A clear and bold header
This hotel booking engine is owned and run by Roomex Limited.
GDPR: Data Subject Access Request Protocol
The General Data Protection Regulation and the Data Protection Act 2018
1. The purpose of this protocol
1 Roomex Limited (“Roomex”) is committed to complying with our data protection obligations. To achieve consistency and excellence of service, we believe that it is important to set out a protocol which must be followed when dealing with a data subject access request.
2. Right of Access to Personal Data
2.2. Article 15 of the General Data Protection Regulation (the “GDPR”) and Section 91 of the Data Protection Act 2018 (“the Data Protection Act”) provide that any individual about whom we hold personal data (a data subject) may make a written request for the following:
- A copy of his/her data;
- A description of the purposes for which the data is held;
- A description of those to whom the data have been or will be disclosed;
- The envisaged period for which the personal data will be stored; and
- Where the data has not been collected from the data subject, information about the source of the data (unless this would be contrary to public interest).
2.1. We are also obliged to explain to a data subject the logic used in any automated decision-making process where the decision significantly affects the individual and the decision is solely based on the automated process.
2.2. Every individual about whom we keep personal information has other rights under the GDPR and the Data Protection Act, in addition to the right of access. These include:
- to ask for details of their personal data held by us
- to ask for a copy of their personal data
- to have any inaccurate or misleading data rectified, corrected and erased
- to restrict the processing of their personal data in certain circumstances
- to object to the processing of their personal data
- to transfer their personal data to a third party
- a right not to be subject to automated decision making
- the right to receive notification of a data breach
- the right to lodge a complaint to the Data Protection Commissioner.
3. Making a Data Subject Access Request
3.1. An individual making an access request must: -
- apply to us in writing;
- give any details which might help us identify him or her and locate all the information we may keep about him/her (e.g., previous addresses, account numbers, relevant time periods, relationship to Roomex).
4. What must we do in response to an access request?
4.1. Give the information to the individual within one month of receiving the request. This time limit runs immediately on receipt of the request and cannot be delayed for any reason, for example, while awaiting ID verification. While we cannot provide the information until we receive ID verification, if this is provided by the data subject on day 29 we must be in a position to provide the requested information within the timeframe. It is also essential to note that, having received the access request, we cannot change or delete any personal data which we hold.
4.2. Provide the information in a form which will be clear to the ordinary person (e.g., any reference codes or identifying numbers et cetera must be explained).
4.3. Ensure that we give personal information only to the individual concerned (or someone acting on his or her behalf and with their authority). Do not provide such information by phone. If we do not keep any information on computer or in a relevant filing system about the individual making the request we must tell them so within one month.
5. Exceptions or limits to the right of access
5.1. There are a number of restrictions on the right of access under GDPR and Section 94 of the Data Protection Act based on necessity and proportionality. Where we restrict access, we are obliged to keep a record of that restriction:
- That the right of access does not apply in a number of cases, in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand, such as the need to investigate crime effectively, defence, public security, the prevention, investigation, detection and prosecution of breaches of ethics; the enforcement of claims.
- That the right of access to medical data and social workers' data is also restricted in some very limited circumstances, to protect the individual from hearing anything about himself or herself which might cause serious harm to his or her physical or mental health or emotional well-being.
- The right of access to examination results is modified slightly.
- The right of access does not include a right to see personal data about another individual, without that other person's consent. This is necessary to protect the privacy rights of the other person. Where personal data consists of expressions of opinion about the data subject by another person, the data subject has a right to that expression of opinion except where that expression of opinion was given in confidence.
- The right of access does not include documents subject to legal professional privilege which relate to advice received from our lawyers and documents created for the dominant purpose of being used in legal proceedings.
- Confidential opinion relating to the data subject, where the opinion has the necessary quality of confidence.
6. Our Procedure for Data Subject Access Requests
6.1. Notify the Data Protection Officer or the Subject Access Request team:
Given the strict time limits for compliance with a data subject access request, it is important that whoever first receives the request immediately notifies our Data Protection Officer.
Our Data Protection Officer can be contacted by sending an email to firstname.lastname@example.org.
You may also send an email to email@example.com where your request will be forwarded to the appropriate person.
6.2. Data Protection Office acknowledgment
On receipt of the data subject access request, the Data Protection Officer or his/her alternate, will immediately reply to the request in writing (by email or letter - depending on the method of communication used by the data subject). This initial acknowledgement of the data subject access request should issue within 48 hours or two working days of receipt of the request. If we have any concerns as to the identity of the requestor it is important that the Data Protection Officer is made aware of this and that he/she asks for further identifying details from the requestor before releasing any information.
6.3. Time Process
At the same time as sending the initial response to the data subject, the date of expiry of the timeframe for delivery of a full response must be entered into the Data Protection Officer’s diary.
6.4. Further Information
The Data Protection Officer may ask the data subject for more information to help us to locate the data sought.
6.5. Information Collection
Once the Data Protection Officer is satisfied that a valid request has been made, she/he will liaise with the relevant people within Roomex and carry out the following:
- database search for all personal data sought;
- depending on the type of personal data sought, searches on individual staff members’ PCs/laptops; and
- full hardcopy records search.
If requested to do so by the Data Protection Officer, all of us within Roomex must do our utmost to comply with the time deadlines which she/he specifies. This will help us to respond quickly to data subject access requests and enable us to comply with our data protection obligations.
6.6. Information Review
Once the Data Protection Officer has gathered the information set out above, she/he will review the documents to identify any personal data contained therein and will extract any personal data relevant to that data subject only. Under no circumstances should personal data belonging to a third party be released to the data subject. If a document consists of personal data belonging to a number of data subjects, this document must be redacted, and any third-party personal data removed.
The Data Protection Officer will then fill in the template table setting out what personal data is being released and specifying what personal data, if any, is being retained and the relevant exemption of the GDPR and the Data Protection Act relied upon to refuse access.
The documents and a covering letter will issue to the data subject, including a copy of the relevant data, in a readable format.
In order to identify the types of data that are being requested on a regular basis, the Data Protection Officer will maintain a log of the data subject access requests to assist us in identifying how we can improve our processes.
6.7. Release to the Data Subject
The Data Protection Officer will fill in a template letter to the data subject; enclose a copy of the proposed data and the table of documents referred to above.