Data Subject Rights Policy and Procedure

Document Control
Document Name: Data Subject Rights Policy and Procedure
Author: Data Protection Lead
Department: Data Protection
Approval:
Review Date:
Distribution: Internal Document
Version: 0.1
Version Control
Version: 0.1 | Date: Mar 2026 | Author: Data Protection Lead | Comments: Document Drafted

Contents

Document Control

Version Control

Introduction

Scope of Policy

How Requests are Made

Right of Access (Subject Access Requests)

What to do When a Subject Access Request is Received

Responding to a Subject Access Request Part 1: Identifying Data Subjects and Clarifying Requests

Responding to a Subject Access Request Part 2: Fees

Responding to a Subject Access Request Part 3: Time Limits

Responding to a Subject Access Request Part 4: Information to be Provided

Responding to a Subject Access Request Part 5: Locating Information

Review of the information

Refusing to Respond to a Subject Access Request

Exemptions to the Right of Access

Erasure or Disposal of Personal Data

Right to Rectification (Article 16)

Right to Erasure (“Right to be Forgotten”) (Article 17)

Right to Restriction of Processing (Article 18)

Right to Data Portability (Article 20)

Right to Object (Article 21)

Rights Related to Automated Decision-Making (Article 22)

Complaints/Escalation

Internal Reviews and the Information Commissioner’s Office (ICO)

Failure to Comply with this Policy

Policy Review

Introduction

This Policy sets out the obligations of Cheyne Walk Club (the Company) regarding data subject rights under the Data Protection Legislation (defined below).

This Policy also provides guidance on the handling of data rights requests. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.

Definitions

“data controller” means the person or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data. For the purposes of this Policy, the Company is the data controller of all personal data used in our business;
“data processor” means a person or organisation which processes personal data on behalf of a data controller;
“Data Protection Legislation” means all applicable data protection and privacy laws including, but not limited to, the UK GDPR, the Data Protection Act 2018, and any other applicable national laws, regulations, and secondary legislation in England and Wales concerning the processing of personal data or the privacy of electronic communications, as amended, replaced, or updated from time to time;
“data subject” means a living, identified, or identifiable individual about whom the Company holds personal data;
“personal data” means any information relating to a data subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that data subject;
“processing” means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; and
“special category personal data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sexual life, sexual orientation, biometric, or genetic data.

Scope of Policy

The Company’s Data Protection Lead is responsible for administering this Policy; for developing and implementing any applicable related policies (including those referred to in this Policy), procedures, and/or guidelines; and for ensuring that all employees, agents, contractors, or other parties working on behalf of the Company have an understanding of the Data Protection Legislation, their obligations and rights under it as it applies to their job role(s).

Data subjects have rights with respect to their personal data under the Data Protection Legislation, including:

  • The right of access (Article 16)
  • The right to erasure (Article 17)
  • The right to restrict processing (Article 18)
  • The right to data portability (Article 20)
  • The right to object (Article 21)
  • Rights relating to automated decision making (Article 22)

This Policy should, where appropriate, be read in conjunction with the Company’s Data Protection Policy.

Any questions relating to this Policy, the Company’s collection, processing, or holding of personal data, or to the Data Protection Legislation should be referred to the Data Protection Lead or nominated person, by emailing: info@cheynewalkclub.co.uk.

How Requests are Made

Requests may be made verbally or in writing and do not need to reference data protection legislation or quote the rights. Staff should be trained in how to recognise requests. These may include requests or queries relating to:

  • What personal data is held;
  • Third parties with whom data is shared;
  • Data retention periods;
  • Data deletion queries;
  • Use of automated software, such as AI;
  • How and why data is used

Requests may instead use more general terminology, using terms such as ‘information’ rather than ‘personal data’. For example, a message sent to the Company via social media such as ‘please provide details of all the information you have about me’ will be a valid SAR and must be treated in the same way as a more formal communication referring specifically to a ‘subject access request’ and data subjects’ rights under the UK GDPR.

