Subject Access Request Policy

A Subject Access Request (“SAR”) is a request by a data subject in accordance with data protection legislation to see any information that is held about them by an organisation.

Upon receipt of a SAR, we reserve the right to request additional information to confirm the identity of the individual submitting the SAR prior to taking any further action.

If we are satisfied in relation to identity, we will review the SAR and determine whether we are the data controller or data processor for the purposes of the SAR.  If we establish that we are the data processor then we will forward the SAR to the data controller for their attention.
(Article 15(1))

In the event that we are satisfied that a SAR has been properly directed to us in our capacity as data controller, we will undertake a reasonable and proportionate review of our records to determine the information that we hold about the data subject.  We will thereafter provide the data subject with a copy of the details of the Personal Data that we hold.
(Article 15(1))

We will respond to a SAR within 30 days of the date of receipt of all information required to identify the data subject if additional information is required.  This may be extended to 90 days in the case of particularly complex or numerous requests.  We reserve the right to charge a reasonable fee in the event of unfounded or excessive requests, based on our administrative costs of responding to the SAR.
(Article 15(3))

If a SAR is received by Scott-Moncrieff you should contact our Data Protection Team – Marc Shenken or Fraser Nicol.

Words used with first letter capitalisation (e.g. Personal Data), unless otherwise defined in this policy, have the same definition and meaning as they do in the prevailing data protection legislation in the United Kingdom.