Data Subject Access Request Policy & Procedure

Introduction

This policy outlines the obligations of John Banks Limited ("the Company"), a company registered in the United Kingdom under number 1831725 with its registered office at Kempson Way, Moreton Hall, Bury St Edmunds, Suffolk, IP32 7AR. It details how the Company handles data subject access requests (SARs) in compliance with applicable Data Protection Legislation (defined below).

The policy provides guidance on the identification, handling, and response to SARs. All employees, agents, contractors, or other parties working on behalf of the Company must adhere to the procedures and principles outlined herein.

Definitions

Data Controller: The entity that determines the purposes and means of processing personal data. The Company acts as the data controller for all personal data processed within its operations.

Data Processor: Any individual or organisation that processes personal data on behalf of a data controller.

Data Protection Legislation: Refers to all applicable laws regarding data protection and privacy, including the General Data Protection Regulation (GDPR) and any associated national legislation in England and Wales.

Data Subject: A living individual identifiable by the personal data held by the Company.

Personal Data: Information relating to a data subject that can identify them directly or indirectly.

Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and destruction.

Special Category Personal Data: Data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, health, sexual orientation, or biometric/genetic data.

Data Protection Officer & Scope of Policy

The Data Protection Officer (DPO) for John Banks Limited is Olivia Tombs ([email protected]). The DPO is responsible for:

Administering and overseeing this policy.

Developing and implementing related policies and procedures.

Ensuring compliance with Data Protection Legislation regarding SARs.

Providing training and support to staff on their data protection responsibilities.

This policy applies to all personal data processed by the Company, including data related to employees, customers, suppliers, and business contacts. It specifically addresses the right of access under Article 15 of the GDPR, enabling data subjects to:

Confirm whether their personal data is being processed.

Access copies of their personal data.

Receive supplementary information about how their data is used.

Recognising a Subject Access Request

SARs can be made in any format (written, verbal, electronic) and may not explicitly reference "Subject Access Request" or data protection laws. For instance, a message such as "Please provide all the information you hold about me" qualifies as a SAR.

Employees should remain vigilant to such requests and immediately escalate them to the DPO. To assist data subjects, the Company provides a SAR form, available from the head office. However, data subjects are not obligated to use this form.

Third-party SARs (e.g., made by solicitors or family members) must be supported by evidence of the requester’s authority to act on the data subject’s behalf. Special considerations apply when SARs involve children or individuals lacking mental capacity.

Handling Subject Access Requests

Initial Steps

Escalation: Forward all SARs immediately to the DPO at [email protected]. Do not take further action unless authorised.

Verification: Reasonable steps must be taken to verify the identity of the requester. Acceptable documentation includes:

A passport or driving licence.

Proof of vehicle registration (if applicable).

Clarification: If the request is broad, the data subject may be asked to clarify their request. The timeframe for responding begins only after sufficient information is provided.

Timeframes

Standard Response: Respond to SARs within one calendar month of receipt.

Extensions: For complex requests or multiple SARs, the response time may be extended by up to two months. The data subject must be informed of any extension within the initial one-month period.

Response Content

The response to a SAR must include:

The purposes of processing.

Categories of personal data processed.

Recipients of the data.

Retention periods or criteria used to determine them.

Details of rights to rectification, erasure, or objection.

Information on automated decision-making (if applicable).

Safeguards for international data transfers (if any).

Refusing a Subject Access Request

The Company may refuse to comply with a SAR if:

The request is manifestly unfounded or excessive.

The requester fails to provide necessary identification.

Refusals must be justified in writing within one month, and data subjects must be informed of their right to complain to the ICO or seek judicial remedy.

Exemptions to Access

Exemptions to the right of access include data:

Subject to legal privilege.

Processed for management forecasting or planning.

Containing third-party personal data (unless consent is obtained).

For specific concerns, staff should consult the DPO or refer to ICO guidance.

Data Management During SARs

Personal data must not be amended, deleted, or otherwise altered following receipt of a SAR unless such action aligns with normal data management procedures.

Compliance and Consequences

Failure to comply with this policy or the Data Protection Legislation may result in:

Regulatory action by the ICO.

Legal claims for damages.

Disciplinary action for employees, up to and including dismissal for gross misconduct.

Policy Review

This policy will be reviewed regularly. The DPO and CEO will oversee its ongoing relevance and compliance with legal requirements.

Implementation

This policy is effective from August 2019. It is not retroactive and applies only to actions taken on or after this date. This policy is reviewed annually.

Approved and Authorised by:

Name: Melanie Banks-Browne

Position: Chief Executive

Date: December 2024