FLETCHER’S BUSINESS SOLUTIONS (FBS) PRIVACY NOTICE
1. Who we are
We are Fletcher’s Business Solution, the owner and operator of www.fletchbiz.co.uk (referred to as “we”, “us” and “our” in this privacy policy) Fletcher’s Business Solutions is the controller responsible for personal information processed by it.
It is important that you read this privacy policy carefully so that you are fully aware of how and why we use your personal information. We do not knowingly collect personal information relating to children under the age of 16 and children under the age of 16 should not use this website.
We have appointed a data protection officer to oversee our data protection and privacy practices. If you have any questions about this privacy policy or if you wish to exercise your legal rights set out in this privacy policy, please contact our company using the details at the bottom.
We are committed to protecting and respecting your privacy. This privacy policy explains the types of personal information we collect, how we use that information, who we share it with, how we protect that information, and your legal rights in relation to your information.
2. Information we may collect from you
During the course of our relationship with you, we may need to collect and process data about you. The types of data that we will require will fall broadly into one of the categories below:
Type of Personal Information Description
| Contact | Name, telephone, address, email address and how to contact you |
|---|---|
| Financial | Bank details, credit information |
| Public | Details from the electoral register, companies house, and other information publicly available about you or your business |
| Special | Criminal records data – this is only stored for Insurance customers currently, please see how your data is used section for further details on this |
| Permission | Permissions you have granted us to use your data, primarily for marketing purposes |
| Documentation | Data stored in documents you have sent us, such as bills and contracts from suppliers to enable us to help you switch, or leases to prove change of tenancy where required. |
| Technical Data | The types of equipment and software, IP addresses, geographical location, operating system and browser type you use to access our online services where available. |
| Analytics | Data that tells us how you have navigated across our websites, selected certain preferences on our website, what number you called us on, how long you called us for and the reason for the call etc. |
| Product Specific | Details about the products you have taken, what you are interested in, whether we’ve discussed certain products with you previously. |
We will collect this data during the course of business with you, by one of the following methods:
- When you fill out forms on our sites
- When we communicate with each other by post
- When we talk with each other by telephone
- When we communicate with each other by email
- When we communicate with each other by instant messaging
- When you visit our sites and navigate around the web pages (further detail on this below)
- From completed surveys we send you from time to time
- From your interaction with our social media accounts
In the cases where we are in the course of arranging a contract for you, or have arranged a contract for you in the past, we will also receive data about you via the following methods:
- Details about your insurance policies (including claims) from your insurer(s)
- Details about your energy supply from your energy supplier(s)
- Details about your telecommunications agreements from your telecommunications provider(s)
- Credit reference agencies (eg. Creditsafe) where required to arrange certain contracts with certain suppliers
- Fraud prevention agencies
- Publicly held information from Companies House or the Electoral Register
- Companies that introduce you to us
How we use personal information, the lawful grounds upon which we rely and why
| How might you use my personal information? | What lawful basis will you have to use my personal information in this way? | Why do you use my personal information in this way? |
|---|---|---|
| We may share your personal information with our approved partners and third-party product providers so that they can return a quote to you via our website. For example, if you use our energy or gas service, we will send your personal information to our panel of approved energy provider so that they can return energy quotes to you via our website. | This processing of your personal information is necessary so that we can provide our services to you in accordance with our website terms and conditions. If we process special category data for this purpose, we will do so only if the law allows us to and at all times strictly in accordance with the terms of our policy document. | Without processing your personal information in this way, we would be unable to provide our services to you. |
| We may share your personal information with a limited number of approved third-party data providers in return for further information about you. We use this further information for data enrichment purposes and in order to auto-populate relevant fields within our website journeys to save you time and effort. For example, if you run an energy quote and provide us with your bill of authority, we may search the databases of our approved third-party data providers in order to auto-populate information about your energy usage. | We have a legitimate interest in processing your personal information in this way. | It is in our legitimate interests to process your personal information in this way so that we can provide a more user-friendly, intuitive and enjoyable price and product comparison experience. We know that our customers’ time is valuable and hence we strive to save people everywhere time and money! |
