Supporting Documents
- Subject Access Request Form
- Subject Access Response Form
Data subjects have a right, under the General Data Protection Regulation, to know what personal data we hold on them. If you wish to access such data you need to submit a Subject Access Request
How to Request Data
Please complete and submit an SAR form (available on our website – give the link) and submit this with evidence of your identity. If this evidence is not provided we cannot comply with the request.
We normally comply with requests at no cost unless the request is unusually complex. If this is the case, we will contact you and discuss the fee with you.
On receipt of an SAR our Data Protection Officer checks;
- The validity of the access request
- That sufficient material has been supplied to definitively identify the applicant
- That sufficient information to locate the data has been supplied.
If it is not clear what data you are requesting, our Data Protection Officer will ask you for more information. This could involve identifying the databases, locations or files to be searched or
giving a description of the interactions you have had with Phoenix STS.
The Data Protection Officer log the date of receipt of valid requests and keeps note of all steps taken to locate and collate data and monitor the process of responding to the request – observing the time limit of 40 days.
We supply the data in an intelligible form (include an explanation of terms if necessary) and include a description of purposes, disclosee and source of data (unless revealing the source would be contrary to the public interest) in a Subject Access Response Form which is signed-off by the Managing Director.
The time limit for complying with an access request is 40 days. If we are unable to meet this timeline we will contact you to inform you that an extension of time is required.
In the unlikely event of us refusing to process your subject access request for any reason we will contact you to provide an explanation. You have a right to appeal our decision to the Office of the Data Protection Commissioner.