Data Subject Consent Form
The General Data Protection Regulations (GDPR) entitle individuals to request access to any personal data that The cooperative holds about them. This is known as Data Subject Access Request (DSAR). This document outlines the procedures
surrounding making and responding to a DSAR.
A DSAR is where an individual, using their rights under GDPR, makes a request for a copy of the personal data an organisation holds on them, or details of what data is held and its source. A DSAR does not have to reference GDPR, the term “Data Subject Access Request” or any legislative rights.
Procedures For Making A DSAR
DSAR’s can be made verbally, via email or in writing to the cooperative’s Data
Protection Officer (DPO), at the address below;
3 Atabara Street
If a DSAR is made verbally then the requester should be asked to put their request in writing, to allow The cooperative to understand the nature of the DSAR and to
verify the identity of the requester.
Where a request is received elsewhere in the cooperative, the Data Protection Officer should be immediately informed so they can deal with the request with no
undue delay.Once the request is received, the Data Protection Officer will confirm the identity of the requester and assess the scope of the request.
Confirming the Identity of the Requestor:
Additional information may be requested to evidence the identity of the requester.
This can be established by the production of two or more of the following:
- Current passport
- Current driving license
- Recent utility bill with current address
- Birth/marriage certificate
- Recent credit card/deed of assignment/c of o/mortgage statement
If the cooperative is not satisfied with the identity of the requester, then the request will not be granted to avoid inadvertent data breach.
If a request is made by a person seeking the personal data of a data subject, and which purports to be made for that data subject, then a response must not be
provided unless and until written authorisation has been provided by the data subject. The cooperative should not approach the data subject directly, but should inform the requester that it cannot respond without the written authorization of the data subject. Where consent cannot be obtained, or is denied, the DPO will consider the reasons and the cooperative’s duty of care to both parties to decide whether to disclose the information.
Where the parent of a minor makes a request, consideration must be given as to whether the minor is mature enough to understand their rights. If it is considered that the minor cannot understand their rights, then the response should be sent directly to the parent.
Fee for Responding to Requests:
The cooperative will usually deal with a DSAR free of charge, however, a fee may be charged in the following circumstances;
- Where a request is manifestly unfounded or excessive, or the cooperative refuses to respond to the request. This will be stated in writing
highlighting the reasons for refusing to respond.
- Where a repeat request for the same information is made.
Process for dealing with a DSAR:
Once the identity of the data subject (or the right/authority to request the data where the data subject is not the requester) is ascertained, the Data Protection Officer will kick start the process of contacting the appropriate departments to collect and collate the information.
The DPO will take all reasonable and proportionate steps to identify and disclose all
data relating to the request.
To locate the correct information within the cooperative, the DPO may ask the
requester to confirm exactly what information they are requesting, or where
they believe the information may be stored.
Where the information contains reference to third parties the DPO will redact (blank out) the third parties. Where this is impossible, and consent from the third party has
not been received the information will not be disclosed.
The information provided in reply to a request must be that which the cooperative holds (subject to any exemptions) at the time the request is received. However, DPR allows routine updating and maintenance of the data to continue between the date on which the request is received and the date when the reply is dispatched. This means
that the information provided to the individual may differ from that which was held at the time when your request was received as a result of normal processing.
The DPO will ensure that the information disclosed is clear and technical terms are
clarified and explained.
The response should be provided in a written format, via email or letter, including an explanation of the types of data provided and whether, and as far as possible
for what reasons, any data has been withheld.
Period For Responding To A DSAR
The cooperative has one month to respond to a DSAR. This will run from:
- The date of the request;
- The date when any additional identification, or other information requested,
- Payment of any required fee.
The period of response may be extended by a further two calendar months in relation to complex requests. If it is decided that due to the complexity of the request an extension of the period for response is required, the DPO will notify the requester
within one calendar month of receiving the request, together with the reasons as to
why this is considered necessary.
If a request is received during festive periods/end of the year, a response may not be feasible within the stipulated one month period because some key staff may be on vacation. If a receipt is received during this period, The cooperative will send out an initial
acknowledgement of the request, followed by a further acknowledgement as soon
as possible following the start of a new year setting out details of when a full response
will be provided (not later than one month into the new year)
Contacts & Complaints
Enquiries regarding this procedure or The cooperative’s Data Protection Policies should be directed to The cooperative’s DPO using the contact details listed on page 1.