any evidence that the SAR was properly submitted, such as emails or postal receipts.
  • Follow-Up Communications: Copies of any reminders or communications sent to the organisation following the initial SAR submission.

Filing a complaint with the ICO is a formal process, and as demonstrated in Holyoake v Candy [2017] EWHC 52 (QB), well-documented complaints can lead to significant regulatory scrutiny and potential penalties for non-compliant organisations.

d. Consider Legal Action
If the ICO’s intervention does not yield a satisfactory resolution, you may need to seek legal advice. Legal action could include pursuing compensation for damages resulting from the organisation’s failure to comply with GDPR. The case of Vidal-Hall v Google Inc [2015] EWCA Civ 311 set a precedent for compensation claims under data protection law, highlighting the potential for monetary redress when rights are infringed.

2. Importance of Documentation

a. Document Everything
Throughout the entire process, it is essential to keep a detailed record of all communications and actions taken. This includes copies of all letters, emails, reminders, and responses. Comprehensive documentation is crucial for supporting your case in any future complaints or legal proceedings, as emphasized in Case C-524/06 Huber v Bundesrepublik Deutschland [2008] ECR I-9705, which underscored the importance of evidence in data protection cases.

3. Public Awareness and Advocacy

a. Public Awareness
In some cases, raising public awareness about an organisation’s failure to respond to a SAR can exert additional pressure. However, it is important to consider the privacy implications and ensure that any public communication does not inadvertently disclose personal data. Public campaigns have been effective in cases like Equifax Inc. v Federal Trade Commission, where public scrutiny led to heightened regulatory action.

b. Engage Data Privacy Advocacy Groups
Seeking support from consumer rights organisations or data privacy advocacy groups can also amplify pressure on the non-compliant organisation. These groups can provide resources, advocacy, and potentially legal support, as demonstrated in Google Spain SL v Agencia Española de Protección de Datos (AEPD) [2014] C-131/12, where advocacy played a significant role in the case’s outcome.


Example Templates:

Example Subject Access Request Template


“Add Your Address”

“Add Their Address”

DATE: “Add The Date”

Your Ref: “Add Their Reference Number If Known”

Dear Sir or Madam, (Add DPO Name if known)

I am writing to formally submit a Subject Access Request for a copy of the information that you hold about me, to which I am entitled under the General Data Protection Regulation (GDPR) 2018.

You can identify my records using the following information:

  • Full name:
  • Address:

Please provide the following information:

  1. Confirmation of Processing: Please confirm whether you are processing my personal data.
  2. Access to My Personal Data: I request a copy of all personal data you hold concerning me.
  3. Purpose of Processing: Provide detailed information on the purposes for which you are processing my personal data.
  4. Categories of Personal Data: Specify the categories of personal data that you process.
  5. Data Recipients: Identify the recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. Data Retention: Outline your retention period for storing my personal data, or if this is not possible, explain the criteria used to determine this period.
  7. Rights Confirmation: Confirm my right to request rectification, erasure, restriction of processing, or to object to the processing of my personal data.
  8. Right to Lodge a Complaint: Confirm my right to lodge a complaint with the Information Commissioner’s Office (ICO) or another relevant supervisory authority.
  9. Source of Data: If my personal data was not collected directly from me, please provide detailed information regarding its source.
  10. Automated Decision-Making: Inform me of the existence of any automated decision-making processes, including profiling, that involve my personal data.
  11. International Data Transfers: Describe the safeguards in place if my personal data is transferred to a third country or international organization.

Additionally, I request the following:

  1. Data Usage Mapping: Provide details of the data mapping process used to track how my personal data is processed and managed within your organization.
  2. Regulatory Compliance Procedures: Describe the compliance processes you have implemented to ensure that my data is handled in accordance with legal and regulatory requirements.
  3. Third-Party Access: List all third parties, including partners or service providers, who have been granted access to my personal data, along with the purpose for which this access was provided.
  4. Legal Basis for Processing: Clarify the legal basis for processing each category of my personal data. If you do not have a legitimate legal basis for holding any of my data, please delete that data and provide the necessary documentation to confirm the deletion.

I expect to receive your response to this request within one calendar month, as required by the GDPR. If you are not the appropriate person to handle this request, kindly forward it to your Data Protection Officer or the relevant department.

Thank you for your prompt attention to this matter.