Individuals may make SARs on their own behalf. It is also possible to make a SAR via a third party:

  • This may be a solicitor making a request on behalf of a client, or it may be one private individual making the request on behalf of another. This is permissible, but you must be satisfied that the individual making the request has the authority to act on behalf of the data subject concerned.
  • In certain limited cases, an individual may not have the mental capacity to manage their own affairs. In these cases, the Mental Capacity Act 2005 enables a third party to make a SAR on behalf of that individual.
  • Adults, such as parents or guardians, may make SARs on behalf of children, although this is not automatically permitted. When dealing with a request relating to a child’s data, it is important to consider whether that child is mature enough to understand their rights and if a response directly to the child is appropriate. If so, a response directly to the child should be considered. It may, however, be permissible to allow the adult to exercise the child’s right on the child’s behalf if the child has given their authorisation, or if it is evident that doing so is in the child’s best interests.

All staff should immediately forward any data subject rights requests to the Data Protection Lead.

The Company will:

  • Log the request;
  • Verify the identity of the requester, if necessary, and assess any authority granted by third parties;
  • Clarify scope, if necessary;
  • Assess applicable exemptions;
  • Respond within one month (or notify of extensions where applicable);
  • Document decisions and outcomes.

Right of Access (Subject Access Requests)

The right of access allows individuals to understand how their data is being processed and to receive a copy of that data.

Upon receipt of a Subject Access Request (SAR) the Company will:

  • Enter the request onto the Data Subject Rights Log, which must be updated with the relevant information throughout the full process.
  • Confirm the scope of the request and seek clarification where required;
  • Identify systems, records and business areas that may hold personal data;
  • Retrieve personal data relating to the individual;
  • Review information to identify third party data, confidential business information or legally privileged information;
  • Redact necessary information, such as that of third parties;
  • Provide the data securely, in a commonly used electronic format, unless otherwise requested.

The Company is not required to provide information that does not constitute the individual’s personal data, or any data where an exemption applies.

Decisions to withhold or redact information must be documented.

What to do When a Subject Access Request is Received

The Company has a limited timeframe within which to respond to a SAR, so it is important to act quickly.

Unless you are authorised to handle a SAR, it must be forwarded to the Data Protection Lead or nominated individual immediately. No further action should be taken without authorisation.

SARs may come in any form. This will determine how to forward the SAR to the appropriate member of staff:

  • For SARs received in writing, including via social media, the message must be forwarded immediately to the Company’s Data Protection Lead or nominated person at: info@cheynewalkclub.co.uk. For SARs made verbally, the name and contact details of the data subject should first be recorded before informing the data subject that the Company’s Data Protection Lead or nominated person will contact them for full details of their SAR. The data subject’s details and any other information provided by the data subject should be emailed immediately to the Data Protection Lead including details of the time and date on which the SAR was made.
  • The Company’s Data Protection Lead or nominated person should respond, confirming receipt of the SAR, within two business days of receipt. If you do not receive a response within this period, you must contact them again to confirm receipt.
  • All SARs are to be recorded and updated, as relevant.

Responding to a Subject Access Request Part 1: Identifying Data Subjects and Clarifying Requests

Before responding to a SAR, all reasonable steps must be taken to verify the identity of the individual making the request and, particularly if the Company is processing a large amount of personal data relating to that individual, to clarify the scope of the request. Information requested for such purposes must be reasonable and proportionate. Individuals must not be asked to provide any more information than is reasonably necessary, nor can a request for clarification be used to narrow the scope of a SAR.

If additional information is required to confirm an individual’s identity, the individual must be informed as soon as possible. If additional information is required, the time limit for responding to a SAR does not begin until that information is received.

If additional information is required to clarify the scope, the individual must be informed as soon as possible. If such additional information is required, the time limit for responding to the SAR is paused until a response is received. The time limit is measured in whole days. If, therefore, a response is received on the same day, the time limit for response is unchanged.

If a SAR is made by a third party on behalf of a data subject the individual acting on behalf of the data subject must be required to provide sufficient evidence that they are authorised to act on the data subject’s behalf.

Examples of information that may be requested to confirm an individual’s identity include (note that formal identity documents should not be requested unless it is necessary to do so):

  • A copy of the individual’s passport;
  • A copy of the individual’s driving licence.

If, having requested additional information to verify an individual’s identity, it is still not possible to do so (if, for example, the individual does not comply), the Company may refuse to comply with a SAR.

