Subject Access Rights Policy



This policy​​ and procedure​​ establishes an effective, accountable and transparent framework for ensuring​​ compliance with the​​ requirements for​​ the​​ Data Protection Legislation.


This policy and procedure applies across all entities or subsidiaries owned, controlled, or operated by​​ MSKnote​​ and to all employees, including part-time, temporary, or contract employees.


The Data Protection Legislation details rights of access to both manual data (which is recorded in a relevant filing system) and electronic data for the data subject. This is known as a Data Subject Access Request (DSAR).

Under the Data Protection Legislation, organisations are required to respond to subject access requests within​​ one month. Failure to do so is a breach of the Data Protection Legislation and could lead to a complaint being made to the Data Protection Regulator.​​ 

This policy informs staff of the process for supplying individuals with the right of access to personal data and the right of access to staff information under the Data Protection Legislation. Specifically:


How should​​ DSARs be​​ processed after receiving?

When a subject access request is received from a data subject it should immediately be reported to the Data Protection Officer who will log and track each request. If you are asked to provide information, you will need to consider the following before deciding how to respond:

Under Data Protection Legislation Articles 7(3), 12, 13, 15-22 data subjects have the following rights:



No fee can be charged for providing information in response to a data subject access request, unless the request is ‘manifestly unfounded or excessive’, in particular because it is repetitive.

If​​ MSKnote​​ receives a request that is manifestly unfounded or excessive, it will charge a reasonable fee taking into account the administrative costs of responding to the request. Alternatively,​​ MSKnote will be able to refuse to act on the request.

Subject access requests made by a representative or third party

Anyone with full mental capacity can authorise a representative/third party to help them make a data subject access request. Before disclosing any information, ​​ MSKnote ​​ ​​ must be satisfied that the third party has the authority to make the request on behalf of the requestor and that the appropriate authorisation to act on their behalf is included (see​​ Data Request Form).


If an individual is dissatisfied with the way​​​​​​ MSKnote Ltd have dealt with their subject access request, they should be advised to invoke the​​  ​​​​ MSKnote Ltd complaints process. If they are still dissatisfied, they can complain to the Data Protection Regulator.



Compliance,​​ monitoring and​​ review

The overall responsibility for ensuring compliance with the requirements of the related legislation in relation to performing​​ subject access rights​​ at​​ MSKnoterests with the Data Protection Officer.

All operating units’ staff that deal with personal data are responsible for processing this data in full compliance with the relevant MSKnote ​​policies and procedures.

Records​​ management



General Data Protection Regulation (GDPR):​​ the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and​​ the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

Data Controller:​​ the entity that determines the purposes, conditions and means of the processing of personal data

Data Processor:​​ the entity that processes data on behalf of the Data Controller

Data Protection Authority:​​ national authorities tasked with the protection of data and privacy as well as monitoring and enforcement of the data protection regulations within the Union

Data Protection Officer (DPO):​​ an expert on data privacy who works independently to ensure that an entity is adhering to the policies and procedures set forth in the GDPR

Data Subject:​​ a natural person whose personal data is processed by a controller or processor

DSAR:​​ data subject access request

Personal Data:​​ any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person

Privacy Impact Assessment:​​ a tool used to identify and reduce the privacy risks of entities by analysing the personal data that are processed and the policies in place to protect the data

Processing:​​ any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.

Profiling:​​ any automated processing of personal data intended to evaluate, analyse, or predict data subject​​ behaviour

Regulation:​​ a binding legislative act that must be applied in its entirety across the Union

Subject Access Right:​​ also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them






​​​​MSKnote ​​ employees​​ may provide feedback​​ and suggestions​​ about this document by​​ emailing tim.simms@msknote.com



Approval and Review


Approval Authority

Board of Directors

Data Protection Officer

Tim Simms

Next Review Date





Data Request Form

MSKnote Subject Access Rights Policy and Procedure