1. Scope 


This procedure covers all personal data that is processed by Glemnet Ltd with the exception of personal data that is routinely requested by data subjects.  

It is the right of all data subjects to ask Glemnet Ltd the following:  

  1. What personal data Glemnet Ltd is being processed about that person, if any;  

  1. To be provided with a description of the personal data processed Glemnet Ltd about that person;  

  1. The purpose or purposes for which the personal data is being processed;  

  1. Confirmation of who will have access to the personal data; and 

  1. To be provided with a copy of the personal data, as well as a confirmation of where Glemnet Ltd acquired that personal data. 


2. Responsibilities 

The Data Protection Officer (“DPO”) shall be responsible for the application and functionality of this procedure and shall handle all Subject Access Requests (“SARs”). The DPO shall report to the Head of IT on all matters relating to SARs.  


3. Procedure  

All SARs are made using form Subject Access Request Form DP007. 

The data subject is required to provide evidence of his or her identity by way of a current passport or driving license and his or her signature must be cross-referenced with the signature provided on the Subject Access Request form.  

The following information must be provided by the data subject on the Subject Access Request Form: the personal data that is being requested, whether specific data or all data held by Glemnet Ltd and where it is being held.  

Glemnet Ltd is required to record the date on which the Subject Access Request Form, with the accompanying identification evidence, is submitted.  

Glemnet Ltd has one month from this date to provide to the data subject the personal data requested. Should Glemnet Ltd fail to provide the requested information within the one month window, this shall be in direct breach of the GDPR. No extension shall be allowed under any circumstances.  

It is vital that the Subject Access Form is sent to the DPO straight away, to ensure that the requested data is collected within the one month window.


The DPO will carry out data collection by one of the following steps:  

  1. Collecting the personal data requested; or  

  1. Carrying out a search of all electronic and hard-copy databases including manual files, backup and archived files as well as email folders and archives.  


The DPO shall at all times have access to a data map which sets out the location of all of Glemnet Ltd’s stored data.  

At no time may personal data ever be altered or destroyed in order to avoid disclosure. 



The DPO is responsible for the following:  

  1. Keeping a record of all SARs made, including the date on which the SAR was received;  

  1. Reviewing all the documents provided to a data subject pursuant to a SAR to check for the mention of any third parties and if a third party is mentioned, to prevent the disclosure of the identity of the third party to the data subject, or to seek written consent from the third party as to the disclosure of their identity. 


Personal data exemption categories 

The following data exemption categories apply, meaning that Glemnet Ltd does not have to provide personal data covered below:  

  • The prevention and detection of crime;  

  • Negotiations with the data subject request maker;  

  • Management forecasts;  

  • Confidential references provided by Glemnet Ltd however not references provided to Glemnet Ltd 

  • Data covered by legal professional privilege;  

  • Data used for research, statistical or historical reasons. 


Personal data provided by Glemnet Ltd to a data subject pursuant to a SAR shall be in electronic format, unless the SAR expressly requests otherwise and all items shall be scheduled, displaying the data subject’s name and the date on which the data item was delivered.  


4. Document owner 

The Data Controller is the owner of this policy document and must ensure that it is periodically reviewed according to the review requirements contained herein. 

The latest version of this policy document dated 20th January 2023 is available to view on the Glemnet Ltd website.  


This policy document was approved by Glemnet Ltd’s Board of Directors and is issued by the Managing Director on a version controlled basis. 



Name of Managing Director: Neil Linter  

Date: 5th March 2019 reviewed 20th January 2023 

Version 1 

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set analytics cookies that help us make improvements by measuring how you use the site. These will be set only if you accept.

For more detailed information about the cookies we use, see our Cookies page. Cookie Control Link Icon

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.