Orange Aero / News
Subject Access Request Policy
Date of Last Review – May 2025
Review Frequency – 1 year
Review Date – May 2026
​
Purpose
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, individuals have the right to access their personal data that Orange Aero Ltd processes about them. This policy outlines how we handle Subject Access Requests (SARs) to ensure legal compliance and transparency.
What is a Subject Access Request (SAR)?
A SAR allows an individual to obtain:
-
Confirmation that their personal data is being processed
-
Access to a copy of the data
-
The purposes for processing
-
The categories of personal data concerned
-
The recipients or categories of recipients the data has been or will be disclosed to
-
The retention period or criteria used to determine how long data is stored
-
The source of the data (if not collected from the individual directly)
-
Whether automated decision-making or profiling is used, including its logic, significance, and consequences
How to Make a Request
SARs can be made:
-
Verbally (in person or by phone)
-
In writing (by letter or email)
To ensure accurate processing, individuals are encouraged to submit their request to the Managing Director’s PA:
Contact Details:
Hannah Parson
Orange Aero Ltd
Unit 0, Howland Road Business Park
Howland Road
Thame
OX9 3GQ
Email: hparson@orange.aero
Information Required to Process the Request
To assist us in processing SARs efficiently, please include:
-
Full name of the requester
-
Relationship to Orange Aero Ltd (e.g. employee, customer, contractor)
-
Contact details (email and telephone)
-
Correspondence address
-
Description of the information sought (e.g. payroll records, CCTV footage, emails)
​
Identity Verification
Before disclosing personal data, we may ask for two forms of identification, such as:
-
Passport or driving licence
-
Utility bill or official letter showing current address
This is to protect against unauthorised disclosures.
Our Responsibilities
Upon receiving a SAR:
-
Acknowledgement will be sent within 3 working days
-
Response will be provided within 1 calendar month of receipt
-
If the request is complex or multiple, the timeframe may be extended by up to 2 months, and the requester will be informed within the initial month
-
Information will be provided free of charge, unless the request is manifestly unfounded or excessive
Grounds for Refusal or Charges
We may:
-
Refuse a request if it is manifestly unfounded or excessive (e.g. repetitive or malicious in nature)
-
Charge a reasonable fee based on administrative costs for:
-
Repeated requests for the same data
-
Requests for additional copies
-
If a request is refused, we will explain the reason in writing and inform the individual of their right to complain to the Information Commissioner’s Office (ICO).
Limitations to Disclosure
We may withhold some data where:
-
Disclosure could cause serious harm to the physical or mental health of the individual or another person
-
The rights and freedoms of others would be adversely affected
-
The data contains legally privileged information or confidential references provided by a third party
Data Portability
Where applicable, Orange Aero Ltd will provide personal data in a structured, commonly used and machine-readable format, allowing the individual to transfer it to another data controller.
Additional Data Subject Rights
In addition to SARs, individuals have the right to:
-
Withdraw consent to data processing
-
Request rectification or erasure of personal data
-
Request restriction of processing
-
Object to processing (in certain circumstances)
-
Prevent processing for direct marketing purposes
-
Challenge processing based on legitimate interests or public interest
-
Request data portability (as above)
-
Object to automated decision-making and profiling
-
Be informed of a personal data breach (in certain circumstances)
-
Lodge a complaint with the ICO at www.ico.org.uk
Requests should be submitted to any staff member, who must forward them without delay to the Managing Director’s PA.
Responsibilities and Training
All staff must be familiar with this policy and trained to:
-
Recognise SARs
-
Forward requests promptly to the Managing Director’s PA
-
Assist with data collection where necessary
-
Failure to comply may result in disciplinary action.
Monitoring and Review
This policy will be reviewed annually, or earlier if there are significant regulatory changes.