Printed from CheckTick DSPT Compliance Documentation
Procedure: Handling Individual Rights Requests
Version: 1.0
Owner: DPO ([DPO Name])
1. Scope
This procedure applies to all requests made under UK GDPR Articles 15-22, including Subject Access Requests (SARs), Right to Erasure, and the Right to Object.
2. Receipt of Request
- Requests may arrive via [email protected] or [email protected].
- Any staff member receiving a request must forward it to the DPO within 24 hours.
3. Verification & Triage
- Identify the Subject: Verify the requester's identity (e.g., via registered email or transaction ID).
- Identify the Role:
  - If the request concerns Account Data, CheckTick (Controller) handles it.
  - If it concerns Survey Data, we notify the Customer (Controller) and assist them in fulfilling the request.
4. Handling an Objection (Article 21)
If an individual objects to processing:
- Step 1: Stop any non-essential processing of that specific data record immediately.
- Step 2: Assess if there are "compelling legitimate grounds" that override the objection (rare in healthcare surveys).
- Step 3: If the objection is valid, delete or anonymize the data as requested.
- Step 4: Confirm completion to the individual within 30 days.
5. Logging
All requests are logged in our Data Rights Request Tracker (Internal), including the date of receipt, the action taken, and the date of completion.