Subject Access Request Policy and Procedure
Last Updated: August 25th, 2025
Introduction
The UK General Data Protection Regulation (UK GDPR) gives you the right to find out what information an organisation stores/holds about you. A Subject Access Request (SAR) gives an individual the right to find out what personal data an organisation holds about them, why it is held, and with whom it is shared.
This policy and procedure set out how CoSyne Therapeutics identifies and manages its SAR responsibilities in accordance with its legal and regulatory obligations. This policy sets out the minimum standards which must be complied with by the company.
Definitions
Data Subject - Individual who CoSyne holds Personal Data about.
Personal Data - Information which relates to a Data Subject, and which is identifiable to them.
Corresponding Information - Information relating to the processing of Personal Data, which is usually contained within Privacy Notices.
Privacy Notices - Notices given to the Data Subjects, usually when they provide Personal Data to the company, which inform them about how their data will be used, whom it will be shared with and how long it will be held for.
Regulatory Authority - Information Commissioner's Office.
Purpose
The UK GDPR clarifies the reasons for allowing individuals to access their Personal Data. This is to help individuals understand how and why an organisation is using their data, and check it is doing so lawfully.
Right to Access Data
The data an individual has the right to obtain is as follows:
· Confirmation that their data is being processed;
· Access to/copies of their Personal Data; and
· Other supplementary information – this largely corresponds to information that should be provided in a privacy notice (see Article 15 of the UK GDPR).
Data Subjects have the right to receive a copy of their Personal Data which is held by CoSyne. In addition, an individual is entitled to receive further information about the processing of their Personal Data as follows:
1. the purposes
2. the categories of Personal Data being processed
3. recipients/categories of recipient
4. retention periods
5. information about their rights
6. the right to complain to the ICO
7. details of the relevant safeguards where Personal Data is transferred outside the EEA
8. any third-party source of the Personal Data
CoSyne is not required, in response to a subject access request, to disclose information about another individual who can be identified from that information, except where the other individual has consented to the disclosure, or it is reasonable in all of the circumstances to disclose this information without that individual's consent. Data Subjects are only entitled to request access to their own personal data; any third-party personal data will be removed.
Validity
A SAR can be made verbally or in writing, including on social media. A request is valid if it is clear an individual is asking for their own Personal Data. There is no specific form of words or reference to legislation that makes a request valid, nor does it need to be directed to a specific contact within CoSyne.
Verification
When a SAR is submitted, an individual must provide verification of their identity using ‘reasonable means’. CoSyne must be satisfied of the identity of an individual to protect against unauthorised access to Personal Data. If the company does not have sufficient information to verify the identity of the individual and requests further proof of ID, the one-month time limit referred to in section xx does not begin until the required ID has been received.
An individual can ask a third party (e.g. friend, solicitor, relative) to make a SAR on their behalf. In instances such as these, CoSyne must be satisfied that the third party is entitled to act on the individual’s behalf. It is the third party’s responsibility to provide evidence of their authority.
Fees
SARs should be dealt with free of charge, unless the request is unusually large, complex, or an individual requests further copies of their data. If this is the case (the decision will be made by CoSyne) a reasonable fee may be charged. If a fee is charged, the one-month time limit does not begin until the fee is received.
Response time
Under the UK GDPR, CoSyne must comply with a SAR without undue delay and at the latest within one month of receiving the request. The time to respond to a SAR can be extended by up to a further two months if the request is unusually large or complex. The SLT will make this decision and where it deems that this is the case, will explain to the individual, within the original one-month timeframe, its rationale for why there is a need for an extension and when they can reasonably expect to receive a response.
Seeking clarification
CoSyne are allowed to seek clarification from an individual, asking them to specify the information or processing activities their request relates to, if the remit of their request is not clear. This is especially helpful in circumstances where CoSyne processes a large amount of information about an individual. The time limit for responding to the request is paused until clarification is received.
CoSyne will not require the applicant to narrow the scope of the request (they are entitled to ask for all the information we hold), but may ask them to provide some context around the information they’re seeking, such as relevant dates or whether they want a particular document or type of document (for example, letter, email, application form), which may help us to locate the data.
Refusing a SAR
If a request is manifestly unfounded or excessive, particularly where it is repetitive, then the request can be refused.
Should a request be refused, the Data Subject will be informed of the reasons why it is refused and will be informed of their right to complain to the Regulatory Authority and to a judicial remedy, within one month of receipt of the request.
SAR Procedure
To help CoSyne to facilitate a SAR as expeditiously as possible, we request that all Data Subjects wishing to engage their right of access follow this procedure:
1. Where possible, make a request in writing, using this form:
2. The form will ask you to verify your identity. A copy of original documentation is acceptable. If sufficient ID to enable us to verify your identity is not submitted with the original request, we will request further information from you. Personal Data will not be released until verification of identification is confirmed.
3. The request should provide detail about the information you wish to request such as where and whom the information is believed to be held by. These details allow for efficient location and retrieval of the information requested.
Should a request not be clear, or the scope too broad, CoSyne may need to seek clarification. The time limit for responding to a request is paused until clarification is received.
4. Once CoSyne receives a request, the team will issue a response within one month of receipt. If, however, the request is complex or numerous, an extension by a further two months could be made.
Should an extension be required, the Data Subject will be notified of the extension and the reasons as to why it is required, within one month of receipt of the request.
5. Data Subjects are only entitled to information which relates to them. A response may sometimes contain redactions (documents showing blanked-out text) or information may be removed entirely if an exemption under the Data Protection Act (DPA) 2018 applies.
Exemptions protect particular types of information, or, for example, other Data Subjects or information about a third party to whom CoSyne owes a duty of confidence or privacy. A Data Subject’s right to see their personal data shall not adversely affect the rights and freedoms of other people.
6. CoSyne will usually provide a copy of the information in response to a request free of charge. If, however, a request is unusually large, complex, or an individual requests further copies of their data, a reasonable fee may be charged. If a fee is charged, the one-month time limit does not begin until the fee is received.
7. If a request is manifestly unfounded or excessive, particularly where it is repetitive, then the request can be refused. Should a request be refused, the Data Subject will be informed of the reasons why it is refused and will be informed of their right to complain to the Regulatory Authority and to a judicial remedy, within one month of receipt of the request.
8. CoSyne shall keep a copy of the information provided until it has confirmation from the data subject that it does not require any further information or for a period of 6 months from completion of the request.