Subject Access Request

Get your Data from ANY Corporation

With the changes to data protection law in the UK brought by the General Data Protection Regulation 2018 (European legislation), adopted in UK law in the form of the Data Protection Act 2018, there has never been a better time to hold companies to account for the data of yours that they are processing. You are entitled to view the information any corporation holds about you, check that it is correct, and also glean information on how they are processing it and who they are passing it to. The Subject Access Request used to cost £10; it is now FREE.

STANDARD SUBJECT ACCESS REQUEST TEMPLATE

[YOUR ADDRESS & POSTCODE]

[THEIR ADDRESS & POSTCODE]

Your Ref: [THEIR REFERENCE NUMBER IF YOU KNOW IT]

DATE: [THE DATE]

Dear Sir or Madam,

I am writing to formally make a 'Subject Access Request' for a copy of the information that you hold about me, to which I am entitled under the General Data Protection Regulation 2018.

You can identify my records using the following information:

Full name:

Address:

Please supply me with the data about me that I am entitled to under data protection law, including:


  • confirmation that you are processing my personal data;

  • a copy of my personal data;

  • the purposes of your processing;

  • the categories of personal data concerned;

  • the recipients or categories of recipient you disclose my personal data to;

  • your retention period for storing my personal data or, where this is not possible, your criteria for determining how long you will store it;


  • confirmation of the existence of my right to request rectification, erasure or restriction or to object to such processing;

  • confirmation of my right to lodge a complaint with the ICO or another supervisory authority;

  • information about the source of the data, where it was not obtained directly from me;

  • the existence of any automated decision-making (including profiling); and

  • the safeguards you provide if you transfer my personal data to a third country or international organisation.


  • please provide the mapping management process involved in the data usage;

  • include the regulatory compliance process used to ensure sufficient governance is in place;

  • include the same for any third parties you provide access to my data;

  • include what your legal reason is for holding such data, and please delete any data you do not have a legal reason to hold and provide the necessary regulatory requirements to evidence the deletion of said data.

I look forward to receiving your response to this request for data within one calendar month, per the General Data Protection Regulation. If you do not normally deal with these requests, please pass this letter to your Data Protection Officer, or relevant staff member.

Yours faithfully,

[YOUR NAME]

Under the General Data Protection Regulation 2018, they should respond within one month. If the request is complex, they should advise that they will require a further two months (Article 12(3) GDPR). If you have not had a full response in 3 months, then you could file a complaint with the Information Commissioner's Office, which has the authority to issue large fines for non-compliance.

If they ask for I.D. in response to the request, send it to them.

THE NIGHTMARE SUBJECT ACCESS REQUEST

If you are NOT looking for a quick response and want to test just how good a company's Data Management skills are, why not send them a NIGHTMARE SUBJECT ACCESS REQUEST! This can be edited to suit your individual case. Be specific to information relevant to you, or you may have a hard time reporting the Company to the ICO.

SAR Ramblings

You can also ask for details of the agents and SAR them too, and if the outsourced agents use self-employed agents (the door knockers), SAR the agents' self-employed agents too. SAR everyone in the process chain, right down to the door knocker.

The subject has the right to SAR any organisation (a self-employed door-knocking collector is trading as a sole proprietorship and is therefore a data processing organisation). Each organisation should be able to provide you with a copy of the legitimate interest balance test that they have carried out (supposedly). Specifically ask them to substantiate how they have concluded that their legitimate interest outweighs the interests of the data subject (you) in their processing of your personal information, and specifically request how that legitimises their processing your information without your consent to the extent of a privacy invasion of coming to your door. How much more invasive can a use of data be than turning up at your door uninvited without consent?

Such a balance test should be carried out at each stage that one organisation passes the info to the next organisation in the chain. The first principle of GDPR is responsibility and accountability; it is simply not good enough to assume the controller has been diligent. Each 'hand over' from controller to processor ought to be able to provide a legitimate interest balance test to substantiate how and why their legitimate interest outweighs your privacy rights, when said processing in the context of "debt collection" is a likely cause of anxiety and stress.

I personally think that this "accountability" (first principle of GDPR), the due diligence of the balance test, applies to each legal entity involved in the process; accountability transcends from the originating controller to the individual processor (and should be demonstrable for each "handover"), and that goes right down to the door knocker. If that door knocker is self-employed as an agent on behalf of more than two or three different collectors, then he/she, as a trading entity (sole proprietorship), should also have carried out and be able to document a legitimate interest balance test, because they are effectively a legal entity, and if they cannot show that they have exercised due diligence before processing your information (yeah right) to ensure accountability... then they have no right to be processing the personal information.

I also question: the controller (originator) passes personal data to a processor (collection agency), which passes it to a third party (also a processor). Does this not make them BOTH a controller and a processor? Bet none of them are registered with the ICO as both.

So if they are not registered as both a controller and a processor, are they therefore conflicted, and therefore by default unable to carry out a fair and impartial balance test? Typically the collecting agency will be registered with the ICO as a processor, but when they pass information down the chain they become a controller (if they are not registered as both, there's a possible loophole). Anyway... if they can't, don't or won't share the legitimate interest balance test results and substantiated balance test conclusion, then that would be grounds for a report and complaint to the ICO, which the ICO HAS to investigate, auditing each organisation's role in the handling, processing and transferring of your information. Such an investigation could include enforced cessation of processing of personal data, yours and any other data subjects' information, i.e. they shut them down until the audits and investigation run their course.

Dave Taylor Headon

If they email a response, ask for a paper copy.