Subject Access Request Policy

These legal guidelines outline your rights, responsibilities, and how we handle your data.

Last updated: 1st December 2025

1. Purpose

Artifax Software Limited acknowledges its responsibilities as a Data Controller under the UK GDPR and Data Protection Act 2018. This policy outlines how we manage Subject Access Requests (SARs) in a compliant, timely, and secure manner.

2. Data Subject Rights

Individuals (data subjects) have the right to request:

  • Confirmation of whether we are processing their personal data

  • A description of the personal data processed

  • The purposes of the processing

  • Recipients or categories of recipients of the data

  • The sources of the data, if known

  • A copy of the personal data, provided the request is valid and verifiable

Customers Using Artifax Products

Where data is held within Artifax products, our customers are the Data Controllers. Artifax acts as a Data Processor and will support customers in responding to SARs as required.

3. Valid Requests

To be valid under the UK GDPR:

  • SARs must be submitted in writing

  • Sufficient information must be provided to identify the data subject

  • A Subject Access Request Form will be issued to the requestor to clarify details and verify identity

  • A SAR Privacy Notice will also be provided

Upon validation, Artifax will respond within one calendar month.

4. Communication

We aim to:

  • Engage the data subject to help refine the scope

  • Provide all relevant data upon request

  • Make the process transparent, efficient, and secure

5. Scope of Search

Unless narrowed by the requestor:

  • All relevant digital systems and structured manual files will be searched

  • Backup systems are excluded unless specifically required

The Data Protection Officer (DPO) typically acts as SAR coordinator.

6. Manual Files

Manual records must:

  • Be part of a structured filing system (e.g., alphabetical by name)

  • Be assessed against the SAR criteria

7. Data Accuracy and Restrictions

We do not alter, delete, or update records during the SAR process, even if data is inaccurate. SARs are based on what is held at the time of request.

8. Third-Party Data

We protect the rights of other individuals by:

  • Redacting third-party identifiers where appropriate

  • Withholding information only if disclosure would breach another’s rights

9. Exemptions

SAR exemptions include:

  • Negotiations in progress

  • National security or crime detection

  • Medical data disclosure without professional oversight (where harmful)

  • Requests that involve disproportionate effort

10. Delivery of Information

SAR responses will:

  • Be provided in a permanent, intelligible form

  • Include explanations of codes or terms if needed

  • Be securely dispatched and tracked

  • Be copied and retained securely for record-keeping

11. Rights Handling

We uphold and document the following data subject rights:

Right to Be Informed (Articles 12–14)

We ensure privacy information is clear, timely, and accessible. It is reviewed regularly.

Right to Access (Article 15)

We provide details on:

  • Processing purpose, categories, recipients

  • Retention periods

  • Rights and source of data

Right to Rectification (Article 16)

Inaccuracies will be corrected or completed, where validated.

Right to Erasure (Article 17)

We will erase data unless:

  • Required for legal claims, freedom of expression, or compliance

  • Still necessary for legitimate original purposes

Right to Restrict Processing (Article 18)

Processing will be limited when:

  • Accuracy is contested

  • Processing is unlawful

  • Data is no longer needed but required for legal claims

Right to Data Portability (Article 20)

We provide data in machine-readable format when:

  • Processing is automated

  • Consent or contract is the lawful basis

Right to Object (Article 21)

We will respect objections to:

  • Legitimate interest processing

  • Direct marketing

  • Profiling or automated processing

12. Breach or Delay

Failure to respond within one month constitutes a GDPR breach and may result in a complaint to the ICO. A full copy of the SAR response is retained by Artifax.

Contact

Data Protection Officer
dpo@artifax.com

Policy Review

This policy will be reviewed annually or in response to legislative changes.
