Last updated on 1st January 2025
You take privacy seriously, and so does Enterprise Data Insight (EDI). It’s our way of sustaining your trust in Enterprise Data Insight (EDI) as well as in our products and services.
1. Purpose
Individuals have the right to be informed about the Personal Data that Enterprise Data Insight (EDI) (“the Company”) holds on them, why we hold it and what we do with it. Individuals can submit a Data Subject Access Request (SAR), in response to which we are obliged to provide a copy of the Personal Data we hold about the subject.
Individuals have this right under GDPR legislation; in the UK it falls under Article 15 of the UK GDPR.
This Policy provides guidance to Staff on how to identify a subject access request and the actions that should be taken upon receiving a request.
2. Definitions
- Data Controller: the person or organisation which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. For the purposes of this Policy, the Company is the data controller of all personal data used in our business.
- Data Subject: a living, identified, or identifiable natural person about whom the Company holds Personal Data.
- Data Processing: any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. A Data Processor will only carry out processing on the direct instruction of a Data Controller (i.e. processing will not include decision-making).
- Data Protection Law: all legislation and regulations in force from time to time regulating the use of Personal Data and the privacy of electronic communications including, but not limited to, the Data Protection Act 2018. The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).
- Encryption or encrypted data: the most effective way to achieve data security. To read an encrypted file, you must have access to the secret key or password that enables you to decrypt it. Unencrypted data is called plaintext.
- GDPR: the General Data Protection Regulation (the “GDPR”) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of Personal Data outside the EU and EEA areas. The primary aim of the “GDPR” is to give control to individuals over their Personal Data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Following Brexit, the “UK GDPR” will be retained in UK law and will continue to be read alongside the DPA (the Data Protection Act 2018).
- ICO: the supervisory authority for data protection in the UK.
- Personal Data: any information relating to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data.
- PII (Personally Identifiable Information): any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for deanonymising previously anonymous data can be considered PII.
- Processing: any use that is made of data, including collecting, storing, amending, disclosing or destroying it.
- Pseudonymisation: the processing of Personal Data in such a manner that the Personal Data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the Personal Data is not attributed to an identified or identifiable natural person.
- Special Categories of Personal Data: data which relates to an individual’s health, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).
3. Scope
- The procedures and principles set out herein must be followed at all times by the Company and all its employees, agents, contractors, consultants, temporary staff, casual or agency staff, or other suppliers or data processors (hereafter referred to as “Staff”) working for or on behalf of the Company.
- All Personal Data collected, held, and processed by the Company will be handled in accordance with the Company’s Data Protection Policy which should be read in conjunction with this policy.
- The Data Protection Policy can be found in the Hubspot Policies Folder.
4. Receiving and responding to a SAR
The UK GDPR does not set out formal requirements for a valid data access request. The request does not have to include the phrases ‘subject access request’, ‘right of access’ or ‘Article 15 of the UK GDPR’. It just needs to be clear that the individual is asking for their own personal data. For example, if an individual sends a message saying “please send me details of all the information your company has about me”, this must be treated as a SAR and handled in the same manner as a request from an individual who has formally completed a SAR form.
An individual can make a SAR verbally or in writing, including by social media. They do not have to direct it to a specific person or contact point; it can be made to anyone in the Company.
The Company Subject Access Request Form can be requested from privacy@edatainsight.com, and the completed form sent to privacy@edatainsight.com. This should simplify the process for the requestor and the Company; however, individuals are not required to use the form.
Although Subject Access Requests may be made verbally, please advise individuals that a request is likely to be dealt with more efficiently and effectively if it is made in writing.
4.1. What to do when a SAR is received
- Forward the SAR and contact details of the requesting individual to Tina Sharma. This should be done promptly as the Company has a limited period of time to respond.
- Ensure Tina Sharma has received and is aware of the SAR.
4.2. Identifying Data Subjects
- The Company must always verify the identity of anyone making a subject access request before handing over any information. If further information is required to confirm the individual’s identity and their authority to make the request, it must be requested promptly. Note that the request can be made on the individual’s behalf, for example by a solicitor; in that case the third party must provide sufficient evidence that they are authorised to act on the individual’s behalf. Examples of information that may be requested and used to confirm the identity of the individual are a copy of their driving licence or passport. If the data subject’s identity cannot be confirmed, data should not be shared.
4.3. Responding to a SAR
The Company should aim to provide the relevant data as soon as practically possible and normally within one month of receipt. In exceptional circumstances, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject should be informed.
The following information should be provided to the individual in response to the SAR:
- whether or not their data is processed and the reasons for the processing of the data;
- the categories of personal data concerning them;
- where their data has been collected from if it was not collected by the Company;
- who the personal data has been disclosed to or will be disclosed to, including anyone outside of the EEA and the safeguards utilised to ensure data security;
- how long the data is kept for (or how that period is decided);
- the individual’s rights in relation to data rectification, erasure, restriction of and objection to processing;
- their right to complain to the Information Commissioner if they believe their rights have been infringed; and
- if the Company carries out any automated decision-making (including profiling), details of that automated decision-making, including a meaningful explanation of the logic involved and the significance and envisaged consequences for the data subject.
The information should be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
The Data Protection Legislation requires the Company to make ‘reasonable efforts’ to find and retrieve personal data in response to a SAR. The right of access is not limited to that information which is easy to find.
4.4. Timescales
The Company must aim to provide the relevant data as soon as practically possible and normally within one month of receipt. In exceptional circumstances, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject must be kept informed.
4.5. Fee
The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
The fee will be determined at the relevant time and will be set at a level which is reasonable in the circumstances.
5. Declining to respond
We may refuse to deal with a SAR if it is manifestly unfounded or excessive, or if it is repetitive.
Other instances include, but are not limited to, information that:
- is subject to legal or litigation privilege;
- is of a type likely to prejudice the prevention or detection of a crime, or the apprehension or prosecution of offenders, if it is disclosed;
- is a reference given or to be given in confidence for the purposes of employment;
- relates to management planning, but only to the extent that complying with the SAR would prejudice the conduct of the business or activity;
- consists of records of intentions with respect to negotiations between employer and employee, but only to the extent that complying with the SAR would prejudice such negotiations; and
- contains personal data concerning a third party.
When a decision is made to refuse a request, we must contact the individual without delay, and at the latest within one month of receipt, to inform them of the decision. An explanation should be provided and the individual should be informed of their right to complain to the Information Commissioner and to a judicial remedy.
6. Policy Governance
Responsibility for the Subject Access Request Policy and Procedure rests with Tina Sharma. Duties include, but are not limited to:
- Ensuring that all staff in scope and appropriate external parties have read and confirmed their acceptance of the latest version of this policy
- Monitoring for legal, regulatory or industry best practice developments in relation to this policy
- Coordinating with senior management, IT, and legal counsel to communicate and review issues related to this policy
- Reviewing and updating this policy at least every 12 months, so that it remains fit for purpose
This policy has been approved by senior management and is effective from 01-Jan-2025.
HOW CAN YOU CONTACT US ABOUT THIS POLICY?
If you have questions or comments about this policy, email us at privacy@edatainsight.com or by post to:
Enterprise Data Insight,
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
POLICY CHANGES
If we change our policies and procedures, we will post those changes on this page. If we make any changes to this Policy that materially change how we treat your personal information, we will endeavour to provide you with reasonable notice of such changes, to your email address of record, and where required by law, we will obtain your consent or give you the opportunity to opt out of such changes.