Under Article 15 of the GDPR, an individual has the right to obtain from the controller, confirmation as to whether or not personal data concerning them is being processed. We are committed to upholding the rights of individuals and have dedicated processes in place for providing access to personal information. Where requested, we will provide the following information:
A subject access request (SAR) is a request for access to the personal information that OneSelect holds about an individual, which we are required to provide under the GDPR (unless an exemption applies).
You can make this request in writing using the details provided later on this page, or you can submit your access request electronically. Where a request is received by electronic means, we will provide the requested information in a commonly used electronic form (unless otherwise requested by the data subject).
Subject Access Requests (SAR) are passed to the Privacy Team as soon as received and a record of the request is noted. The person in charge will use all reasonable measures to verify the identity of the individual making the access request, especially where the request is made using online services.
We will utilise the request information to ensure that we can verify your identity and where we are unable to do so, we may contact you to provide evidence of your identity prior to actioning any request. This is to protect your information and rights.
If a third party, relative or representative is requesting the information on your behalf, we will verify their authority to act on your behalf and may again contact you to confirm their identity and authorisation prior to acting the subject access request.
If you have provided enough information in your SAR to collate the personal information held about you, we will gather all forms (hard-copy, electronic etc) and ensure that the information required is provided in an acceptable format. If we do not have enough information to locate your records, we may contact you for further details. This will be done as soon as possible and within the Regulation timeframes set out below.
Once we have collated all of the personal information held about you, we will send this to you in writing (or in a commonly used electronic form if requested). The information will be in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
SARs are always completed within 30-days and are provided free of charge. Where the request is made by electronic means, we provide the information in a commonly used electronic format, unless an alternative format is requested.
Whilst we provide the information requested without a fee, further copies requested by the individual may incur a charge to cover administrative costs.
OneSelect always aim to provide the requested information at the earliest convenience, but at a maximum, 30 days from the date the request was received. However, where the retrieval or provision of information is particularly complex or is subject to a valid delay, the period may be extended by two further months. If this is the case, we will write to you within 30 days and keep you informed of the delay and the reasons.
Under the GDPR, you have the right to request rectification of any inaccurate data held by us. Where we are notified of an inaccuracy and agree that the data is incorrect, we will amend the details immediately as directed by you and make a note on the system (or record) of the change and reasons. We will rectify the errors within 30-days and inform you in writing of the correction and where applicable, provide the details of any third-party to whom the data has been disclosed.
If for any reason, we are unable to act in response to a request for rectification and/or completion, we always provide a written explanation to you and inform you of your right to complain to the Supervisory Authority and to a judicial remedy.
Individuals also have the right to request from OneSelect, the erasure of personal data or to restriction of the processing of personal data where it concerns the data subject; as well as the right to object to such processing.
The GDPR contains certain exemptions from the provision of personal information. If one or more of these exemptions applies to your subject access request or where OneSelect does not act on the request, we shall inform you at the earliest convenience, or at the latest, within one month of receipt of the request.
Where possible, we will provide you with the reasons for not acting and any possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Details of contacting the supervisory authority are set out later on in this page.
If you are unsatisfied with our actions or wish to make an internal complaint, you can contact us in writing at: –
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO), who can be contacted at;