| We may process your personal information for the purposes of providing you with our continuous savings services. For example, if you have previously used our telecom contract service then we may process your personal information in order to renew a contract for you when your existing one ends. | We have a legitimate interest in processing your personal information for the purposes of providing you with our continuous savings services except where our provision of this service necessitates the processing of special category data. We will only process special category data for the purposes of providing our continuous savings services to you with your consent, if the law allows us to and at all times in accordance with the terms of our policy document. | Our continuous savings services, means that we do all of the hard work of generating a quote for you, whenever your product is due for renewal. We generate quotes early which often means that we secure a better price for you via our website than you might obtain yourself by generating a quote on a date which is closer to your renewal date. You can still come back to our website and run your own quotes or simply confirm that the details we hold about you remain correct and then sign your contract directly via our site – thereby saving you time and money! |
| We may process your personal information for the purposes of providing renewal reminders to you. For example, if you opt-in to receive renewal reminders from us and you have previously used our website to compare energy and gas prices, we may send you renewal reminders before your energy or gas contract is due for renewal. We will send your renewal reminder in advance of the date on which we understand your renewal is due. | We will only process your personal information for the purposes of providing renewal reminders to you with your consent. | Renewal reminders mean that you will be given plenty of notice to return to our website to make sure you are getting a great deal before your policy automatically renews or expires. |
| If you opt-in to receive general marketing from us, we may process your personal information for the purposes of providing our general marketing to you. For example, if you opt-in to receive our general marketing, we may send you newsletters, information about our latest offers, products and promotions and more. | We will only process your personal information for the purposes of providing direct marketing to you with your consent. | All of our marketing is carefully drafted and intended always to be topical, relevant and useful for our customers. Those opted-in are first in-the-know! |
| If you opt-in to receive contact from our partners who provide you with the cheapest quotes, we may provide your contact details to those partners so that they can contact you in order to progress a sale. For example, if you opt-in to receive contact from our partners who provide you with the cheapest quotes, one or more of those partners may contact you after you have run a quote via our website. Those partners may contact you for the purpose of assisting you in purchasing a product or service from them. | We will only share your personal information with our partners so that they can contact you in this way with your consent. | We understand that some of our customers prefer to speak to any supplier before purchasing a contract policy. By opting-in to receive contact from our partners who provide you with the cheapest quotes, you may save a lengthy call queue and still purchase your preferred product in your preferred way! |
| If you opt-in to receive contact from our third-party product providers, we may provide your contact details to those providers so that they can contact you in order to progress a sale. For example, if you opt-in to receive contact from our third-party product provider of contracts in the course of completing a quote on one of our other contract journeys, that provider may contact you after you have run a quote via our website. Those providers may contact you for the purpose of assisting you in purchasing a product or service from them. They may share your personal data with any service providers they work with to provide you with a quote. | We will only share your personal information with our third-party product providers so that they can contact you in this way with your consent. | We understand that some of our customers may be interested in other supplier policies whilst completing a particular journey on our website. For example, if you were to complete a quote for a contract for a phone, some customers may also be interested in purchasing energy too. By opting-in to receive contact from our third-party providers who have access to a range of suppliers, you may save having to complete another journey on our website and still purchase an additional service relevant to you. |
| We may process your personal information in order to send you service communications. | This processing of your personal information is necessary so that we can provide our services to you in accordance with our website terms and conditions. | Without processing your personal information in this way, we would be unable to provide our services to you. |
| We may process your personal information in order to detect and prevent financial crime, including fraud. | We have a legitimate interest in processing your personal information for the purposes of detecting and preventing financial crime. | It is in our legitimate interests to process your personal information in this way because financial crime negatively impacts all of us. We take our obligation to investigate, report and hence seek to prevent financial crime extremely seriously and we believe our work in this area benefits the overwhelming majority of our customers who use our website honestly. |
| We may process your personal information and share it with our approved partners and third-party product providers in order to verify that a sale between you and one of our approved partners or third-party product providers has taken place. | We have a legitimate interest in processing your personal information for sales validation and audit purposes. | It is in our legitimate interests to process your personal information in this way so that we can continue to provide our services to you free of charge. This means that when you buy a product or service from a third party via our website, that third party pays us a commission instead. In order to ensure that we are fairly and properly remunerated and able to continue to provide our services free of charge, it is imperative that we are able to audit our approved partners and third-party product providers for sales validation purposes. |
