Policies and Procedures

Subject Access Request Policy

Last updated: February 15, 2024

Introduction

North Offaly CoderDojo (“the Dojo”) is aware of its obligations as a data controller, with primary responsibility for, and a duty of care towards, the personal data within its control.  

In this policy, “we” and “our” refer to the Dojo while “you” and “your” refer to any relevant person making a request for access to personal data under this policy.

Our obligations in this regard are as set out in the General Data Protection Regulation (EU Regulation 2016/679) and associated implementing and supplementary legislation in Ireland (“GDPR”).

Data subjects whose personal data is held by any data controller in Europe are entitled to ask data controllers for, and receive, confirmation as to whether or not personal data concerning them are being processed.

Where data is being processed, data subjects are entitled to access that personal data as well as the following information in relation thereto: 

  • the purposes of the processing;
  • the categories of personal data concerned;
  • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data is not collected from the data subject, any available information as to its source;
  • the existence of automated decision-making (including profiling) being operated on the data subject’s data and, where relevant, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; and
  • where personal data is transferred to a third country or to an international organisation, the appropriate safeguards pursuant to the GDPR relating to such transfer.

Form of the request

A request for details of, or access to, personal data is known as a subject access request. However, it may not always be necessary to treat a request for information as a formal request under the GDPR.

If the request for information is one which the Dojo would normally deal with within the normal course of business, the Dojo will consider whether this is a formal subject access request under the applicable law, or whether it can be managed as a “business-as-usual” process.

We ask that a subject access request should be made in writing, and should include sufficient information to identify the data subject to our reasonable satisfaction so we can verify that we are not releasing your data to someone who is impersonating you. We have prepared a subject access form that we request you complete when making an access request. Please email northoffaly.ie@coderdojo.com to request the subject access request form.

On satisfaction of these criteria we will be in a position to commence the work involved in responding to your request. The Dojo will strive to respond to a valid request as quickly as possible and in any event without undue delay, but if we have not been able to complete our work in that regard within thirty (30) days we will update you as to the progress of our response to your request.

Communicating with the Data Subject

The Dojo will communicate directly with you once a valid subject access request has been received.

Rather than the Dojo having to provide a copy of all data it holds, this contact may help you to specify the exact information you wish to receive, thereby reducing the effort, time and cost required to collate and provide the data being sought.

You can help us to expedite responding to your request by giving us as much information as possible about the data you are seeking to access and limiting the range, scope and time of data sources you wish us to search in so far as possible.

However, we acknowledge that you may wish to receive a copy of everything we hold about you, in which case we will carry out a complete and exhaustive search of all relevant data within the Dojo.

Systems Search

Unless there is a legitimate option to reduce the scope of the request, a search of all databases and all relevant filing systems (to include manual files) under the GDPR will be carried out throughout the Dojo.

Emails are subject to subject access, as are archived computerised and manual data held in a relevant filing system.

The Dojo will organise the response to the request by giving one or more individuals responsibility for issuing requests for information throughout the Association and receiving all the returns.

The co-ordination of your subject access request will be the responsibility of such person(s). You will be notified of their identity upon receipt of your request.

Restrictions following receipt of a request

Compliance with the GDPR and related legislation is not intended to interfere with the normal running of the data controller’s business. Following the receipt of a valid request, we are permitted to make changes to the requested information in the normal course of operation, provided that no changes are made as a result of the request itself.

This applies even where the data controller would rather not release the information in its current form. This includes the correction of any incorrect data held, as the principle is that the individual has a right to request the actual information held about them, regardless of its accuracy.

Third party data

Once the information has been collected, we will consider our obligations to other data subjects. The person(s) preparing our response to your request will consider the rights of third parties, any obligations of confidentiality which may apply and any relevant exemptions under the GDPR.

Where the identity of third parties would be disclosed in data which relates to you, we may need to either blank out (redact) that data to protect the privacy and confidentiality of such third parties or provide you with an extract from that data instead of the original source material.

Exemptions

Some material is exempt from inclusion in the response to a subject access request by law, and exemptions may be added to from time to time by ministerial order or, for example, if the data is subject to legal professional privilege.

If we hold data that is exempt from the requirement to disclose it to you, we will inform you of the relevant exemption upon which we rely for not disclosing such data.

Form of response

As a matter of course, the Dojo will provide the data subject with any relevant data in response to a subject access request in electronic form.

We will typically provide the information in password-protected format and by email unless requested otherwise. If you do not wish to receive our response to your request by email (whether for security or other reasons), please ensure that you let us know at the time of making your request.

Once our response to your subject access request has been finalised, we will make a full copy of the material to be retained for our own reference and for evidentiary purposes. This record will be used as a reference should, in the future, there be any dispute as to the content or timeliness of the response provided to you.

As a club run by volunteers, we do our best to ensure that all subject access requests are handled efficiently and effectively at all times and we appreciate your co-operation and assistance in vindicating your rights under GDPR.