Data Subject Access Request (DSAR) Procedure

1. Introduction

1.1. This procedure outlines the steps that Fifty Five and Five Ltd (“the Company”) will follow upon receiving a Data Subject Access Request (DSAR) from an individual wishing to access their personal data held by our organisation.

2. Scope

2.1. This procedure applies to all employees and personnel of the Company responsible for handling personal data and processing DSARs.

3. Recognition of a DSAR

3.1. A DSAR can be made in writing or verbally.
3.2. All staff should be trained to recognise a DSAR and should immediately forward any received DSAR to the designated Data Protection Officer (DPO).

4. Procedure upon Receiving a DSAR

4.1. All DSARs, whether received by email, post, or verbally, should be logged and dated in the DSAR log.
4.2. The DPO should acknowledge receipt of the DSAR within five working days and inform the data subject of the next steps.

5. Verification of the Data Subject’s Identity

5.1. Before processing the DSAR, the DPO must verify the identity of the individual making the request.
5.2. If the DPO has doubts about the identity of the individual, further information may be requested to confirm the requester’s identity.

6. Collating the Data

6.1. The DPO will liaise with relevant departments to collate all the personal data pertaining to the data subject.
6.2. The Company must ensure that the data of other individuals is not disclosed as part of the DSAR.

7. Responding to the DSAR

7.1. The Company has one month from the receipt of the DSAR to provide a response.
7.2. The response should be clear and concise, providing the data subject with a copy of their personal data and any supplementary information deemed relevant.
7.3. If the request is complex, the response period may be extended by a further two months. In such cases, the data subject must be informed of the extension within one month of the request’s receipt, explaining the reason for the delay.

8. Exemptions

8.1. In certain circumstances, the organisation may be exempt from providing all or some of the personal data requested. Such exemptions will be assessed on a case-by-case basis and could include data related to legal proceedings or legal privilege, or cases where disclosure may cause serious harm to the physical or mental health of any individual.

9. Refusal of a DSAR

9.1. If the DSAR is considered manifestly unfounded or excessive, the Company can either refuse to act on the request or charge a reasonable fee for its administrative costs.
9.2. If the Company decides to refuse a DSAR, the data subject must be informed of this decision and the reasons for it within one month of the request’s receipt. The data subject should also be informed of their right to complain to the Information Commissioner’s Office (ICO) and their right to a judicial remedy.

10. Record Keeping

10.1. All DSARs and the Company’s responses to them should be logged and kept for a period of at least two years to demonstrate compliance.

11. Queries and Complaints

11.1. Any queries regarding this procedure or any complaints regarding the handling of a DSAR should be directed to the DPO at