| We may process your personal information in order to personalise or improve aspects of our service delivery and for troubleshooting and other quality control and testing purposes, including for the purposes of responding to any queries or complaints about our services raised by you or our approved partners and third party and product providers. | We have a legitimate interest in processing your personal information in order to ensure that we are always able to provide an excellent quality of service. | It is in our legitimate interests to process your personal information in this way so that we can provide an excellent quality of service. To do this, we regularly monitor and seek to improve our interactions with you and our approved partners and third-party product providers. This helps us to understand how we can better satisfy your needs and hence grow our business. Sometimes we may also need to access your personal information in order to resolve any queries or complaints which are made about our service. Our work in this area ensures that we can continue to provide the level of service which you have rightly come to expect from us. |
| We may process your personal information in order to obtain feedback and reviews for customer research purposes to help us improve and quality control our service this may include the use of trusted independent third parties. | We have a legitimate interest in processing your personal information in order to ensure that we are always able to provide an excellent quality of service. | It is in our legitimate interests to process and share your personal information in this way so that we can provide an excellent quality of service. To do this, we regularly monitor and seek to improve our interactions with you and our approved partners and third-party product providers. This helps us to understand how we can better satisfy your needs and hence grow our business. Our work in this area ensures that we can continue to provide the level of service which you have rightly come to expect from us. |
| We may process your personal information in order to comply with any and all legal and/or regulatory obligations to which we are subject. | This processing of your personal information is necessary so that we can comply with legal obligations to which we are subject. | We operate within a heavily regulated environment and we are subject to numerous laws, rules and requirements. Sometimes it is necessary for us to process your personal information in order to obey the laws, rules and requirements to which we are subject. |
| We may process your personal information with third-party companies, in order to comply with the Financial Conduct Authority, (FCA) or with partners accredited by the FCA. | This processing is necessary as it makes sure we adhere to regulations and are compliant with the FCA. | We need to make sure our services are within these guidelines to make sure the customers are getting a fair service. |
Who do we share your information with?
When you use our services, agree a contract with a supplier or talk to us about services we offer we may share your information with our partners and the third parties below. If you would like to know who your information has been shared with in the course of arranging your contracts, then you can request this information at any time.
Fidelity Energy
VideoTile
Takepayments (FCA accredited)
Carphone warehouse
Also:
- our approved third-party data providers
- our regulators and other regulatory bodies, including the Financial Conduct Authority and the Information Commissioner’s Office (ICO number: ZA468634)
- law enforcement and fraud prevention agencies
- third parties to whom we may sell, transfer or merge parts of our business or assets or third parties whose business or assets we may acquire
- our third-party suppliers (for example, IT software and service providers and marketing agencies).
- third parties we use to collect feedback and reviews on our behalf
What communications you may receive from us
The communications we send to our customers can be categorised broadly as “direct marketing communications” and “service communications”.
a. Direct marketing communications
We understand that some of our customers like to receive only certain types of direct marketing communications. For us, this means drawing a distinction between our renewal reminders and our general marketing which includes our newsletters and information about our latest offers, products and promotions.
Because we draw a distinction between renewal reminders and our general marketing, you can choose to receive renewal reminders but not our general marketing and vice versa. Similarly, if you tell us that you do not want to receive renewal reminders or general marketing from us, we will not send any direct marketing communications to you.
b. Service communications
Service communications broadly comprise of communications which:
- 1. We have a legal or regulatory obligation to send to you (such as communications which we are obliged by our regulator to send to you from time to time);
- 2. We send in connection with the provision of our services to you (such as our “best price” email, which we send to you immediately following your use of our service in order to confirm the best price for a product or service which you have compared via our website); and
- 3. We send so that we can provide services at your request (such as password reset emails, which you may ask us to send if you do not remember your login credentials but want to access our products and services).
Sending personal information outside the European Economic Area (EEA)
We will only ever send personal information to providers outside the EEA if those providers are required to protect personal information in exactly the same way they would be required to protect personal information if they were based within the EEA. This means that we will only send personal information to a non-EEA country if:
- 1. the European Commission has determined that the relevant non-EEA country affords an adequate level of protection for personal information;
- 2. pursuant to agreement between us and the relevant provider based in the non-EEA country which contains data protection clauses adopted or approved by the European Commission;
Data security
The security of personal information is extremely important to us and hence we have put in place appropriate security measures to protect personal information from being accidentally lost, used or accessed in an unauthorised way.
