Document Templates

DSAR Template

1. Introduction
This Data Subject Access Request Policy sets out the procedure to be adopted by (Insert Company name here) in responding to requests by individuals (Data Subjects) regarding their personal data held by (Insert Company name here) in line with the provisions of the Nigerian Data Protection Regulation 2019 (NDPR).
This Policy should be read in conjunction with (Insert Company name here)’s Data Privacy and Protection Policy and (Insert Company name here)’s Privacy Notices.
The Data Protection Officer (DPO) shall be responsible for overseeing this Policy to ensure compliance with the provisions of the NDPR.
2. Data Subject Access Request (DSAR)
A Data Subject Access Request (DSAR) is any request made by an individual or an individual’s legal representative for information held by the Company about that individual. The Data Subject Access Request provides the right for data subjects to see or view their own personal data as well as to request copies of the data.
3. The Rights of a Data Subject
In line with the provisions of the NDPR, Data Subjects are entitled to the rights below:
a) Right to request for and access Personal Data collected and stored by (Insert Company Name);
b) Right to object to processing of Personal Data;
c) Right to be informed of and provide consent prior to the processing of data for purposes other than that for which the Personal Data were collected;
d) Right to object to automated decision making and profiling;
e) Right to withdraw consent at any time;
f) Right to request rectification and modification of your data kept by (Insert Company Name);
g) Right to request for deletion of your data collected and stored by (Insert Company Name); and
h) Right to request the movement of data from (Insert Company Name) to a Third Party, i.e. the right to the portability of data.
4. Requirements for a valid DSAR
In order to be able to respond to the Data Subject Access Requests in a timely manner, the data subject should:
(a) Submit his/her request using a Data Subject Access Request Form.
(b) Provide the Company with sufficient information to validate his/her identity (to ensure that the person requesting the information is the data subject or his/her authorized person).
DSAR process
5. Request
Where a Data Subject wishes to exercise any of the rights guaranteed under the NDPR, they shall make a formal request by completing the DSAR Form (See Appendix) and sending the completed form via email to the Data Protection Officer (DPO) at xxxxxxxxxxxxxxxxxxxxxx
Upon receipt of a DSAR, the Data Protection Officer will log the request in the DSAR Register.
The Company shall contact the Data Subject within 5 working days of the receipt of the DSAR Form to confirm receipt of the subject access request and may request additional information to verify and confirm the identity of the individual making the request.
6. Identity verification
The Data Protection Officer needs to check the identity of anyone making a DSAR to ensure information is only given to the person who is entitled to it.
The person receiving the request will ask the requestor to provide two forms of identification, one of which must be a photo identity and the other confirmation of address.
Where the request is from a third party (such as a relative or representative of the Data Subject), the Company will verify their authority to act for the Data Subject and may contact the Data Subject to confirm their identity and request the Data Subject’s consent to disclose the information.
7. Information for DSAR
When the identity of the individual making the request is verified, the DPO shall coordinate the gathering of all information collected with respect to the individual in a concise, transparent, intelligible and easily accessible form, using clear and plain language with a view to responding to the specific request. The information may be provided in writing, or by other means, including, where appropriate, by electronic means or orally, provided that the identity of the Data Subject is proven by other means.
Where the information requested relates directly or indirectly to another person, the Company will seek the consent of that person before processing the request.
However, where disclosure would adversely affect the rights and freedoms of others and the Company is unable to disclose the information, the Company will inform the requestor promptly, with reasons for that decision.
8. Fees and Timeframe
The Company shall ensure that it provides the information required by a Data Subject or responds to the request by the Data Subject within a period of one month from the receipt of the request. However, where the Company is unable to act on the request of the Data Subject, it shall inform the Data Subject promptly, and in any case within one month of receipt of the request, of the reasons for not taking action and notify them of the option of lodging a complaint with the National Information Technology Development Agency (NITDA), in line with the NDPR.
Any information provided to the Data Subject by the Company shall be provided free of charge. However, where requests from a Data Subject are manifestly unfounded or excessive, in particular because of their repetitive or cumbersome nature, the Company may:
a. Charge a reasonable fee taking into account the administrative costs of providing the information or communication, taking the action required or making a decision to refuse to act on the request; or
b. Write a letter to the Data Subject stating refusal to act on the request and copying the National Information Technology Development Agency (NITDA).
9. Response to access requests
The Data Protection Team will provide the finalized response together with the information retrieved and/or a statement that the Company does not hold the information requested, or that an exemption applies.
The Data Protection Team will ensure that a written response will be sent back to the requestor. This will be via email.
10. Archiving
After the response has been sent to the requestor, the DSAR will be considered closed and archived by the Data Protection Team.
11. Exemptions
An individual does not have the right to access information recorded about someone else, unless they are an authorized representative.
The Company is not required to respond to requests for information unless it is provided with sufficient details to enable the location of the information to be identified, and to satisfy itself as to the identity of the data subject making the request.
In principle, the Company will not normally disclose the following types of information in response to a Data Subject Access Request:
Information about other people – A Data Subject Access Request may cover information which relates to an individual or individuals other than the data subject. Access to such data will not be granted, unless the individuals involved consent to the disclosure of their data.
Repeat requests – Where a similar or identical request in relation to the same data subject has previously been complied with within a reasonable time period, and where there is no significant change in personal data held in relation to that data subject, any further request made within a six-month period of the original request will be considered a repeat request, and the Company will not normally provide a further copy of the same data.
Publicly available information – The Company is not required to provide copies of documents which are already in the public domain.