Subject Access Request (SAR) policy template

Overview

This Subject Access Request (SAR) Policy outlines the procedures and guidelines for handling SARs received by [Company Name]. The policy is designed to ensure compliance with data protection laws, including the General Data Protection Regulation (GDPR), and to safeguard the rights of individuals regarding their personal data.

Scope

This policy applies to all employees, contractors, and agents of [Company Name] who may handle SARs on behalf of the organisation. It covers the process for receiving, assessing, and responding to SARs in a timely and efficient manner.

General Principles

Definitions

• Subject Access Request (SAR): A request made by an individual to obtain access to the personal data held about them by [Company Name].

• Data Controller: The organisation that determines the purposes and means of processing personal data.

• Data Processor: An entity that processes personal data on behalf of the data controller.

Responsibilities

• Data Protection Officer (DPO): The DPO is responsible for overseeing compliance with data protection laws, including the handling of SARs, and ensuring that appropriate procedures are in place.

• HR Manager/Officer: The HR Manager/Officer is responsible for receiving, assessing, and responding to SARs received by the organisation.

• Employees: All employees are responsible for promptly forwarding any SARs they receive to the HR Manager/Officer and cooperating with the SAR process as required.

SAR Procedure

• Receipt of SAR: SARs may be submitted in writing or verbally. Employees who receive a SAR must promptly forward it to the HR Manager/Officer.

• Verification of Identity: The HR Manager/Officer must verify the identity of the individual making the SAR to ensure that personal data is disclosed to the correct person.

• Assessment and Response: The HR Manager/Officer will assess each SAR to determine whether it is valid and whether any exemptions or limitations apply. A response will be provided to the individual within one month of receipt, unless an extension is necessary.

• Record-Keeping: Records of SARs received and actions taken in response must be maintained in accordance with data protection laws.

Training and Awareness

All employees involved in handling SARs will receive training on their responsibilities under this policy and data protection laws. Regular updates and refresher training will be provided as necessary to ensure ongoing compliance.

Review and Monitoring

This policy will be reviewed and updated regularly to reflect changes in data protection laws and organisational practices. Compliance with the policy will be monitored through regular audits and assessments.

Conclusion

This SAR Policy demonstrates [Company Name]'s commitment to protecting the privacy rights of individuals and ensuring compliance with data protection laws. By following the procedures outlined in this policy, we aim to handle SARs effectively and transparently while respecting individuals' rights regarding their personal data.