Subject Access Request
The General Data Protection Regulation (GDPR) is now in effect and like thousands of small businesses with an internet presence Westermill Farm Holidays is (somewhat) struggling to put together all the information (we believe that we are supposed to) to be compliant with the GDPR.
Westermill Farm subscribes to the tenents and guidance set forth by the Information Commisioner’s Office with regard to the processing of a “subject access request.”
Here are a couple of the resources we are using to help guide us in making your personal data available to you.
Here is what we agree with so far … in so far as we are able to understand any of it well enough to agree with anything.
What is the right of access?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
What is an individual entitled to?
Individuals have the right to obtain the following from you:
- confirmation that you are processing their personal data;
- a copy of their personal data; and
- other supplementary information – this largely corresponds to the information that you should provide in a privacy notice (see ‘Supplementary information’ below).
This right, commonly referred to as subject access, is created by section 7 of the Data Protection Act. It is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this, and an individual who makes a written request and pays a fee is entitled to be:
- told whether any personal data is being processed;
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- given a copy of the information comprising the data; and given details of the source of the data (where this is available).
An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret). Other rights relating to these types of decisions are dealt with in more detail in Automated decision taking.
In most cases you must respond to a subject access request promptly and in any event within 40 calendar days of receiving it. However, some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request. For more information, please see Exemptions.
Personal data of the individual
An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). For further information about the definition of personal data please see the key definitions guidance.
What does all that techno-jargon mean?
Frankly, I am not absolutely certain what a lot of it is about which is one reason why Westermill Farm has deployed a concise, easy to understand and readily available online form with which you can make requests to us about your data.
Of course you are absolutely free to make subject access requests by any valid method in the meantime.
Verifying your identity
In order to ensure that personal data is transmitted only to the owner of the data or their representative(s) we are required to make a reasonable effort to verify the identity of the requester making a Subject Access Request.
As the personal data we have had, and do have, access to, has almost exclusively been provided via online digital booking forms, we propose, therefore, to use details from those booking forms to initially attempt to verify the requester’s identity.
Such details will include some or all of the following data:
- Booking reference number associated with the requester
- Phone number included on the booking form
- Arrival date included on the booking form
- Street address included on the booking form
In the event that we cannot be reasonably certain of the identify the requester as the owner of the personal data from the responses to the foregoing data exchange – we will then follow up with a telephone call to the requester to discuss further details associated with the occasion of the business conducted between Westermill Farm and the requester.
Subject Access Request - Form
This form has been active as of May 29, 2018.
You do not have to use the form on this page to make a Subject Access Request (SAR) to Westermill Farm Holidays. You are welcome to make an SAR using whatever authorized format and technology you prefer. However, Westermill Farm Holidays will require the data outlined in its SAR Form to be provided in writing in order to be able to process the request. Consequently we suggest that those interested review the form so as to assist the requester in providing the information needed to deal with their request. Finally please note that Westermill Farm Holidays is not and has never been accessible via Fax.