This procedure document supplements the subject access request (SAR) provisions set out in ICAP CRIF EAD (hereinafter referred to as the ‘Company’ or ‘ICAP CRIF’) Data Protection Policy & Procedure and provides the process for individuals to use when making an access request, along with the protocols followed by the Company when such a request is received.
The Company collects personal information to effectively and compliantly carry out our everyday business functions and services and, in some circumstances, to comply with the requirements of the law and/or regulations.
As the Company processes personal information regarding individuals (data subjects), we are obligated under the General Data Protection Regulation (GDPR) to protect such information, and to obtain, use, process, store and destroy it, only in compliance with the GDPR and its principles.
THE GENERAL DATA PROTECTION REGULATION
The General Data Protection Regulation (GDPR) gives individuals the right to know what information is held about them, to access this information and to exercise other rights, including the rectification of inaccurate data. The GDPR is a standardised regulatory framework which ensures that personal information is obtained, handled and disposed of properly.
As the Company are obligated under the GDPR and Bulgarian data protection laws, we abide by the Regulations’ principles, which ensure that personal information shall be:
The Regulation also requires that ‘the controller shall be responsible for, and be able to demonstrate, compliance with the GDPR principles’ (‘accountability’). The Company have adequate and effective measures, controls and procedures in place, that protect and secure your personal information and guarantee that it is only ever obtained, processed and disclosed in accordance with the relevant data protection laws and regulations.
2. WHAT IS PERSONAL INFORMATION?
Information protected under the GDPR is known as “personal data” and is defined as:
“Any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
According to the legal definition of Art. 2, Paragraph 1 of the Bulgarian Personal Data Protection Act, personal data is any information related to an individual who is identified or can be identified directly or indirectly by an identification number or by one or more specific features. It covers data of any nature which, alone or in combination with other data, may lead to a unique identification of a particular individual.
The definition in the Bulgarian law contains four basic building blocks:
• “Any information”
• “connected to”
• “Identified or identifiable”
Everyone has the right to the protection of personal data. This includes the right of individuals to protection against the recording, processing, transfer and storage of their personal data.
In Bulgaria, personal data is protected and administered by the Personal Data Protection Commission.
3. THE RIGHT OF ACCESS
Under Article 15 of the GDPR, an individual has the right to obtain from the controller, confirmation as to whether or not personal data concerning them is being processed. We are committed to upholding the rights of individuals and have dedicated processes in place for providing access to personal information. Where requested, we will provide the following information:
3.1 HOW TO MAKE A SUBJECT ACCESS REQUEST (SAR)?
A subject access request (SAR) is a request for access to the personal information that the Company holds about you, which we are required to provide under the GDPR (unless an exemption applies). The information that we provide is covered in section 3 of this document.
You can make this request in writing using the details provided in section 7, or you can submit your access request electronically. Where a request is received by electronic means, we will provide the requested information in a commonly used electronic form (unless otherwise requested by the data subject).
3.2 WHAT WE DO WHEN WE RECEIVE AN ACCESS REQUEST
Subject Access Requests (SAR) are passed to the Data Protection Officer/Compliance Officer as soon as received and a record of the request is noted. The person in charge will use all reasonable measures to verify the identity of the individual making the access request, especially where the request is made using online services.
We will utilise the request information to ensure that we can verify your identity and where we are unable to do so, we may contact you for further information, or ask you to provide evidence of your identity prior to actioning any request. This is to protect your information and rights.
If a third party, relative or representative is requesting the information on your behalf, we will verify their authority to act for you and again, may contact you to confirm their identity and gain your authorisation prior to actioning the any request.
If you have provided enough information in your SAR to collate the personal information held about you, we will gather all forms (hard-copy, electronic etc) and ensure that the information required is provided in an acceptable format. If we do not have enough information to locate your records, we may contact you for further details. This will be done as soon as possible and within the timeframes set out below.
Once we have collated all the personal information held about you, we will send this to you in writing (or in a commonly used electronic form if requested). The information will be in a concise, transparent, intelligible and easily accessible format, using clear and plain language.
4. FEES AND TIMEFRAMES
SARs are always completed within 30-days and are provided free of charge. Where the request is made by electronic means, we provide the information in a commonly used electronic format, unless an alternative format is requested.
The Company always aim to provide the requested information at the earliest convenience, but at a maximum, 30 days from the date the request is received. However, where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by one month. If this is the case, we will write to you within 30 days and keep you informed of the delay and provide the reasons.
5. YOUR OTHER RIGHTS
Under the GDPR, you have the right to request rectification of any inaccurate data held by us. Where we are notified of inaccurate data, and agree that the data is incorrect, we will amend the details immediately as directed by you and make a note on the system (or record) of the change and reasons.
We will rectify the errors within 30-days and inform you in writing of the correction and where applicable, provide the details of any third-party to whom the data has been disclosed.
If for any reason, we are unable to act in response to a request for rectification and/or data completion, we will always provide a written explanation to you and inform you of your right to complain to the Supervisory Authority and to seek a judicial remedy.
In certain circumstances, you may also have the right to request from the Company, the erasure of personal data or to restrict the processing of personal data where it concerns your personal information; as well as the right to object to such processing. You can use the contact details in section 7 to make such requests.
6. EXEMPTIONS AND REFUSALS
The GDPR contains certain exemptions from the provision of personal information. If one or more of these exemptions applies to your subject access request or where the Company does not act upon the request, we shall inform you at the earliest convenience, or at the latest, within one month of receipt of the request.
Where possible, we will provide you with the reasons for not acting and any possibility of lodging a complaint with the Supervisory Authority and your right to seek a judicial remedy. Details of how to contact the Supervisory Authority are laid out in section 7 of this document.
If you are unsatisfied with our actions or wish to place a further data subject request, you can contact us in writing at: DPO/Privacy Office, email@example.com
ICAP CRIF EAD, 51B Bulgaria Blvd. fl.5, office 14, 1404 Sofia Bulgaria, +359028014100
If you remain dissatisfied with our actions, you have the right to lodge a complaint with the Supervisory Authority. The Bulgarian Supervisory Authority can be contacted at:
Personal Data Protection Commission, 2, Prof. Tsvetan Lazarov Blvd, 1592, Sofia, +359029153555, +359029153519, firstname.lastname@example.org , www.cpdp.bg