The GDPR gives individuals the right to know what information is held about them by Drive Lines Technologies Ltd (hereinafter referred to as Drive Lines). It provides a framework to ensure that personal information is handled properly.
This document sets out our policy for responding to subject access requests under the General Data Protection Regulation. All Drive Lines staff are contractually bound to comply with the GDPR.
Drive Lines welcome the rights of access to information that are set out in the GDPR. We are committed to operating openly and to meeting all reasonable requests for information that are not subject to specific exemption.
How do you make a Subject Access Request?
A subject access request is a written request for personal information (aka personal data) held about you by Drive Lines. Generally, you have the right to see what personal information we hold about you, you are entitled to be given a description of the information, what we use it for, who we might pass it onto, and any information we might have about the source of the information. However, this right is subject to certain exemptions that are set out in the GDPR.
Requests should be sent by
What is personal data?
Personal data is information that relates to a living individual who can be identified from the information and which affects the privacy of that individual, either in a personal or professional capacity. Any expression of opinion about the individual or any indication of the intentions of any person in respect of the individual will be personal data.
Provided the information in question can be linked to an identifiable individual, the following are likely to be examples of personal data held by Drive Lines depending on the category of the individual:
- Name, address, job title,
- An individual’s salary or financial information and employment status
- An individual’s personal circumstances including family life
- Special category personal information – including racial or ethnic origin, physical or mental health
What do we do when we receive a subject access request?
Checking of identity:
We will first check that we have enough information to be sure of your identity.
If the person requesting the information is a relative/representative of the individual concerned, then the relative/representative is entitled to personal data about themselves but must supply the individual’s consent for the release of their personal data. If you have been appointed to act for someone under the Mental Capacity Act 2005, you must confirm your capacity to act on their behalf and explain how you are entitled to access their information.
Should you make a data subject access request but you are not the data subject, you must stipulate the basis under the GDPR that you consider makes you entitled to the information.
Collation of information
We will check that we have enough information to find the personal information you requested. If we feel we need more information, then we will promptly ask you for this. We will gather any manual or electronically held information.
When responding to a subject access request that involves providing information that relates both to the individual making the request and to another individual we do not have to comply with the request if to do so would mean disclosing information about another individual who can be identified from that information, except where:
- The other individual has consented to the disclosure
- It is reasonable in all the circumstances to comply with the request without that individual’s consent
Issuing our response
Once any queries around the information requested have been resolved, copies of the information in a permanent form will be sent to you except where you agree, where it is impossible, or where it would involve undue effort. In these cases, an alternative would be to allow you to view the information at our premises in Bedford. Unless specified otherwise, we will also provide a copy of any information that you have seen before.
Timeframe and costs
We have 30 calendar days starting from when we have received all the information necessary to identify you, to identify the information requested, to provide you with the information or to provide an explanation about why we are unable to provide the information. In many cases, it will be possible to respond in advance of the
The GDPR rules mean we are not permitted to charge you for access to this information.
Please note we may not respond to access requests if the frequency of request is unreasonable.
The GDPR contains a number of exemptions to our duty to disclose personal information and we may seek legal advice if we consider that they might apply. Possible exemptions would be to safeguard:
- National and public security
- The prevention, investigation, detection or prosecution of criminal offences
- Important public, economic or financial interests
- Legislative matters including HMRC considerations
- The protection of others individual rights
- The enforcement of civil law matters
What if you identify an error in our records?
If we agree that the information is inaccurate, we will correct it and, where practicable, destroy the inaccurate information. We will consider informing any relevant third party of the correction. If we do not agree or feel unable to decide whether the information is inaccurate, we will make a note of the alleged error and keep this on file.
Review of this Document
We keep this document under regular review. This document was last updated in April 2018.