DSAR Policy

This document defines how we handle subject access requests under the GDPR (General Data Protection Regulation). It highlights the rights of the data subject and our responsibilities when dealing with that requests.


Personal rights

Every individual has the full right to know what information is stored about them. This information must be: - Accurate and up to date - Processed fairly, lawfully and in a transparent manner - Adequate, relevant and not excessive - Not kept for longer than necessary - Processed for specific, legitimate and lawful purposes - Processed in accordance with individual’s rights - Securely stored - Not transferred other than in accordance with agreed terms and conditions

Personal data

Personal data is information which relates or refers to an individual. Data refers to an individual if that individual can be identified such as by using their name, identification number, location data or factors specific to the individual such as physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

ADSuisse’s policy on providing information

We are committed to respond to all reasonable requests for access in accordance with GDPR, whilst protecting our own intellectual property.

How to make a data subject access request (DSAR)?

A data subject access request is a written request for personal information held about you by ADSuisse. You have the right to see what personal information we hold about you. You are entitled to be given confirmation as to whether we hold or process your personal information, and if so you are entitled to access all your personal information as well as details of: - The purposes for which we process your data; - The categories of your personal data we process; - The recipients, or categories or recipient to whom personal data has been or will be disclosed, in particular recipients in third countries or who are international organisations; - How long we expect to store and process your data; - Where you did not give us the personal data, the source from which we collected the personal data; and - Whether we use any automated decision making in relation to the processing of your personal data. You are entitled to: - get access (see or view) to your own personal data - have any mistakes in your personal data rectified withdraw a previously given consent for processing of your personal data for a specific purpose - have the data deleted if you would no longer like us to store or process your personal data - request restriction of our processing of your personal data. Тo exercise the GDPR rights granted to you, you can send us a request by contacting


What do we do when we receive a subject access request?

1. We will verify your identity We will ask for additional information to verify it. For example, we may ask you for a piece of information held in your records that you might reasonably be expected to know. We cannot disclose personal information to anyone other than the individual in question. 2. We will collect information We will gather any manual or electronically held information and identify any information provided by a third party or which identifies a third party. 3. We will identify if third parties will be affected Before sharing information that relates to third parties, we will, where possible, anonymise or edit information that might affect another party’s privacy. We may also summarise information rather than provide a copy of the whole document. The GDPR requires us to provide information, not documents.

Issuing a response

Once any queries around the information requested have been resolved, copies of the information will be sent on your e-mail.

Will we charge a fee?

The service is free of charge. However, if your data subject access requests are excessive or manifestly unfounded we will charge $10 to cover the administrative costs involved in dealing with your request. In extreme circumstances, we reserve the right to refuse your requests.

What is the timeframe for responding to subject access requests?

It is 30 calendar days, starting from when we received the information necessary to identify you, to identify the information you requested, and provide you with the information (or explain why we were unable to provide the information). Wherever possible, we will aim to complete the request in advance of the deadline.