Your Legal Rights
Under the General Data Protection Legislation, you have the following rights, this section explains what they mean and what you can request of us:
1. The right to be informed
We will always explain to you how we are going to use your personal information when you take a contract with us, this could be as part of your application process, or asking how you would like to be marketed to, but also will be set out in the terms and conditions of your agreements with us and within this privacy policy.
2. The right of access
You are entitled to request the personal information we hold on you and how we have processed that information. You can do this simply by contacting us via email, letter or phone and we will respond within 30 days. Additionally, you have the right to certain information in a digital format to use this yourself. Please let us know that you would like this option at the point of requesting your personal information.
3. The right to rectification
If you believe that any of the personal information we hold is incorrect or out of date, please contact us and we will resolve it for you.
4. The right to request we stop processing your information, object to us holding it or delete your information completely
You can ask us to delete, remove or stop using your personal information if there is no reason that we should be holding it or processing it. As stated above, there may be a contractual agreement in place, or we have a legal obligation to process or store your data, and in these circumstances, we will explain whether we can delete your data or stop processing it, this will not be on all occasions. Broadly speaking, where we have asked for your consent to process your data eg. Sending marketing emails, you can withdraw your consent at any time to that sort of processing; or where we are acting under legitimate interests, you will be able to request we stop that processing. We will review any request under these rights and provide you with an answer either agreeing to your request, or explaining why we can’t. Our site also contains links to and from the websites of our partner networks, suppliers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies or data activities on such websites. Please check these policies before you submit any personal data to these websites.
Customers Complaints Policy and Procedures
It is Fletcher’s policy to handle complaints as part of the overall strategy to satisfy the needs of customers using our services. Expressions of dissatisfaction will be considered as important as complaints and plans put in place to remedy the service.
1. Complaints will be handled:
- Confidently
- Fairly
- Promptly
2. Staff will endeavour to:
- Be courteous to the complainant
- Respond positively
- Offer constructively
3. Formal written complaints will be:
- Recorded
- Acknowledged within 14 days
- Notified to senior management
4. The complaints procedure will be:
- Publicly displayed on Fletcher’s website
- Monitored regularly as per Quality Management System
- Reviewed and evaluated periodically as per our Quality Management System
5. Anonymous feedback from courses or word of mouth
- Will be analysed
- Discussed with the trainer
- Discussed with the venue provider
- Corrective action implemented where appropriate
Complaints Procedure
Any person dissatisfied with Fletcher’s services will be encouraged to make this fact known at the point and time of their dissatisfaction to the persons directly involved.
The first person to be advised of the complaint will, if appropriate, endeavour to resolve the difficulty, ensuring that Fletcher’s policy and procedures are followed. If it is not appropriate for the member of staff to deal with the complaint, it will be referred as soon as possible to the Manager.
This is the sequence of activities to be followed within the centre:
- 1. Complaint received
- 2. Entry made on customer complaint form with nature of the complaint
- 3. Complaint formally acknowledged
- 4. If necessary, complaint passed on to the Centre Manager
- 5. Facts ascertained and recorded onto customer complaint form
- 6. Explanations/remedy proposed and recorded onto customer complaint form
- 7. Complainant kept informed
- 8. Outcome recorded onto customer complaint form
- 9. If relevant, concerns from delegates can be forwarded to the awarding organisation
- 10. Report filed by manager in complaints file
If a satisfactory conclusion is not obtained by the customer from the above procedure then the customer has the right to escalate the complaint to the Awarding Organisation who will investigate the complaint until resolved.
