Data Subject Access Request (DSAR) Procedure
1. Purpose
This procedure (Ref: COMP-DP-002) defines the Bank's process for handling Data Subject Access Requests (DSARs) in compliance with Article 15 of the GDPR and applicable national data protection legislation. It ensures that data subjects can effectively exercise their right of access and that the Bank responds within the statutory timeframe.
2. Scope
This procedure applies to all DSARs received by the Bank, regardless of the channel through which the request is submitted. It covers requests from customers, former customers, employees, former employees, and any other individual whose personal data the Bank processes.
3. How a DSAR May Be Received
A DSAR may be submitted through any channel, including:
- The Bank's online DSAR portal (preferred method).
- Email to dpo@bank.com.
- Written letter addressed to the Data Protection Office.
- Verbal request to any Bank employee (which must be documented and forwarded to the Data Protection Office immediately).
A DSAR does not need to reference the GDPR or use specific legal terminology to be valid. Any request from an individual to access their personal data must be treated as a DSAR.
4. Procedure
Step 1 — Receipt and Logging
All DSARs must be logged in the DSAR tracking system within one (1) business day of receipt. The Data Protection Office assigns a unique reference number and acknowledges receipt to the data subject within three (3) business days.
Step 2 — Identity Verification
Before disclosing any personal data, the identity of the requestor must be verified. Acceptable verification methods include:
- Comparison against existing records (e.g., email address, account number, registered address).
- Request for a copy of a government-issued photo ID (with appropriate redaction of non-relevant data).
- Security questions based on account information.
If identity cannot be verified, the Data Protection Office may request additional information. The statutory response clock pauses until sufficient verification is received.
Step 3 — Scope Assessment
The Data Protection Office assesses the scope of the request and identifies all systems and repositories where the data subject's personal data may be held. This includes core banking systems, CRM, email, HR systems (for employee DSARs), archived records, and third-party processors.
Step 4 — Data Collection
Relevant business units and IT teams are notified via the DSAR tracking system and must provide the requested data within fifteen (15) calendar days of notification. The Data Protection Office coordinates the collection and consolidation of data.
Step 5 — Review and Redaction
Before disclosure, all collected data must be reviewed to:
- Ensure it relates to the requesting data subject only.
- Redact personal data of third parties (unless the third party has consented or disclosure is reasonable in the circumstances).
- Apply any applicable exemptions (see Section 5).
Step 6 — Response
The response must be provided to the data subject within one (1) calendar month of the date of receipt (or, where identity verification caused a pause, from the date verification was completed). The response must include:
- Confirmation of whether personal data is being processed.
- A copy of the personal data in an intelligible, commonly used format.
- Information on the purposes of processing, categories of data, recipients, retention periods, and the data subject's rights.
In cases of complex or voluminous requests, the response period may be extended by a further two (2) months, provided the data subject is informed of the extension and the reasons within the initial one-month period.
5. Exemptions
The Bank may withhold certain data where an exemption applies, including:
| Exemption | Basis |
|---|---|
| Legal professional privilege | Data subject to legal privilege may be withheld |
| Crime prevention and detection | Disclosure may be restricted where it would prejudice the prevention or detection of crime (e.g., an ongoing Suspicious Activity Report (SAR) investigation) |
| Regulatory functions | Data related to regulatory investigations may be exempt |
| Third-party data | Data identifying a third party may be redacted unless consent is obtained or disclosure is reasonable |
All exemptions must be documented and approved by the DPO.
6. Fees
DSARs are handled free of charge. The Bank may charge a reasonable administrative fee only where requests are manifestly unfounded or excessive, subject to DPO approval.
7. Record Keeping
All DSAR records, including the request, verification records, data collected, review notes, and the final response, must be retained for three (3) years from the date of the response.
8. Review
This procedure is reviewed annually. Next review: Q2 2027.