If, having requested additional information to clarify a SAR, the individual does not comply (e.g. does not respond, or refuses to provide further information), the Company must still endeavour to comply with the SAR by making reasonable searches for the personal data relating to the request. It will also generally be possible to provide some or all the supplementary information required by the Data Protection Legislation.

The Company does not retain personal data for the sole purpose of being able to respond to a potential SAR.

Responding to a Subject Access Request Part 2: Fees

Under normal circumstances, the Data Protection Legislation prohibits the charging of a fee for handling a SAR. The Company does not normally charge for SARs.

In limited cases, it is permissible to charge a ‘reasonable fee’ in order to cover the administrative costs of complying with a SAR if that SAR is ‘manifestly unfounded’, ‘excessive’, or if a data subject requests further copies of their data following the SAR. In certain cases, it may also be permissible to refuse to comply with a SAR.

The following factors should be considered when calculating a reasonable fee:

Administrative costs involved in:

  • Assessing whether or not the Company is processing the data subject’s information;
  • Locating, retrieving, and extracting that information;
  • Providing a copy of the information; and
  • Sending the Company’s response to the data subject.

Specific costs to be considered include:

  • Photocopying, printing, postage, and any other costs incurred when sending the information to the data subject;
  • Equipment and supplies; and
  • Staff time.

Responding to a Subject Access Request Part 3: Time Limits

Under normal circumstances, the Company must respond to a SAR ‘without undue delay’ and, at the latest, within one month of receipt. The date of receipt of all SARs must be recorded, along with the due date for response.

Under the Data Protection Legislation, the one-month period begins on the calendar day – not business day – that the request is received and ends on the corresponding calendar day in the following month (or, if the following month is shorter and does not have a corresponding day (e.g. January 31st to February 28th), the last day of that month). Consequently, the time limit set by the Company for responding to SARs is 28 calendar days. If the last day of the time limit falls on a weekend or bank holiday, the time limit is extended to the next business day.

If additional information is required from the individual making the SAR to confirm an individual’s identity, the time limit begins on the day that such information is received.

If additional information is required from the individual making the SAR to clarify the scope of the SAR, the time limit is paused until the information is received (unless the response is received on the same day, in which case the time limit is not affected).

If the SAR is complex, or if the same data subject makes a number of SARs, it is permissible to extend the time limit by up to two months. If such an extension is necessary, the data subject must be informed, in writing, of the reason(s) for the extension within the original one-month time limit.

Responding to a Subject Access Request Part 4: Information to be Provided

Data subjects must be provided with the following information in response to a SAR:

  • the purposes for which the Company collects, holds, and processes their personal data;
  • the categories of personal data involved;
  • the recipients or categories of recipient to whom the Company discloses their personal data;
  • details of how long the Company retains their personal data or, if there is no fixed period, our criteria for determining how long it will be retained;
  • details of the data subject’s right to ask the Company to rectify or erase their personal data, or to restrict or object to our processing of it;
  • details of the data subject’s right to make a complaint to the ICO;
  • if any of the personal data in question was not obtained from the data subject, details of the source of that data;
  • if the Company carries out any automated decision-making (including profiling), details of that automated decision-making, including a meaningful explanation of the logic involved and the significance and envisaged consequences for the data subject; and
  • if the Company transfers their personal data to a third country or international organisation, details of the safeguards in place to protect that data.

In cases where a SAR relates to automated decision-making, the following shall apply:

Where a SAR relates to the logic underlying an automated decision that has been taken with respect to important matters relating to the data subject, the data subject must be provided with an explanation of the logic involved, subject to the following conditions:

  • the decision-making process in question must be solely automated (i.e. there must be no human involvement in the process); and
  • the information should be provided in such a way as to protect the Company’s intellectual property rights and trade secrets.

The data subject may also request information related to the automated decision itself. They may seek to exercise the right to human intervention (i.e. for the Company to appoint a person to review the automated decision), to express their own point of view about the decision, and/or to contest it. If a data subject making a SAR seeks to exercise their rights with respect to automated decisions, the Company shall handle the same in accordance with the Data Protection Legislation. The information must be provided:

  • in a concise, transparent, intelligible, and easily accessible form, using clear and plain language;
  • in writing;
  • if the data subject has made the SAR electronically, in a commonly used electronic format (unless the data subject requests otherwise); and
  • where possible, by using password protected or encrypted electronic transfer.

