This policy sets out our practice and procedures for handling Subject Access Requests (SARs) under the General Data Protection Regulation (GDPR) (EU) 2016/679.
A SAR is a formal request from an individual that obliges us to assess all the personal data we hold and to collate whatever is relevant to the requester. Under the GDPR, individuals have the right to access their personal data as well as any other relevant information held by our company (i.e. how their personal data are processed).
A SAR is a written request for personal data held about an individual. Generally, individuals have the right to see what personal information concerning them is held and processed and they are entitled to be given a description of the information, what it is/was used for and who it may have been shared with. However, this right is subject to certain exemptions that are set out in the GDPR.
Please click here to download a copy of the Subject Access Request Application Form.
The first step is to acknowledge the request in writing within seven (7) days. At the time of acknowledgement, individuals will be advised to submit an official SAR Application Form, if they haven’t done so already.
Next, we will have to verify the identity of the requester. Individuals will be required to provide proof of identity (identity card, driver’s license or passport) before any information is disclosed. This is to prevent unauthorized disclosures to third parties. Where a request is made by a representative on behalf of an individual, in addition to the proof referred to above, a certified proof of authority to act on the individual’s behalf will also be required. Any written authorization will also be verified by calling the person who has given the authorization.
Once the request has been received and the requester’s identity validated, the process of gathering any data held will begin. Once we have enough information from a requester to identify any relevant records, we will collate all the details we hold. If we feel we need more information from the requester, we will contact them promptly to ask for it. Every department will have a nominated Data Protection contact person who will assist during the fulfilment of subject access requests.
Once we have completed the data gathering, a permanent copy of the relevant data will be forwarded to the requester, usually via the same method by which they submitted their original request. Where a significant amount of data is requested, we may suggest that the data subject visits our premises and views the original documents in order to avoid disproportionate effort.
According to the text of the GDPR, personal data is defined as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
In other words, personal data means data which relate to a living individual who can be identified from those data alone or combined with other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Sensitive personal data means personal data consisting of information about the data subject related to:
Any information which falls under any of the above headings will be deemed relevant when handling a SAR.
No fee is charged to reply to a SAR, unless the request is deemed manifestly unfounded or excessive, particularly if it is repetitive and occupies a large part of the company’s resources [Article 12 of the GDPR (EU) 2016/679]. In such cases, the fee will be based on the administrative cost of providing the information and will always comply with the relevant law.
Our company is obliged to follow GDPR guidelines, according to which we should reply to the requester as soon as the requested information is gathered and, at the latest, within one calendar month from the request.
Where the request is complex or involves a significant amount of data, the response deadline may be extended to three months from the initial request, provided that the necessary justification has been communicated to the requester.
If you are not satisfied with any aspect of how we collect and use your data, we will take the necessary action to resolve this. Please contact us by:
However, if you need to file a complaint regarding the way we handled your request and you are not satisfied with our response, you may contact the Hellenic Data Protection Authority as described at the link below:
http://www.dpa.gr/portal/page?_pageid=33,211532&_dad=portal&_schema=PORTAL