Contacting Us
If you have any questions about this privacy policy, or if you wish to exercise your rights as referred to in this privacy policy, please contact us by:
- writing to us at:
Our trading address:
Office 6
Fletcher’s Business Solutions
Bishop Crewe House
North Street
Daventry
NN11 4GH
Or
- Our registered address:
332 Marsh Lane
Erdington
Birmingham
West Midlands
B23 6HP
- mailing our Data Protection Officer by sending an email to:[email protected]
If you would like to request any data we hold about you, please complete our Enquiry Form and email it to [email protected]
1. Data Protection Policy
| Last updated | 20th August 2020 |
|---|
Definitions
| GDPR | means the General Data Protection Regulation. |
|---|---|
| Register of Systems | means a register of all systems or contexts in which personal data is processed by Fletchers Business Solutions. |
1. Data protection principles
Fletcher’s Business Solutions is committed to processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
- a. processed lawfully, fairly and in a transparent manner in relation to individuals;
- b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
2. General provisions
- a. This policy applies to all personal data processed by Fletcher’s Business Solutions.
- b. Karl Whitehead shall take responsibility for Fletcher’s Business Solutions ongoing compliance with this policy.
- c. This policy shall be reviewed at least annually.
- d. Fletcher’s Business Solutions shall register with the Information Commissioner’s Office as an organisation that processes personal data.
3. Lawful, fair and transparent processing
- a. To ensure its processing of data is lawful, fair and transparent, Fletcher’s Business Solutions shall maintain a register of systems.
- b. The register of systems shall be reviewed at least annually.
- c. Individuals have the right to access their personal data and any such requests made to Fletcher’s Business Solutions shall be dealt with in a timely manner.
4. Lawful purposes
- a. All data processed by Fletcher’s Business Solutions must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
- b. Fletcher’s Business Solutions shall note the appropriate lawful basis in the register of systems.
- c. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
- d. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in Fletcher’s Business Solutions systems.
5. Data minimisation
- a. Fletcher’s Business Solutions shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
6. Accuracy
- a. Fletcher’s Business Solutions shall take reasonable steps to ensure personal data is accurate.
- b. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
7. Archiving / removal
- a. To ensure that personal data is kept for no longer than necessary, Fletcher’s Business Solutions shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
- b. The archiving policy shall consider what data should/must be retained, for how long, and why.
8. Security
- a. Fletcher’s Business Solutions shall ensure that personal data is stored securely using modern software that is kept-up-to-date.
- b. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
- c. When personal data is deleted this should be done safely such that the data is irrecoverable.
- d. Appropriate back-up and disaster recovery solutions shall be in place.
9. Breach
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Fletcher’s Business Solutions shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).
2. Data Retention Policy
Purpose
The purpose of this policy is to summarise the procedures for the retention and disposal of information.
This Policy applies to all business units, processes, and systems in all countries in which the Company conducts business and has dealings or other business relationships with third parties.
This policy applies to all information used at the Company. Examples of documents include:
- Emails
- Hard copy documents
- Soft copy documents
- Video and audio
- Contracts
Who is this for?
All employees either permanent or temporary, all clients and businesses, regardless of their length of employment/placement in the service, are required to read and understand this document, so they are fully aligned with the policy of Fletcher’s Business Solutions. This document will be made available to clients or employees on request.
How long do we keep our records?
Records will be kept for as long as they are required to meet the operational needs of Fletcher’s Business Solutions, in compliance with legal and regulatory requirements.
We will regularly look into the retention periods for different categories of information to determine whether the information should be disposed of, or whether it needs to be retained for a longer period of time.
- CONTRACTS– 7 years after expiration or termination
- PERSONAL INFORMATION – 7 years
- INFORMATION POSTED TO WEBSITE FOR PUBLIC – 5 years
- FINANCE RECORDS – 6 years
- EMAILS – 12 months
- CALL RECORDINGS – 6 months
Security of personal information
Fletcher’s Business Solutions will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.
Fletcher’s Business Solutions will store all personal information on our secure (password- and firewall-protected) servers.
The client should acknowledge that the transmission of information over the internet is inherently insecure, and that The Company cannot guarantee the security of data sent over the internet.
Destruction of data
Different types of information will be destroyed in certain ways. For example:
- 1. Non-sensitive information will be disposed of in a normal rubbish bin.
- 2. Confidential information will be disposed of by cross cut shredding and burned.
- 3. Electronic information (anything digitally) will be permanently removed from our database.
3. Subject Access Request Policy
Introduction
Individuals have the right to access their personal data and supplementary information. The right of access allows individuals to be aware of and verify the lawfulness of the processing. Our business must comply with the requirements of the General Data Protection Regulations (GDPR) and we must be able to demonstrate compliance to the Information Commissioner’s Office (ICO).