It is important to note that data subjects are only entitled to access personal data that the Company holds about them. If information located in the process of responding to a SAR does not meet the definition of “personal data”, the Data Protection Legislation does not entitle the data subject to access it. In certain cases, it may be necessary to separate personal data from non-personal data when responding to a SAR.

Responding to a Subject Access Request Part 5: Locating Information

The Data Protection Legislation requires the Company to make ‘reasonable efforts’ to find and retrieve personal data in response to a SAR. The right of access is not limited to that information which is easy to find. The search conducted must be recorded.

Each relevant department is required to:

  • Undertake a reasonable and proportionate search for the personal data
  • Clearly document the search parameters and strategy used in every case
  • Return the required information by the internal deadline provided

Review of the information

Once the relevant information has been located, the Data Protection Lead or nominated person will review the data and decide whether any exemptions apply, or whether there are legitimate reasons why the Company is unable to action the request.

With regards specifically to the right of access, the subject access right is to information (i.e. personal data) and not to documentation. Accordingly, it is possible to extract the applicant’s personal data from documentation, or to redact information which is not the applicant’s personal data, when preparing the response. Where appropriate, provide relevant contextual information to assist the applicant.

For complex requests the Data Protection Lead or nominated person and/or a member of the Management team will review the information prior to deciding. In the most sensitive cases, further escalation and review may be necessary.

The Data Subject Rights log is to be fully completed once the SAR has been fulfilled.

Refusing to Respond to a Subject Access Request

In certain cases, it is permissible for the Company to refuse to comply with a SAR:

  • if it is not possible to identify the individual making the SAR after requesting additional verification; or
  • if the request is ‘manifestly unfounded’ or ‘manifestly excessive’, taking into account a range of factors including (but not limited to) whether the request is repetitive in nature, the nature of the information requested, the context of the request, and the relationship between the Company and the individual making the request. In such cases, it is also possible to request a ‘reasonable fee’ to provide the SAR.

If either of the above grounds applies, the Company’s refusal to comply with the SAR must be justified and an explanation must be provided to the individual making the SAR within one calendar month after receiving the SAR. The individual must also be informed of their right to complain to the ICO and of the possibility of seeking a judicial remedy.

Certain exemptions to the right of access are also included in the Data Protection Legislation.

Exemptions to the Right of Access

The Data Protection Legislation provides a number of exemptions which apply to SARs and therefore justify the Company refusing to comply with a SAR. Those most likely to be applicable within the Company are situations in which the personal data in question is:

  • subject to legal or litigation privilege; or
  • purely personal or exists for a household activity; or
  • a reference given (or to be given) in confidence for purposes of employment, training, or education; or
  • is processed for management forecasting or management planning purposes in relation to a business or other activity (but only to the extent that complying with the SAR would prejudice the conduct of the business or activity); or
  • consists of records of intentions with respect to negotiations between employer and employee (but only to the extent that complying with the SAR would prejudice such negotiations); or
  • contains personal data concerning a third party; or
  • is of a type likely to prejudice the prevention or detection of a crime, or the apprehension or prosecution of offenders, if it is disclosed.

Additional exemptions relate to more specific (and generally public) matters such as national security. If any concerns or questions arise with respect to exemptions which may or may not apply during the process of handling a SAR (including, but not limited to, those set out above), those questions should be referred to the Company’s Data Protection Lead and/or to the ICO.

Erasure or Disposal of Personal Data

If any personal data relevant to a SAR is amended, deleted, or otherwise disposed of between the time at which a SAR is received and the time at which a response is made, the Company is able to take this into account in our response provided that amendment, deletion, or disposal would have been made irrespective of our receipt of the SAR in question.

The Right of Access does not, therefore, prevent the Company from managing personal data in accordance with normal procedures, in particular those set out in our Data Protection Policy and Data Retention Policy. It is not, however, permissible to amend, delete, or otherwise dispose of data as an alternative to complying with a SAR.

Right to Rectification (Article 16)

Individuals have the right to request correction of inaccurate or incomplete personal data.

