Last updated: 24/05/2018


One of the key rights that individuals (data subjects) have under the EU General Data Protection Regulations is to have access to the data that is held on them. The purpose of this procedure is to set out clearly the rights that individuals have and how Wordbank Marketing Ltd (“the Company”) meets these rights.

This procedure should be considered in conjunction with the following related documents:

o Privacy Statement
o Record Retention and Protection Policy
o Data Breach Notification Procedure


There are some underlying principles relating to Data Subject Access requests, which apply to both data subjects and the Company. They are:

1. When requested, the Company needs to provide data subjects with the information that we hold on them in a concise, transparent, intelligible and easily accessible format, using clear and plain language.
2. Information may be provided in writing, electronically or by other means.
3. The data subject may request the information orally (e.g. over the telephone or face to face), as long as the identity of the data subject has been established.
4. The Company must provide information without undue delay and within a maximum of one month from the receipt of the request.
5. The response timescale may be extended by up to two further months for complex or a high volume of requests – the data subject must be informed of this within one month of the request, and the reasons for the delay given.
6. If a request is made via electronic form, the response should be via electronic means where possible, unless the data subject requests otherwise.
7. If it is decided that the Company will not comply with a request, the data subject must be informed without delay and at the latest within a month, stating the reason(s) and informing the data subject of their right to complain to the Information Commissioner’s Office (ICO).
8. If there is doubt about a data subject’s identity, we may request further information to establish it.

A data subject has the right to ask the Company whether we process data about them, to have access to that data and in addition to the following information:

1. The purposes of the processing.
2. The categories of the personal data concerned.
3. The recipients, or categories of recipients, of the data, if any, in particular any third countries or international organizations.
4. The length of time that the personal data will be stored for (or the criteria used to determine that period).
5. The data subject’s rights to rectification or erasure of their personal data and restriction of, or objection to, its processing.
6. The data subject’s right to lodge a complaint with a supervisory authority.
7. Whether the personal data will be subject to automated processing, including profiling and, if so, the logic and potential consequences involved.
8. Where the data is transferred to a third country or international organization, information about the safeguards that apply.

Many of the above items are set out in our Privacy Statement and individuals should ensure that they are familiar with that document.


The steps for dealing with a Data Subject Access Request are set out below.

Data subject request received The data subject submits a request using one of a number of methods, including electronically (via email), by letter or on the telephone. This may be received by any part of the organization but should ideally be addressed to the COO via


Log data subject request The fact that the request has been received is logged in the Data Subject Request Register and the date of the request recorded.


Confirm identity of data subject The identity of the data subject is confirmed via an approved method. More information may be requested to confirm their identity if required. If the identity of the data subject cannot be confirmed, the request is rejected and the reason for this communicated to the data subject.


Evaluate validity of request The test of whether the request is “manifestly unfounded or excessive” is applied. If so, a decision is made whether to reject the request or apply a charge to it.

In the case of requests for rectification, erasure, restriction of, or objection to, processing, a decision is also taken about whether the request is reasonable and lawful. If not, the request is rejected and the data subject informed of the decision and their right to complain to the supervisory authority.


Charge for request If a charge is applied, the data subject is informed of the charge and has an opportunity to decide whether or not to proceed. If the data subject decides not to proceed, the request is rejected and the reasons communicated.


Compile requested information The relevant information is compiled according to the type of request. This may involve planning how the requested action, e.g. erasure or restriction of processing, will be achieved. A maximum of one month is permitted. If the request will take longer, then a maximum of two further months are allowed and the data subject must be informed of the delay and the reasons for it within one month of the request being submitted.


Take requested action/provide requested information The requested action is carried out (if applicable) and the information requested is provided to the data subject electronically, if that is the preferred method, or via other means.


Close data subject request The fact that the request has been responded to is logged in the Data Subject Request Register, together with the date of closure.



The Company will need to make a case-by-case decision as to whether the request can or should be declined for one of the following reasons:

o Right of freedom of expression and information
o Compliance with a legal obligation
o Public interest in the area of public health
o To protect archiving purposes in the public interest
o The personal data is relevant to a legal claim

It is likely that such decisions will require the involvement of the Managing Director.

GDPR is new legislation and its interpretation will evolve over time. The Company will continue to adopt best endeavours to ensure ongoing compliance. However, if you have concerns about any of the actions that are being taken, or are unclear as to how the Company is complying with specific elements of the legislation, please raise your concerns with the COO via We will then investigate the matter and respond to you within 28 days.