Data protection request policy
Who should read this policy:
All personnel should be able to spot a data subject access request. This forms part of Zeyro Limited’s policies and practices alongside any relevant training.
Who is responsible:
Zeyro Limited has overall responsibility to comply with data protection requests. Certain personnel will have responsibility for handling data subject access requests within Zeyro Limited. If you are not sure if you are responsible or who should handle a request, please contact Gareth Malna for further information.
Are there deadlines:
Yes. Most data protection requests will need to be responded to and dealt with promptly, and no later than one month after receiving the request or the date on which the individual making the request was identified. It is therefore important that everyone acts on any request they receive straight away.
What's covered:
This policy will cover how to both spot and handle data protection requests.
Who checks this policy is enforced:
The Information Commissioner’s Office (ICO) is the UK regulator and is responsible for checking that businesses comply with UK Data Protection Law.

Why do we have this policy?
This policy applies to all employees, directors, consultants or contractors of Zeyro Limited, a company registered in England and Wales with company number 14490357 whose registered address is 7 Gay Street, Bath, BA1 2PH (we/us/our).

We hold personal data about many individuals as part of our normal business practices. For example, this includes information about our employees, our customers, or suppliers.

Personal data includes all information which could be used to identify an individual. Under UK Data Protection Law, individuals may make requests about how we handle their personal data. These rights include:

- Access. The individual wants to have access to personal data we hold about them.
- Provide. Individuals have a right to ask us for a copy of their personal data.
- Correction. We have a duty to keep personal data up to date and individuals have a right to ask us to correct their personal data.
- Erasure. In certain circumstances, we may need to erase personal data if asked to do so.
- Restrict. In certain circumstances we may be asked to restrict our use of an individual’s personal data.
- Port/transfer. Individuals have the right to ask to port over or transfer their personal data to another party.
- Object. In certain circumstances we may have to stop using an individual’s personal data for certain activities or to ensure that the personal data isn’t used in automated decision-making.
Spotting and acting on data protection requests
There are no set requirements for how an individual may request to exercise any of their rights under UK Data Protection Law. This means that you could receive a letter, email, online message, or phone call containing a data protection request.

It is important that you pass data protection requests on to the relevant department because we have a legal obligation to respond to these requests within certain time periods. We have set out some guidance below.

- Receiving written requests (e.g. email, letter or online message): please simply forward these requests to Gareth Malna as soon as possible.
- Receiving oral requests (e.g. over the phone): if you receive a request over the phone, please take down the individual’s name and preferred contact details and forward these on to Gareth Malna as soon as possible, who will be in touch with the individual to process this request.

Once you have forwarded the request as set out above, if you are not responsible for handling the requests, you are unlikely to need to do more at this stage. However, please be ready to assist Gareth Malna if they need help with handling the request.
What happens once a data protection request is received?
The individual will need to be told that we have received their request and that they may be contacted to verify their identity. Gareth Malna will do this as soon as practicable after receiving the request.
Once we are sure that we can identify the person making the data protection request, we will start to process it. Timescales can be tight because there is a maximum one-month limit for processing data protection requests, and responding to these can sometimes be a complex and involved task.
Identifying the person making a data protection request
If we are not sure who the individual making the request is, then we will need to ask them for identification. Gareth Malna is responsible for contacting the individual making the request in order to confirm their identity. We could ask for photo identification such as their passport, ID card or driver’s licence. We can accept a photocopy or scanned image of the documents as proof of identity. It is up to Gareth Malna to confirm that he is comfortable with any ID documents provided.

It is important that we store these identification documents separately and only use them for the purpose of identifying the individual to handle their request. Once a request has been responded to within the one-month time limit (or any extended time period as applicable), these documents should be marked for deletion six months later. This time period is to allow for any follow-up queries. Please contact Gareth Malna to schedule deletion of these files.
What if someone makes a request on behalf of another person?
Whilst this is permitted under UK Data Protection Law, we will need to take steps to make sure that they are able to act on another individual’s behalf when making this request for them. In this instance, please speak to Gareth Malna to confirm that he is comfortable with any authorisation documents provided.

We may also need to identify both the person making the request and the third party doing it on their behalf. This should be done the same way as if they were the person making the request.
Documenting Data Protection Requests
Gareth Malna must document any data protection requests received by Englebert Limited. The following information should be documented:

- The name of the person who is making the request.
- The name of any third party making a request on behalf of someone else (if relevant).
- The date the request was received.
- How the request was received (e.g. over the phone, email etc.).
- Who initially received the request.
- Who has responsibility for handling the request.
- The date of acknowledgement and any further communication with the individual making the data protection request.
- Whether any ID documents have been requested and received.
- The date the request was fully responded to.
How to manage a data protection request
In general, there is a one-month time frame to fully respond to a request. However, in practice, we need to respond as soon as reasonably practicable, which should be a shorter time period for small and easy-to-manage requests. For instance, where an individual has asked for their name to be removed from a marketing list, that request should be dealt with quickly (e.g. 2 business days).

Some requests can take a long time to fully respond to because they involve identifying and locating all information we hold about that individual. Where this is the case, we need to work quickly to meet the deadline of responding within one month of the request (or if we could not identify the individual, the date we could identify the individual). Where we need to gather all the personal data held on an individual, the following steps should be taken.

- Identify all employees that might reasonably have had contact with the individual whom the request relates to.
- Contact Gareth Malna to ask them to gather all personal data relating to that individual from all relevant sources. The below is an illustrative list of where we may hold information:
  - Emails;
  - Company databases;
  - Telephone records;
  - Internet logs;
  - Hard copy files;
  - Computer hard drives; and
  - Back-up files.
- Gareth Malna is responsible for reviewing the files and identifying whether the personal data gathered is relevant to the request. They will then need to assess whether any of the documents provided require any redactions (so as to protect the personal data of other individuals).

We do not charge for handling data protection requests.
Can we ever deny a data protection request?
Yes, there may be instances where we can deny a data protection request. There are both general reasons for denying a request and reasons for denying specific types of requests. The general reasons are:

- An Exemption applies. There are many Exemptions, but ones that may be of particular interest to us include where the personal data is being used for the establishment, exercise or defence of legal claims, or protection of the rights of another person (natural or legal).
- We cannot identify the individual making the request (or any third party doing so on their behalf).
- Any other law provides a basis for denying the request.
- We do not hold personal data about the individual making the request.
The following points summarise the reasons for denying specific requests:

Request type: The right of access, correction, objection, restriction, or to be provided with a copy of the personal data.

Reasons for denying: The request was manifestly unfounded or manifestly excessive.

Request type: The right of erasure.

Reasons for denying: Both of these reasons apply:
- The personal data is still necessary for the purpose it was originally provided for; and
- We are not processing the personal data based on consent or our Legitimate Interests.

Request type: The right of portability.

Reasons for denying: Both of these reasons apply:
- We are not relying on consent or performance of a contract as grounds for processing the personal data; and
- Where the processing is not carried out by automated means.

If you think there may be a reason why we do not need to comply with a data protection request, please contact Gareth Malna in the first instance.
Responding to data protection requests
Gareth Malna is responsible for responding to, or reviewing responses to, any data protection requests.

When responding to data protection requests, there is certain information we need to provide to the individual. The table below summarises the steps to be taken for each individual and what information they must be provided with.

Where a data protection request has been denied:
- The reason why we have denied the request.
- Advise the individual making the request that they have a right to complain to the Information Commissioner.
Training and Awareness
This policy will be published on https://www.zeyro.one/. Gareth Malna must ensure that all staff subject to the Policy understand their roles in implementing this Policy through training, communications, and team meetings.