Procedure

  • Assess whether the data is inaccurate or incomplete
  • Verify the accuracy of the correction requested
  • Update systems promptly where correction is justified
  • Where accuracy is disputed, consider restricting processing instead
  • Notify third parties where the inaccurate data has been shared, where feasible

Right to Erasure (“Right to be Forgotten”) (Article 17)

Individuals may request deletion of their personal data where:

  • Data is no longer necessary
  • Consent is withdrawn and no other lawful basis applies
  • Processing is unlawful
  • An objection is upheld
  • Erasure is required to comply with a legal obligation

Exemptions

The right does not apply where processing is necessary for:

  • Legal obligations
  • Establishment, exercise or defence of legal claims
  • Public interest tasks
  • Freedom of expression

Procedure

  • Identify all systems containing the data
  • Assess whether an exemption applies
  • Delete data securely where erasure is justified
  • Apply suppression or restriction where full deletion is not possible
  • Notify third parties where appropriate

Right to Restriction of Processing (Article 18)

Individuals may request restriction where:

  • Accuracy is contested
  • Processing is unlawful but erasure is opposed
  • Data is no longer needed but required for legal claims
  • An objection is under consideration

Procedure

  • Apply technical or organisational restrictions
  • Ensure restricted data is not processed except for permitted purposes
  • Clearly mark restricted data in systems
  • Notify the individual before lifting restriction

Right to Data Portability (Article 20)

Individuals may request their personal data in a structured, commonly used, machine-readable format where:

  • Processing is based on consent or contract
  • Processing is carried out by automated means

Procedure

  • Confirm eligibility of the request
  • Extract relevant data only
  • Provide data securely
  • Transfer data directly to another controller where technically feasible

Right to Object (Article 21)

Individuals may object to processing where:

  • Processing is based on legitimate interests
  • Processing is carried out for direct marketing purposes

Procedure

  • Marketing objections must be honoured immediately
  • For other objections, conduct a balancing test
  • Cease processing unless compelling legitimate grounds apply
  • Inform the individual of the outcome and rationale

Rights Related to Automated Decision-Making (Article 22)

Individuals have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

Procedure

  • Identify whether automated decision-making applies
  • Provide meaningful information about the logic involved
  • Enable human intervention where required
  • Allow individuals to challenge decisions

Complaints/Escalation

If an individual or their representative is not satisfied with the outcome of their request, for example, if they feel information has been withheld or recorded incorrectly, or that they have not been allowed sufficient time to view the information, they should be informed of the options available to them to take further action.

If the individual is not satisfied with the outcome, they will be offered the option to escalate the matter to the Chairman for review.

An individual can escalate the matter to the ICO using the following contact details:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113
Online: https://ico.org.uk/make-a-complaint/
Website: https://ico.org.uk/

An individual may wish to seek independent legal advice to progress resolution of their concerns. In all cases, wherever possible, local resolution should be sought. However, the individual has the right to pursue any of these channels at any time and may wish to pursue several actions simultaneously.

Internal Reviews and the Information Commissioner’s Office (ICO)

We will, where appropriate, voluntarily review responses that applicants are not happy with, to resolve any complaint or dispute in a proportionate manner. This is called an Internal Review.

Complaints about responses should be referred to the Data Protection Lead and Management.

Failure to Comply with this Policy

All employees will receive training on data subject rights and the procedures for conducting data searches. 

Compliance with the Data Protection Legislation is of vital importance to the Company. If we fail to comply within the required time limit or fail to provide a data subject with access to the personal data that we hold about them, we will be in breach of our obligations under the Data Protection Legislation.

Failing to comply with the Data Protection Legislation may put the data subject at risk. It may also result in the following consequences for the Company:

  • the data subject reporting the Company to the ICO, resulting in an investigation by the ICO;
  • enforcement action taken against the Company which may result in civil and/or criminal sanctions for the Company and, in certain cases, the individual responsible for the breach;
  • if the data subject has suffered damage and/or distress as a result of the Company’s breach, the data subject may seek further legal remedies such as damages against the Company; and
  • a court may order the Company to comply with the request in any event if the Company is found to have failed in its compliance with the Data Protection Legislation.

Failure by any member of staff to comply with this Policy may result in disciplinary action which may include dismissal for gross misconduct.

Policy Review

This Policy will be reviewed annually or sooner in the case of any breaches or regulatory/legislative changes.