Subject Access Request Policy
Introduction
This policy is to be used when a data subject exercises rights they are granted under the European Union General Data Protection Regulation (GDPR).
Generally, the Human Rights Due Diligence platform will be proactive in ensuring that the personal data of Data subjects lies in their control.
In the case where data for any reason, is not in the direct control of the user, this document is to be followed.
Subject Access Request process
A data subject can request access to any of their personal data in writing (including email) to &Wider.
The request administrator (an internal person from the Human Rights Due Diligence platform who receives the Data access request) is responsible for logging the data access request and following through with its processing by reaching out to the relevant divisions or staff members within the Human Rights Due Diligence platform.
Before processing a data access request, the identity of the data subject must be confirmed. To achieve this, the Human Rights Due Diligence platform may request further information.
The Human Rights Due Diligence platform reserves the right to reject any unlawful data access request
The Right of Access:
Data subjects shall have the right to obtain from the platform confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from the data subject, any available information as to their source;
Whether the data will be subject to profiling or automated processing, and the consequences involved.
Where the data subject’s data is to be transferred to a third party country, or international organisation, information on the safeguards applied.
How long will it take for us to respond to your request?
We will deal with your subject access request without undue delay and in any event within 40 calendar days of receipt of your request. However, if the work involved is particularly complex or if numerous requests are made then we will provide an explanation about why we are unable to provide the information on time. In many cases, it will be possible to respond in advance of the 40 calendar day target and we will aim to do so.
Will we charge you for providing the requested information?
We will not charge a fee for dealing with your request unless it is manifestly unfounded or excessive. If we charge a fee, we will inform you of this and explain the reasons for doing so. We will explain what steps have been taken in dealing with your request i.e. we will set out the source of your personal information we have gathered. The information will be provided in a concise, transparent and easily accessible form. It may be provided in writing, or by other means, including, where appropriate, by electronic means.
Complaints procedure
If you are not satisfied by our actions, you can seek recourse through our internal complaints procedure, the Information Commissioner or the courts.
The Chief Executive will deal with any written complaint about the way a request has been handled and about what information has been disclosed. The Chief Executive can be contacted at:
&Wider B.V.
Herengracht 201
1016 BE, Amsterdam
The Netherlands