Subject Access Request

 

SUBJECT ACCESS REQUEST POLICY

 

  1. Introduction

    • Mount Merrion Youths Football Club is aware of its obligations as a data controller, with primary responsibility for, and a duty of care towards the personal data within its control.
    • In this policy, “we” and “our” refers to Mount Merrion Youths Football Club while “you” and “your” refers to any relevant person making a request for access to personal data under this policy.
    • Our obligations in this regard are as set out in the General Data Protection Regulation (EU Regulation 2016/679) and associated implementing and supplementary legislation in Ireland (“GDPR”).
    • Data subjects whose personal data is held by any data controller in Europe are entitled to ask data controllers and receive confirmation as to whether or not personal data concerning them are being processed.
    • Where data is being processed, data subjects are entitled to access that personal data as well as the following information in relation thereto:-
      • the purposes of the processing;
      • the categories of personal data concerned;
      • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international     organisations;
      • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
      • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the          data subject or to object to such processing;
      • the right to lodge a complaint with a supervisory authority;
      • where the personal data are not collected from the data subject, any available information as to their source;
      • the existence of automated decision-making (including profiling) being operated on the data subject’s data and, where relevant, meaningful             information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; and
      • where personal data are transferred to a third country or to an international organisation, the appropriate safeguards pursuant to the GDPR relating to such
  1. Form of the request

    • A request for details of or access to personal data is known as a subject access request.
    • However, it may not always be necessary to treat a request for information as a formal request under the GDPR.
    • If the request for information is one which Mount Merrion Youths Football Club would normally deal with within the normal course of business (e.g. contact details for a manager of a team), Mount Merrion Youths Football Club will consider whether this is a formal subject access request under the applicable law, or whether it can be managed as a “business-as-usual” process.
    • We ask that a subject access request should be made in writing and should include sufficient information to identify the data subject to our reasonable satisfaction so we can verify that we are not releasing your data to someone who is impersonating you. We have prepared a subject access form that we request you complete when making an access request.  Please email dataprivacy@mmyfc.ie for access to the form.
    • When these criteria are satisfied, we will be in a position to commence the work involved in responding to your request. Mount Merrion Youths Football Club will strive to respond to a valid request as quickly as possible and in any event without undue delay, but if we have not been able to complete our work in that regard within thirty (30) days we will update you as to the progress of our response to your request.
  2. Communicating with the Data Subject

    • Mount Merrion Youths Football Club will communicate directly with you once a valid subject access request has been received.
    • Rather than having to provide a copy of all data held by Mount Merrion Youths Football Club this contact may help you to specify the exact information you wish to receive, thereby reducing the effort, time and cost required to collate and provide the data being sought.
    • You can help us to expedite responding to your request by giving us as much information as possible about the data you are seeking to access and limiting the range, scope and time of data sources you wish us to search as much as possible.
    • However, we acknowledge that, where you wish to receive a copy of everything we hold about you, then we will fulfil a complete and exhaustive search of all relevant data in the organisation.
  3. Systems Search
    • Unless there is a legitimate option to reduce the scope of the request, a search of all databases and all relevant filing systems (manual files) under the GDPR will be carried out throughout the organisation.
    • Emails are subject to subject access, as are archived computerised and manual data held in a relevant filing system. CCTV footage and tapes of telephone conversations, if applicable, will also be included within the scope of the request, and must be searched on receipt of any subject access request from you, unless you require otherwise.
    • Mount Merrion Youths Football Club will organise the response to the request by giving one or more individuals responsibility for issuing requests for information throughout the organisation and receiving all the returns.
    • The co-ordination of your subject access request will be the responsibility of such person(s).
  4. Restrictions following receipt of a request

    • Compliance with the GDPR and related legislation is not intended to interfere with the normal running of the data controller’s business and following the receipt of a valid request, we are permitted to make changes to the requested information in the normal course of operation provided that no changes are made because of the request itself.
    • This applies even where the data controller would rather not release the information in its current form. This includes the correction of any incorrect data held as the principle is that the individual has a right to request the actual information held about them (whether or not it is accurate or correct).
  5. Third Party Data
    • Once the information has been collected, we will consider our obligations to other data subjects. The person(s) preparing our response to your request will consider the rights of third parties, any obligations of confidentiality which may apply and any relevant exemptions under the GDPR.
    • Where the identity of third parties would be disclosed in data which relates to you we may need to either blank out (redact) that data to protect the privacy and confidentiality of such third parties or provide you with an extract from that data instead of the original source material.
  6. Exemptions

    • Some material is exempt from inclusion in the response to a subject access request by law and exemptions may be added to from time to time by ministerial order for example if the data is subject to legal professional privilege.
    • If we hold data that is exempt from the requirement to disclose it to you we will inform you of the relevant exemption upon which we rely for not disclosing the data.
  7. Form of Response

    • As a matter of course, Mount Merrion Youths Football Club will provide the data subject with any relevant data in response to a subject access request in electronic form.
    • We will typically provide the information in password protected format and by email unless requested otherwise. Please ensure that if you do not wish to receive our response to your request by email (whether because of security or other reasons) that you let us know at the time of making your request.
    • Once our response to your subject access request has been finalised, we will make a full copy of the material to be retained for our own reference and for evidentiary purposes. This record will be used as a reference should, in the future, there be any dispute as to the content or timeliness of the response provided to you.
    • We recognise that failure to respond to a subject access request within the requisite period gives rise to the ability of the individual to complain to the Office of the Data Protection Commissioner and may well give rise to an investigation by the Commissioner.
    • We do our best to ensure that all subject access requests are handled efficiently and effectively at all times and we appreciate your co-operation and assistance in vindicating your rights under GDPR.