Terms & Conditions

Last updated: January 27, 2026

The boring but important stuff.  The following terms govern your use of Kudocs and our relationship with you.


Data Subject Access Requests – Rights and Process

Last updated: March 25, 2026

This policy sets out how Kudocs Limited handles requests from individuals (data subjects) exercising their rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). It applies to all personal data processed by Kudocs in its roles as both data controller and data processor.

1. Introduction and Purpose

Kudocs is committed to upholding the rights of individuals in relation to their personal data. This document provides a clear, consistent, and accountable process for receiving, verifying, and responding to data subject requests in accordance with UK GDPR Articles 12–23.

The policy ensures:

  • Requests are handled promptly, transparently and free of charge (unless manifestly unfounded or excessive).
  • Appropriate distinction is made between controller and processor activities.
  • All requests are logged for accountability (UK GDPR Article 5(2)).

2. Data Subject Rights under UK GDPR

Individuals have the following rights:

  1. Right to be informed: Transparent information about how their data is used (provided via Privacy Notice).
  2. Right of access (Subject Access Request (“SAR”)): Confirmation whether their data is processed and access to a copy plus supplementary information.
  3. Right to rectification: Correction of inaccurate or incomplete personal data.
  4. Right to erasure (“right to be forgotten”): Deletion of personal data in specified circumstances.
  5. Right to restrict processing: Limitation of processing while accuracy or legality is contested.
  6. Right to data portability: Receipt of data in a structured, machine-readable format and transmission to another controller.
  7. Right to object: Objection to processing based on legitimate interests or for direct marketing.
  8. Rights in relation to automated decision-making and profiling: Safeguards against solely automated decisions with legal or significant effects.

3. Scope

  • Controller activities: Requests relating to Kudocs’ own users (e.g. user account data, payment data (for customers who pay by card), support records, website analytics).
  • Processor activities: Requests relating to an entity stakeholder (e.g. company officer, PSC, shareholder, LLP member, etc.) or uploaded document data processed on behalf of clients. In processor cases, Kudocs will normally forward the request to the client (controller) for instruction, while providing reasonable assistance.

4. How to Submit a Request

Data subjects may exercise their rights by emailing info@kudocs.co.uk. Requests do not need to use specific wording but must clearly identify the right being exercised and the individual concerned. Kudocs may contact you asking for more information to enable it to investigate, validate and support the request.

5. Verification of Identity

Before processing any request (except simple “right to be informed” enquiries), Kudocs will verify the identity of the requester using reasonable means, such as:

  • Matching provided details against account records.
  • Requesting government-issued photo ID and proof of address (where necessary and proportionate).
  • For processor data, confirming the requester’s relationship to the client company.

Verification will be completed within 5 working days where possible.

6. Response Timescales

  • Standard response: One calendar month from receipt of a valid, verifiable request.
  • Extension: Up to two additional months for complex or multiple requests (data subject must be informed within the first month with reasons).
  • Refusals or partial refusals: Explained clearly with appeal rights to the ICO.

Where Kudocs is acting as Processor (i.e. where the data has been added to the system by a third party, i.e. a company, professional advisor or other intermediary who is using Kudocs to manage company information, all of whom would be Kudocs’ direct customer), Kudocs may be required to contact the direct customer under legal and contractual obligations. In such cases, Kudocs’ ability to respond substantively may be limited by the rights and obligations of the direct customer. In such a case, Kudocs will make all reasonable efforts to share relevant information with the requester.

7. Step-by-Step Handling Procedure

  1. Receipt & Logging: All requests are logged in the Data Subject Rights Register (secure, access-controlled record) with a unique reference.
  2. Acknowledgement: Sent within 5 working days, confirming receipt and expected response date.
  3. Verification: Identity and validity checked.
  4. Assessment:
    • Controller data: Handled directly by the DPO.
    • Processor data: Request forwarded to the relevant client with a request for instructions within 7 days. Kudocs provides reasonable assistance.
  5. Gathering Information: Search all relevant systems (Kudocs platform, backups, logs, Companies House filings where applicable).
  6. Review & Decision: DPO reviews for exemptions (e.g., legal privilege, third-party data, manifestly unfounded requests).
  7. Response Preparation: Provide data in a clear, structured format (usually PDF + CSV where portable).
  8. Dispatch & Closure: Response sent securely. Request closed and logged with outcome.

8. Specific Guidance per Right

  • Right of Access: Provide a copy of all personal data + supplementary information (purpose, recipients, retention, rights, source, etc.). Redact third-party data where necessary.
  • Right to Rectification: Correct data within the one-month period and notify recipients where practicable.
  • Right to Erasure: Apply unless overridden by legal obligation (e.g., Companies Act filing requirements or statutory retention). For processor data, obtain client instruction.
  • Right to Restrict: Flag records internally to prevent further processing until resolved.
  • Right to Portability: Provide data in structured, commonly used format (e.g., CSV, JSON).
  • Right to Object: Cease processing unless compelling legitimate grounds override (documented).
  • Automated Decision-Making: Currently not used by Kudocs; any future implementation will include human intervention safeguards.

9. Recording and Accountability

All requests are recorded in the Data Subject Rights Register including:

  • Request details, date, requester, right exercised
  • Verification method and outcome
  • Decision and reasoning (including any exemptions applied)
  • Response date and method
  • Any follow-up or complaints

The register is reviewed 6-monthly by the Data Protection Lead and retained for 6 years.

10. Refusal or Limitation of Requests

Requests may be refused or limited if:

  • Manifestly unfounded or excessive
  • Exempt under legislation (e.g., crime prevention, legal claims)
  • Compliance would breach another legal obligation

All refusals are documented with clear reasons and the individual’s right to complain to the ICO.

11. Responsibilities

  • Data Protection Officer: Overall ownership, decision-making, register maintenance, and ICO liaison.
  • Technical Lead: Assisting with data extraction and secure provision.
  • All staff: Immediate escalation of any received request to info@kudocs.co.uk.
  • Clients (as controllers): Responsible for instructing Kudocs on processor-role requests.

12. Training and Awareness

All relevant staff receive annual training on this procedure and data subject rights.