“Add Your Name”
Strictly Private & Confidential
No Onward Chain Permitted


Advanced Subject Access Request Template

“Add Your Address”

“Add Their Address”

DATE: “Add The Current Date”

Your Ref: “Add Their Reference Number If Known”

Dear Sir/Madam, (Add DPO Name If Known)

Under Article 15 of the General Data Protection Regulation (GDPR) 2018, I would like to submit the following Subject Access Request to better understand how you process my personal information:

Subject: Urgent Data Subject Access Request and Information Security Concerns

In light of recent developments, I am increasingly concerned that your company’s data handling practices may be exposing my personal information to undue risk, or may have already breached your legal obligations to protect my data. This concern is particularly heightened by reports of incidents similar to those documented in the article linked below:

T-Mobile Says Hack Exposed Personal Data of 40 Million People – The New York Times (nytimes.com)

I have enclosed documentation necessary to verify my identity. Should you require any further information, please do not hesitate to contact me at the address provided above.

To address these concerns, I am formally requesting the following information under the General Data Protection Regulation (GDPR):

Confirmation of Processing

  1. Processing Status: Confirm whether or not my personal data is currently being processed. If so, provide details on the categories of personal data held in your systems, including databases, email systems, documents, and any other media or storage forms that may contain my data.
  2. Geographical Data Storage: Specify the countries where my personal data is stored or accessible from, particularly if cloud services are employed. Include information on current and past storage locations over the last 12 months.
  3. Access to Personal Data: Provide me with a complete copy of, or access to, all personal data that you have processed, are processing, or plan to process.

Details of Data Usage

  1. Specific Uses: Offer a detailed explanation of how my personal data has been, is being, or will be used within your organisation.

Third-Party Data Sharing

  1. Disclosure to Third Parties: List all third parties to whom my personal data has been or may have been disclosed. If you cannot confirm specific entities, provide a list of potential third parties with access to my data.
  2. Jurisdictional Information: Clarify the jurisdictions associated with these third parties and provide the legal grounds for transferring my personal data to these regions. Include any safeguards applied during these transfers, and provide documentation of these safeguards.

Data Retention Policies

  1. Retention Periods: State how long my personal data is retained, or provide the criteria used to determine the retention period for each category of personal data.

Source of Data Collection

  1. Data Origin: If any personal data was collected from sources other than myself, please provide full details of these sources as required by Article 14 of the GDPR.

Automated Decision-Making

  1. Automated Processing: If any automated decision-making, including profiling, has been applied to my data, please provide details of the logic used, the significance of the process, and its potential consequences.

Data Security Breaches

  1. Disclosure of Security Breaches: Inform me whether my personal data has ever been inadvertently disclosed or compromised due to a security or privacy breach. For each incident, include:
    • A general description of what occurred.
    • The estimated date and time of the breach.
    • When the breach was discovered.
    • The source of the breach, whether internal or through a third party.
    • Details of the specific personal data involved.
    • An assessment of the potential harm to me resulting from the breach.
    • Measures taken to prevent further breaches.
    • Contact information for further assistance.
    • Advice on how I can protect myself from any resultant harm, such as identity theft.
  2. Mitigation Measures: If there is uncertainty regarding whether my data has been exposed, please outline the measures you have implemented, such as encryption, data minimisation, anonymisation, or pseudonymisation.

Information Security Policies

  1. Security Standards and Practices: Provide a detailed overview of your information security policies, including whether your organisation adheres to ISO 27001 standards. Specifically, include information on:
    • Backup practices for my data, including the media used and security measures in place.
    • Technologies or processes ensuring the protection of my data from loss, theft, or unauthorised access, including encryption and intrusion detection systems.

Employee and Contractor Management

  1. Internal Data Management Practices: Explain the technologies and business procedures in place to monitor and prevent unauthorised disclosure of personal data by employees or contractors, including through email, webmail, or instant messaging.
  2. Incident Reporting: Indicate whether any employees or contractors have been dismissed or legally charged for improper access to my data, or similar cases involving other customers in the last twelve months.
  3. Training and Compliance: Describe the training and awareness initiatives you have implemented to ensure that your staff and contractors handle my personal data in strict compliance with GDPR requirements.

If your organisation does not typically handle such requests, please forward this letter to your Data Protection Officer or the appropriate personnel. Should you require guidance, the Information Commissioner’s Office (ICO) can be contacted via their website at ico.org.uk or by phone at 0303 123 1113.

I anticipate your full response within the one-month period stipulated by GDPR. Failure to provide the requested information within this timeframe will result in a formal complaint being lodged with the ICO.

Thank you for your prompt attention to this matter.

Yours faithfully,

“Add Your Name”
Strictly Private & Confidential
No Onward Chain Permitted

