The EU General Data Protection Regulation (“GDPR”) comes into force across the European Union on 25th May 2018 and brings with it the most significant changes to data protection law in two decades. Founded on the basis of privacy by design and taking a risk-based approach, the GDPR has been designed to meet the requirements of the digital age.
The 21st Century brings with it broader use of technology, new definitions of what constitutes personal data, and a vast increase in cross-border processing. The new Regulation aims to standardise data protection laws and processing across the EU; affording individuals stronger, more consistent rights to access and control their personal information.
Grant UK is committed to ensuring the security and protection of the personal information that we process, and to provide a compliant and consistent approach to data protection. We have always had a robust and effective data protection program in place which complies with existing law and abides by the data protection principles. However, we recognise the requirement and importance of updating and expanding this program to meet the demands of the GDPR and the UK’s Data Protection Bill. Grant UK is dedicated to safeguarding the personal information under our remit and in developing a data protection regime that is effective, fit for purpose and demonstrates an understanding of, and appreciation for the new Regulation.
A Subject Access Request (SAR) is the right of an individual to request any personal data that Grant UK hold on their behalf. This right is a principle of the GDPR, designed to regulate the processing of information from which a natural living person can be identified either from the information itself or when combined with other data. We are committed to upholding the rights of individuals and have dedicated processes in place for providing access to personal information.
Where requested, we will provide the following information: -
• the purposes of the processing
• the categories of personal data concerned
• the recipient(s) or categories of recipient(s) to whom the personal data have been or will be disclosed
• the envisaged period for which the personal data will be stored (or the criteria used to determine that period)
• where the personal data was not collected directly from the individual, any available information as to its source
A subject access request (SAR) is a request for access to the personal information that the Company holds about you, which we are required to provide under the GDPR (unless an exemption applies). The request doesn't have to specify it's a SAR or refer to the GDPR; it can be a general request for personal information. You can make this request in writing to our registered office address:
FAO The Data Protection Manager,
(GDPR Governance Group),
Grant Engineering (UK) Ltd,
Hopton House,
Hopton Industrial Estate,
Devizes, Wiltshire,
SN10 2EU.
Or, you can submit your access request electronically by email to info@grantuk.com. Where a request is received by electronic means, we will provide the requested information in a commonly used electronic form (unless otherwise requested by the data subject).
Subject Access Requests (SAR) are passed to the Company’s Data Protection Governance Group as soon as received and a record of the request is made. The person in charge (Our Data Protection Manager) will use all reasonable measures to verify the identity of the individual making the access request, especially where the request is made using online services.
We will utilise the request information to ensure that we can verify your identity and where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to actioning any request. This is to protect your information and rights.
If a third party, relative or representative is requesting the information on your behalf, we will verify their authority to act for you and again, may contact you to confirm their identity and gain your authorisation prior to actioning the any request.
Information Gathering
If you have provided enough information in your SAR to collate the personal information held about you, we will gather all documents relating to you and ensure that the information required is provided in an acceptable format. If we do not have enough information to locate your records, we may contact you for further details. This will be done as soon as possible and within the timeframes set out below.
Once we have collated all the personal information held about you, we will send this to you in writing (or in a commonly used electronic form if requested). The information will be in a concise, transparent, intelligible and easily accessible format, using clear and plain language.
SARs are always completed within 30-days and are provided free of charge. Where the request is made by electronic means, we provide the information in a commonly used electronic format, unless an alternative format is requested.
Whilst we provide the information requested without a fee, further copies requested by the individual may incur a charge to cover our administrative costs.
The Company always aim to provide the requested information at the earliest convenience, but at a maximum, 30 days from the date the request is received. However, where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months. If this is the case, we will write to you within 30 days and keep you informed of the delay and provide the reasons.
Under the GDPR, you have the right to request rectification of any inaccurate data held by us. Where we are notified of inaccurate data, and agree that the data is incorrect, we will amend the details immediately as directed by you and make a note on the system (or record) of the change and reason(s).
We will rectify any errors within 30-days and inform you in writing of the correction and where applicable, provide the details of any third-party to whom the data has been disclosed.
If for any reason, we are unable to act in response to a request for rectification and/or data completion, we will always provide a written explanation to you and inform you of your right to complain to the Supervisory Authority and to seek a judicial remedy.
In certain circumstances, you may also have the right to request from the Company, the erasure of personal data or to restrict the processing of personal data where it concerns your personal information; as well as the right to object to such processing.
If you would like further details on the Regulation or are unhappy with the way your data has been handled, please contact the Supervisory Authority - The Information Commissioner’s Office (ICO). They can be contacted at: -
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF.
Telephone: 0303 123 1113 (local) / 01625 545 745 (national).
Fax: 01625 524 510.
Email: enquiries@ico.org.uk
Web: www.ico.org.uk
We are dedicated to safeguarding any personal data under our remit and process this information in accordance with our Privacy Policies, see: www.grantuk.com/privacy
Every individual has the right to lodge a complaint with the supervisory authority - the Information Commissioner’s Office (ICO), where they consider that the processing of personal data relating to them infringes the General Data Protection Regulation (GDPR) or we have breaches data protection law. The ICO with which the complaint has been lodged, is responsible for informing the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy where the supervisory authority does not handle a complaint or does not inform the data subject within three months on the progress or outcome of the complaint lodged. The ICO can be contacted at: - Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 0303 123 1113 (local) / 01625 545 745 (national). Fax: 01625 524 510. Email: enquiries@ico.org.uk Web: www.ico.org.uk