IT&T Subject Access Request Policy
GDPR Data Subject Access Request (SAR) Policy – Clients and Suppliers
Data Protection Statement
The GDPR require that personal data is processed fairly and lawfully. IT&T is committed
to protecting the privacy and confidentiality of personal information relating to clients and
The Company's Data Controller is Daniela Bosco. Where an individual feels that
the rules of data protection have been compromised within IT&T, they should
contact the Daniela Bosco.
Personal data held by the Company will be used for the purposes of fulfilling business
contracts and communicating information which is of legitimate interest to clients and
suppliers. Disclosure of personal information to a third party will only occur with the
expression permission of the individual, unless the Company has a statutory/legal obligation
to disclose the information.
The Right to Subject Access
In accordance with the GDPR, you have the right to be informed of the information held about
you and to discover to whom it has been disclosed. Should you wish to access the information
held by IT&T, you must make a formal request to IT&T in
writing. We will also need to see proof of your identity, to make sure it really is you asking for
your personal data. We have created a Subject Access Request form to make this easier, but
you do not have to use this in order to request access to your data – we just need some
details as to what you would like to access.
Under the GDPR you are entitled to access the following:
the reasons why your data is being processed;
the description of the personal data;
anyone who has received or will receive your personal data; and
details of the origin of your data if it was not collected from you.
How We Handle SARs
Once you have submitted your Subject Access Request, along with proof of your identity, we
will respond to you in writing within one month with your data or with an indication of
timelines if we cannot provide your data within this time frame. All data requests will be
completed within a maximum of three months in accordance with the GDPR. There will be no
charge for making a Subject Access Request unless the request is ‘manifestly unfounded or
excessive’. We may charge for multiple requests and this will be handled on a case-by-case
Who to Contact
Please contact our Data Protection Officer (DPO) by email (firstname.lastname@example.org).