A **GDPR Request**, also formally known as a **Data Subject Access Request (DSAR)**, is a communication from a data subject stating that they wish to exercise their rights under the GDPR to access their data.
from [[ https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#III_Rights_of_the_data_subject | wikipedia.org/wiki/General_Data_Protection_Regulation#III_Rights_of_the_data_subject]]
>The right of access (Article 15) is a data subject right.[12] It gives citizens the right to access their personal data and information about how this personal data is being processed. A data controller must provide, upon request, an overview of the categories of data that are being processed (Article 15(1)(b)) as well as a copy of the actual data (Article 15(3)); furthermore, the data controller has to inform the data subject on details about the processing, such as the purposes of the processing (Article 15(1)(a)), with whom the data is shared (Article 15(1)(c)), and how it acquired the data (Article 15(1)(g)).
-----
==Policy==
- We **should** consider which of our staff who regularly interact with individuals may need specific training to identify a request.
- We **should** define procedures for recording details of the requests we receive, particularly those made by telephone or in person/chat/social media.
- We **should** keep a log of requests.
- We **MUST** respond within 1 month. We **should** respond as quickly as possible.
- We **MUST** comply with GDPR and [[https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access#other | respond to these requests properly]].
- We **should** be prepared to receive GDPR requests through any medium, not just electronically.
>The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.
>A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.
[[ https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access#3 | source ]]
-----
==Processes==
{M6}
-----
==Procedures==
=====None yet=====
-----
Recommended reading:
https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr