Get In Touch
6 Altamont Crescent, Kingston 5
info@mystiquejamaica.com
Phone: (876)618-8320

Data Subject Access Request Procedure

  1. Introduction

This Data Subject Access Request (DSAR) Procedure outlines the process for handling requests from data subjects to access their personal data in accordance with applicable data protection laws, such as the General Data Protection Regulation (GDPR) or other relevant regulations.

 

  1. Scope

This procedure applies to all employees, contractors, and third-party service providers who handle DSARs on behalf of [Organization Name].

 

  1. Definitions

“Data Subject” is an individual whose personal data is processed by Mystique Integrated Services Limited.

“DSAR” is a request made by a data subject to access their personal data held by Mystique Integrated Services Limited.

“Personal Data” is any information relating to an identified or identifiable natural person.

 

  1. Procedure

 

4.1 Receipt of DSAR

  1. DSARs may be submitted in writing, electronically, or verbally.
  2. Upon receiving a DSAR, the individual handling the request should promptly acknowledge receipt of the request to the data subject.

 

4.2 Verification of Identity

  1. Mystique Integrated Services Limited will verify the identity of the data subject making the DSAR to ensure the request is legitimate.
  2. Depending on the circumstances, additional information or documentation may be requested from the data subject to confirm their identity.

 

4.3 Processing the DSAR

  1. The Data Protection Officer (DPO) or designated personnel will coordinate the processing of the DSAR.
  2. The DPO will review the request and determine whether Mystique Integrated Services Limited possesses the requested personal data and whether any exemptions or limitations apply.
  3. If necessary, the DPO may consult with relevant departments or personnel to locate and retrieve the requested personal data.
  4. The DPO will ensure that the personal data is provided to the data subject in a clear, concise, and easily understandable format within the prescribed time frame specified by applicable regulations (e.g., within 30 days under GDPR).
  5. If the DSAR is complex or numerous, Mystique Integrated Services Limited may extend the response time by an additional period, provided that the data subject is informed of the extension and the reasons for it within the initial response period.

 

4.4 Exemptions and Refusals

  1. Mystique Integrated Services Limited may refuse to comply with a DSAR if it is manifestly unfounded or excessive.
  2. Exemptions to the right of access may apply in certain circumstances, such as legal privilege, trade secrets, or confidential business information. If an exemption applies, the data subject will be informed accordingly.

 

4.5 Communication with Data Subjects

  1. Mystique Integrated Services Limited will communicate with the data subject throughout the DSAR process to provide updates on the status of their request and to address any inquiries or concerns.
  2. Upon fulfilling the DSAR, Mystique Integrated Services Limited will provide the data subject with a copy of the requested personal data along with any relevant supplementary information.

 

4.6 Record-Keeping

  1. Mystique Integrated Services Limited will maintain records of all DSARs received, including details of the request, actions taken, and any correspondence with the data subject.
  2. Records of DSARs and responses will be retained in accordance with Mystique Integrated Services Limited’s data retention policy.

 

  1. Training and Awareness
  1. All employees involved in handling DSARs will receive training on this procedure and their responsibilities under data protection laws.
  2. Mystique Integrated Services Limited will periodically review and update this procedure to ensure compliance with evolving legal and regulatory requirements.

 

Last Update: December 2023

 

Code:

 

Version:

1

Date of version:

December 2024

Created by:

Kathryn Davis – Director of Operations

Approved by:

Valon Thorpe

Confidentiality level:

Public

 

Change history:

Date

Version

Created by

Description of change

dd.mm.yyyy

0.1