1. Purpose

Hickory (“we”/“us”) has this procedure in place to provide a standardised response to any data subject access requests (“DSARs”) that we receive, and to ensure that DSARs are appropriately managed and responded to in accordance with the law and best practice.

Data subjects have the right to request access to their personal data processed by us and are entitled to obtain:

  • Confirmation that their data is being processed;
  • Access to their personal data;
  • Any related information.

2. Scope

This procedure only applies to data subjects whose personal data we process.

For the purposes of this procedure, “personal data” means any information relating to an identified or identifiable data subject. An identifiable data subject is anyone who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number or online identifier. “Processing” means any operation or set of operations that is performed on personal data, such as collection, use, storage, dissemination and destruction.

3. Procedure

  • If you receive a DSAR directly from a data subject, please forward the details on to Stephanie Stubbs.
  • When a data subject makes a DSAR we shall take the following steps:
    • log the date on which the request was received to ensure that the relevant timeframe of one month (unless the DSAR is found to be excessive) for responding to the request is met;
    • confirm the identity of the data subject who is the subject of the personal data. For example, we may request additional information from the data subject to confirm their identity;
    • search databases, systems, applications and other places where the personal data which are the subject of the request may be held; and
    • confirm to the data subject whether or not personal data of the data subject making the DSAR are being
  • If personal data of the data subject are being processed, we shall provide the data subject with the following information in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in writing or by other (including electronic) means:
    • the purposes of the processing;
    • the categories of personal data concerned (for example, contact details, bank account information and details of sales activity);
    • the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients overseas (for example, US-based service providers);
    • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
    • the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data or to object to such processing;
    • the right to lodge a complaint with the Information Commissioner’s Office (ICO);
    • where the personal data are not collected from the data subject, any available information as to their source;
    • the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject; and
    • where personal data are transferred outside the EU, details of the appropriate safeguards to protect the personal
  • We shall also, unless there is an exemption (see below), provide the data subject with a copy of the personal data processed by us in a commonly used electronic form (unless the data subject either did not make the request by electronic means or has specifically requested not to be provided with the copy in electronic form) within one month of receipt of the request. If the request is complex, or there are a number of requests, we may extend the period for responding by a further two months. If we extend the period for responding we shall inform the data subject within one month of receipt of the request and explain the reason(s) for the delay.
  • Before providing the personal data to the data subject making the DSAR, we shall review the personal data requested to see if they contain the personal data of other data subjects. If they do, we may redact the personal data of those other data subjects prior to providing the data subject with their personal data, unless those other data subjects have consented to the disclosure of their personal
  • If the DSAR is manifestly unfounded or excessive, for example, because of its repetitive character, we may charge a reasonable fee, taking into account the administrative costs of providing the personal data, or refuse to act on the
  • If we are not going to respond to the DSAR we shall inform the data subject of the reason(s) for not taking action and of the possibility of lodging a complaint with the

4. Exemptions

Before responding to any request we shall check whether there are any exemptions that apply to the personal data that are the subject of the request. Exemptions may apply where it is necessary and proportionate not to comply with a DSAR to safeguard:

  • national security;
  • defence;
  • public security;
  • the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
  • other important objectives of general national public interest, in particular an important national economic or financial interest, including monetary, budgetary and taxation matters, public health and social security;
  • the protection of judicial independence and judicial proceedings;
  • the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
  • a monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in Paragraph 9.1(a) and Paragraph 9.1(g) above;
  • the protection of the data subject or the rights and freedoms of others; or
  • the enforcement of civil law