Skip to Main Content

Data Subject Access Request

You have the right to ask a ‘Data Controller’ whether or not they are using or storing your personal information.

You can also ask them for copies of your personal information, verbally or in writing. This is called the right of access and is commonly known as making a subject access request or SAR.

What is ‘Personal Data’?

Personal Data means any information relating to an identifiable person who can be directly, or indirectly, identified.

Personal identifiers include a name, identification number, location data or online identifier. It applies to automated personal data as well as manual filing systems where personal data is accessible according to specific criteria; this could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

What rights do individuals (‘Data Subjects’) have?

Individuals (‘Data Subjects’) have the right to obtain:

  • Confirmation that their data is being processed
  • Access to their personal data
  • Other supplementary information (mostly the information provided in privacy notices).
  • Given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
  • Given a copy of the information comprising the data; and given details of the source of the data (where this is available).

How do individuals (‘Data Subjects’) submit requests for their information?

Phoenix Software Ltd will hold personal data either as a Data Controller for our own and our employees data or a Data Processor for our customers’ data.

Where we have your personal data on behalf of a customer, we will direct your query to that customer as the responsible Data Controller for the personal data we are processing. They will be responsible for acknowledging and handling your request.

The information Phoenix Software Ltd holds as a Data Controller is available upon request by contacting [email protected].

Individuals can also request their data is updated and/or deleted at any time, unless Phoenix Software Ltd needs to retain it for legitimate business or legal purposes, by submitting a request to this email address.

Responding to Subject Data Access Requests

Phoenix Software Ltd may ask you to verify their identity before their request is actioned.

Phoenix Software Ltd has the right to you for enough information to judge whether the person making the request is the individual to whom the personal data relates. This is to avoid personal data about one individual being sent to another, accidentally or as a result of deception.

Phoenix Software Ltd has the right to ask for information that is reasonably needed to find the personal data covered by the request. If no personal information about the individual is held, you will be informed.

Phoenix Software Ltd will take all reasonable efforts to locate all the information held on you and liaise with the Phoenix Software Ltd Departments and/or Third Parties concerned in order to collate all the information.

Information will be provided within at least one calendar month of receiving the request. Where requests are complex or numerous, Phoenix Software Ltd has the right to extend the deadline for providing the information to three months. However, a response to the request explaining why the extension is necessary, will be sent within one month.

Information will be provided free of charge unless the request is deemed to be manifestly unfounded or excessive. In which case a request can be refused or a charge be made. If a request is refused, the individual will be informed as to why and advised that they have the right to complain to the ICO and to a judicial remedy. The refusal will be made without undue delay and at the latest, within one month.

Where we are allowed or required to remove data from our response under the provisions of the Data Protection Act 2018, we will do so and outline this to you as appropriate.

We will also outline in our response how you can complain about the handling of the request to us and the Information Commissioner’s Office.

Last revised: 10th January 2024