top of page

Orange Aero / News

Subject Access Request Policy

Date of Last Review – May 2025

Review Frequency – 1 year

Review Date – May 2026

​

Purpose

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, individuals have the right to access their personal data that Orange Aero Ltd processes about them. This policy outlines how we handle Subject Access Requests (SARs) to ensure legal compliance and transparency.

 

What is a Subject Access Request (SAR)?

A SAR allows an individual to obtain:

  • Confirmation that their personal data is being processed

  • Access to a copy of the data

  • The purposes for processing

  • The categories of personal data concerned

  • The recipients or categories of recipients the data has been or will be disclosed to

  • The retention period or criteria used to determine how long data is stored

  • The source of the data (if not collected from the individual directly)

  • Whether automated decision-making or profiling is used, including its logic, significance, and consequences

 

How to Make a Request

SARs can be made:

  • Verbally (in person or by phone)

  • In writing (by letter or email)

 

To ensure accurate processing, individuals are encouraged to submit their request to the Managing Director’s PA:

 

Contact Details:

Hannah Parson

Orange Aero Ltd

Unit 0, Howland Road Business Park

Howland Road

Thame

OX9 3GQ

Email: hparson@orange.aero

 

Information Required to Process the Request

To assist us in processing SARs efficiently, please include:

  • Full name of the requester

  • Relationship to Orange Aero Ltd (e.g. employee, customer, contractor)

  • Contact details (email and telephone)

  • Correspondence address

  • Description of the information sought (e.g. payroll records, CCTV footage, emails)

​

Identity Verification

Before disclosing personal data, we may ask for two forms of identification, such as:

  • Passport or driving licence

  • Utility bill or official letter showing current address

This is to protect against unauthorised disclosures.

 

Our Responsibilities

Upon receiving a SAR:

  • Acknowledgement will be sent within 3 working days

  • Response will be provided within 1 calendar month of receipt

  • If the request is complex or multiple, the timeframe may be extended by up to 2 months, and the requester will be informed within the initial month

  • Information will be provided free of charge, unless the request is manifestly unfounded or excessive

 

Grounds for Refusal or Charges

We may:

  • Refuse a request if it is manifestly unfounded or excessive (e.g. repetitive or malicious in nature)

  • Charge a reasonable fee based on administrative costs for:

    • Repeated requests for the same data

    • Requests for additional copies

 

If a request is refused, we will explain the reason in writing and inform the individual of their right to complain to the Information Commissioner’s Office (ICO).

 

Limitations to Disclosure

We may withhold some data where:

  • Disclosure could cause serious harm to the physical or mental health of the individual or another person

  • The rights and freedoms of others would be adversely affected

  • The data contains legally privileged information or confidential references provided by a third party

 

Data Portability

Where applicable, Orange Aero Ltd will provide personal data in a structured, commonly used and machine-readable format, allowing the individual to transfer it to another data controller.

 

Additional Data Subject Rights

In addition to SARs, individuals have the right to:

  • Withdraw consent to data processing

  • Request rectification or erasure of personal data

  • Request restriction of processing

  • Object to processing (in certain circumstances)

  • Prevent processing for direct marketing purposes

  • Challenge processing based on legitimate interests or public interest

  • Request data portability (as above)

  • Object to automated decision-making and profiling

  • Be informed of a personal data breach (in certain circumstances)

  • Lodge a complaint with the ICO at www.ico.org.uk

 

Requests should be submitted to any staff member, who must forward them without delay to the Managing Director’s PA.

 

Responsibilities and Training

All staff must be familiar with this policy and trained to:

  • Recognise SARs

  • Forward requests promptly to the Managing Director’s PA

  • Assist with data collection where necessary

  • Failure to comply may result in disciplinary action.

 

Monitoring and Review

This policy will be reviewed annually, or earlier if there are significant regulatory changes.

bottom of page