Subject Access Request process

1. Your rights

Under Articles 15 to 22 of the UK GDPR you have the following rights in relation to personal data we hold about you:

• Article 15 — Right of access. Confirmation whether we process your data, a copy of the data, and information about how we use it.
• Article 16 — Right to rectification. Correction of inaccurate or incomplete data.
• Article 17 — Right to erasure. Deletion of your data where one of the grounds in the Article applies.
• Article 18 — Right to restriction. Restriction of processing in certain situations (for example, while you contest accuracy).
• Article 19 — Notification obligation. Where we correct or erase data, we notify recipients we shared it with unless that proves impossible or disproportionate.
• Article 20 — Right to portability. A machine-readable copy of data you provided to us, where the lawful basis is consent or contract.
• Article 21 — Right to object. Object to processing based on legitimate interests or for direct marketing.
• Article 22 — Automated decisions. Not be subject to a solely automated decision producing legal or similarly significant effects.

2. How to make a request

Send your request by email to dpo@sifotech.co.uk. You do not need to use any particular form. Please tell us:

• which right(s) you want to exercise;
• the email address(es) or account(s) we may hold data under;
• if you are limiting your request to a date range, product or type of data;
• how you would like to receive the response.

You may also write to us at our registered office. We accept requests from a clearly authorised representative (for example, a solicitor) on production of written authority.

3. Identity verification

We must be reasonably satisfied of your identity before releasing personal data. For most requests, replying from the email address registered to the relevant account is sufficient. Where the request relates to sensitive data or where we have good reason to doubt identity, we may ask for further evidence (such as a copy of photo ID with the photo and document number redacted). We destroy any identification documents after verification.

4. Response timescales

We respond to valid requests without undue delay and at the latest within one (1) calendar month of receipt, in accordance with Article 12(3) UK GDPR. Where a request is particularly complex or where we have received a number of requests from you, we may extend the period by up to a further two (2) months. We will tell you about any extension and the reason within the first month.

5. Fees

We do not charge a fee for the first copy of personal data or for the great majority of requests. Where a request is manifestly unfounded or excessive — in particular if it is repetitive — we may charge a reasonable administrative fee or refuse to act. We will explain the reason and how to challenge the decision.

6. Format of response

Responses are normally provided by email. Where a portability right under Article 20 applies, we provide data in a structured, commonly-used, machine-readable format such as CSV or JSON. Third-party personal data and other lawfully redacted material will be removed or redacted.

7. Grounds for refusal

We may, in limited circumstances, refuse to act on a request:

• if it is manifestly unfounded or excessive (see section 5);
• if disclosure would adversely affect the rights and freedoms of others;
• where an exemption in Schedules 2 to 4 of the DPA 2018 applies (for example, legal privilege, regulatory functions, or crime prevention);
• where the right does not apply on its terms (for example, erasure where we need to retain data to comply with a legal obligation).

We will explain any refusal in writing and tell you about your right to complain to the ICO.

8. Complaints to the ICO

If you are not satisfied with how we have handled your request you may complain to the UK Information Commissioner's Office.

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Helpline: 0303 123 1113. Website: ico.org.uk.

9. Contact

For all subject-access requests and other data-protection enquiries, email dpo@sifotech.co.uk. Our registered office and ICO number are published at sifotech.co.uk/trust.