Individual Rights
An individual has the right to know what information is held about them. GDPR in the UK provides a framework to ensure that personal information is handled properly. This information must be:
- Processed fairly, lawfully and in a transparent manner
- Processed for specific, legitimate and lawful purposes
- Adequate, relevant and not excessive
- Accurate and up to date
- Not kept for longer than necessary
- Processed in line with an individual’s rights
- Secure
- Not transferred other than in accordance with agreed terms and conditions
How do you make a subject access request?
A subject access request is a written request for personal information held about you by Fletcher’s Business Solutions. You have the right to see what personal information we hold about you. You are entitled to be given confirmation as to whether we hold or process your personal information, and if so you are entitled to access all your personal information as well as details of:
- The purposes for which we process your personal data;
- The categories of your personal data we process;
- The recipients, or categories or recipient to whom personal data has been or will be disclosed, in particular recipients in third countries or who are international organisations;
- How long we expect to store your data
- Where you did not give us the personal data, the source from which we collected the personal data; and
- Whether we use any automated decision making in relation to the processing of your personal data. You are entitled to have any mistakes in your personal data rectified, and to have the data deleted if you would no longer like us to store or process your personal data, or to request restriction of our processing of your personal data.
How do we verify the requestor’s identity?
The requestor must supply valid evidence to prove their identity. We may verify the requestor’s identity either through a phone call where we ask questions that only the requestor will know the answers to or by requesting forms of identification. We accept the following example forms of identification:
- Current UK/EEA Passport
- UK Driving Licence
- Financial Statement issued by bank, building society or credit card company
- Utility bill for supply of gas, electric, water or telephone landline
How to process the request
Our aim is to determine what information the requestor is asking for. If the request is not clear, or where if we process a large quantity of information about an individual, the GDPR permits us to ask the individual to specify the information the request relates to. Where this applies, we will proceed with a request for additional information.
We must verify whether we process the data requested. If we do not process any such data, we must inform the data subject accordingly.
We must respond to the data subject within 30 days of receiving the request as valid. This is a requirement under the GDPR.
Karl Whitehead is responsible for the handling of Subject Access Requests (SAR) in our business. Any employee, who receives a request from Karl Whitehead to locate and supply information relating to a SAR, must make a full exhaustive search of the records which they are responsible for or owns. This may include but is not limited to emails (including archived emails and those that have been deleted but are still recoverable), Word documents, spreadsheets, databases, systems, removable media (for example, memory sticks), recordings, paper records in relevant filing systems.
Karl Whitehead should check whether the data requested also involves data on other data subjects and make sure this data is filtered before the requested data is supplied to the requestor; if data cannot be filtered, ensure that other data subjects have consented to the supply of their data as part of the SAR.
All the information that has been requested must be provided unless an exemption can be applied (see below). Information must be supplied in an intelligible form and we will explain acronyms, codes or complex terms.
Issuing a response
Once any queries around the information requested have been resolved, copies of the information will be sent to you electronically wherever possible or, if this is not technically possible, by post.
Will we charge a fee?
If your data subject access requests are excessive or manifestly unfounded, we will charge £10 to cover the administrative costs involved in dealing with your request. In extreme circumstances, we reserve the right to refuse your requests.
Complex requests
As stated, we have to respond to a SAR within 30 days. If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner within 30 days. Where we decide not take action on the request of the data subject, we need to inform the data subject of this decision without delay and at the latest within 30 days of receipt of the request.
Our response to the requestor
After processing the SAR, our response to the requestor should include:
- The purpose(s) the processing;
- The categories of personal data concerned;
- The recipients or categories of recipients to whom personal data has been or will be disclosed, in particular in third party countries or international organisations, including any appropriate safeguards for transfer of data;
- The envisaged period for which personal data will be stored, or, if not possible, the criteria used to determine that period;
- The existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- The right to lodge a complaint with the ICO;
- If the data has not been collected from the data subject: the source of such data;
- The existence of any automated decision-making, including profiling and any meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the requestor.
Complaints
Where a requestor is not satisfied with a response to a SAR, we must manage this as a complaint. We must advise the requestor that if they remain unhappy with the outcome, they may complain to theInformation Commissioners Office or take legal action against us.
