[ICAP PEOPLE SOLUTIONS SA]
SUBJECT ACCESS REQUEST PROCEDURES
- INTRODUCTION
This document supplements the provisions of the Subject Access Requirements (SARs) to their data set out in ICAP People Solutions’ (hereinafter “Company” or “ICAP”) Data Protection Policy & Procedure and outlines the general and specific guidelines for activating the procedure when a request is made to ICAP.
At ICAP we collect and process personal information / data (e.g. contact details, demographic data, financial and business data, etc.) for the efficient and lawful execution of our daily business operations. Accordingly, we have a responsibility to comply with the provisions of the new General Data Protection Regulation (GDPR) for the protection of such information, its collection, use, processing, transfer, storage and destruction, as well as to fulfil the rights of the subjects where permitted.
The General Data Protection Regulation
The General Data Protection Regulation (GDPR) gives individuals (data subjects) the right to know what personal information and data we process about them, to access that information and to exercise further rights, including the right to correct inaccurate data, transfer to another organisation, erasure, and to object to further processing.
ICAP, as a data controller, fully complies with the principles and requirements of the new GDPR by ensuring that the personal data of individuals (customers, candidates, staff, partners):
- processed in a fair, objective and transparent manner in relation to the data subject (“lawfulness, objectivity and transparency”)
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (“purpose limitation”)
- are appropriate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimisation”)
- are accurate and, where necessary, updated, taking all reasonable steps to delete or correct them in relation to the purposes of the processing (“accuracy”)
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage period limitation”)
- processed in a way that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or alteration, using appropriate technical and organisational security measures (“integrity and confidentiality”).
As part of the principle of corporate responsibility and accountability, the Company has adequate and effective measures, controls and procedures in place to protect and safeguard your personal information and to ensure that it is collected, processed and disclosed only in accordance with relevant data protection laws and regulations.
- PERSONAL DATA
Information protected under the GDPR is known as “personal data” and is defined as:
“Any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one whose identity can be verified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.”
More information on what constitutes personal data and your rights under the Regulation and data protection laws can be found on the website of the Hellenic Data Protection Authority (www.dpa.gr).
- THE RIGHT OF ACCESS
In accordance with Article 15 of the GDPR, any natural person has the right to request ICAP (controller) to confirm whether or not personal data concerning him or her are being processed. At ICAP we are committed to supporting the rights of the individuals we work with and have specific procedures in place to provide access to information about them. When requested, we will provide the following information:
- The different purposes of the processing of personal data
- The categories of personal data we process
- The recipients or categories of recipients to whom the personal data have been or will be disclosed
- Cross-border transfer, if the data have been transferred to a third country or international organisation (and, where applicable, the appropriate safeguards in place)
- The intended period for which the personal data will be kept (or the criteria used to determine this)
- The existence of automated decision-making, including profiling and important information about its rationale, as well as the relevance and potential consequences of such processing for you, when and if applicable
- Any available information as to the origin of the personal data, where it was not collected directly from the data subject.
3.1 How can you submit a Subject Access Request (SAR)?
The completion of the Subject-Access-Request (SAR) is the basic, first step in expressing the natural person’s desire for information and access to the data concerning him/her. You can submit this request in writing using the information provided in section [8] or you can submit the access request electronically. Where a request is received by electronic means, we will provide the requested information in the electronic format you have requested (unless you have requested otherwise).
3.2 Actions to Receive an Access Request and Verify Identity.
Each Subject Access Request (SAR) that we receive is recorded / logged in a special file and forwarded to the [relevant Data Protection Officer]. The relevant Data Protection Officer will use all reasonable measures to verify the identity of the individual requesting access, especially when the request is made via electronic services.
We will use the request information to ensure that we can verify your identity and where we are unable to do so, we may contact you for more information or to ask you for further evidence before we carry out any access request relating to your personal data. This is to protect both your personal data and your rights.
If a third party, relative or proxy requests the information on your behalf, we will verify their authorisation and again, we may contact you to confirm their identity in order to obtain your authorisation before we carry out any request.
Collection of information
If as part of your relationship with ICAP you have made different categories of personal information available through different means, we will aggregate all available information we hold and ensure that the information in the access request is provided in a commonly accepted format (paper, electronic, combination). If we do not have sufficient information to locate your records, we may contact you for further details. This will be done as soon as possible and within the timeframe set out below.
4. MANAGEMENT RESPONSE TIMES
The Subject’s Access Request to IFRS shall be completed within 30 days and shall be provided free of charge. When the request is submitted electronically, we provide the information in a commonly used electronic format, unless a different format is requested.
Although we provide the requested information at no charge, any additional copies and/or duplication of the same request by the Subject may incur a reasonable administrative cost.
The Company always aims to provide the requested information as soon as possible, but no later than 30 days from the date of receipt of the request. However, where the retrieval or provision of information is particularly complex or subject to a valid delay, the deadline may be extended by an additional month. In this case, we will inform you by letter within 30 days and keep you informed of the reasons for this delay.
5. OTHER RIGHTS
In accordance with the GDPR, you have the right to request the correction of any inaccuracies in the data we hold about you. If we are notified of inaccurate data and find that the data is incorrect, we will correct it immediately in accordance with your instructions and note (or record) the change and the reasons for it in our records.
We will correct any inaccurate or incomplete data within 30 days and will notify you in writing of the correction and, where applicable, provide the corrected data to any third party who has also been provided with the relevant data.
If for any reason we are unable to comply with a request to correct and/or complete data, we will provide you with a full written explanation within 30 days of the reasons for denying the request, and inform you of your right to lodge a complaint with the relevant supervisory authority (www.dpa.gr).
In certain circumstances, you may also have the right to request the Company to delete personal data, transfer it to another company or restrict the processing of it when it relates to your personal data, as well as the right to object to such processing. You may use the contact details in section [7] to complete similar requests relating to the exercise of your rights and the processing they receive.
7. DOCUMENTATION AND DISPATCH OF THE REQUEST/COMPLAINT
To submit a request for access to your IPRs, you may contact us at [ps-privacy@icap.gr or peoplesolutions@icap.gr] or visit the Access Request page on our website [SAR Form]. You may also submit your request in writing using the form in section [8] and send it to the mailing address:
Customer Service Department:
ICAP People Solutions A.E. 2 Eleftheriou Venizelou 2, 17676 Kallithea, Attica, +302107200000, peoplesolutions@icap.gr
ICC Protection Officer (DPO):
ICAP People Solutions S.A. 2 Eleftheriou Venizelou 2, 17676 Kallithea, Attica, +302107200419, ps-privacy@icap.gr
If you are not satisfied with our actions or wish to make an internal complaint, you can contact the relevant DPO at: 1-3 Kifissia Avenue, P.O. Box 11523, Tel: 30-210 6475600 Fax: +30-210 6475628, Email: contact@dpa.gr