arrow_back All policies

Subject Access Request (SAR) Procedure

How we respond to requests from individuals to exercise their data protection rights.

Version 1.0 · 5 May 2026 · Adopted 19 May 2026

1. Purpose

This procedure sets out how Tenpin Ireland handles requests from individuals to exercise their rights under the GDPR and the Data Protection Act 2018, in particular the right of access (‘Subject Access Request’ or SAR) under Article 15. It also covers requests to exercise the other rights listed in Section 2, since they are usually handled in a similar way and often arrive together.

2. The rights covered by this procedure

RightWhat the requester is asking for
Right of access (Article 15)A copy of the personal data we hold and information about how it is processed.
Right to rectification (Article 16)Correction of inaccurate or incomplete personal data.
Right to erasure (Article 17)Deletion of personal data in defined circumstances (‘right to be forgotten’).
Right to restriction (Article 18)A pause on processing in defined circumstances.
Right to portability (Article 20)A copy of personal data in a structured, commonly used format, where processing is by automated means and based on consent or contract.
Right to object (Article 21)An objection to processing based on legitimate interests, including direct marketing.
Rights re. automated decision-making (Article 22)Rights in relation to solely automated decisions producing legal or similarly significant effects.

3. How a request can be made

A data subject can make a request:

  • In writing to the DPO at (DPO email — to be confirmed; in the meantime [email protected])
  • By post to: Data Protection Officer, Tenpin Ireland, Irish Sport HQ (NGB Building), National Sports Campus, Blanchardstown, Dublin 15
  • Verbally — in which case the recipient must record the request and pass it to the DPO without delay

A request does not need to mention ‘GDPR’, ‘SAR’ or any specific article. Anything that reasonably looks like a request to exercise a right is treated as one. If in doubt, refer it to the DPO.

4. Identifying the requester

Before responding, we satisfy ourselves that the request is from the data subject (or someone properly authorised to act on their behalf, such as a parent of a child). We ask only for what is reasonable in the circumstances. Excessive identity checks are not appropriate. For an existing member who emails from their registered email address, this may require no more than confirmation of basic membership details.

Where a request relates to a child:

  • Children are entitled to make requests in their own right where they have the capacity to do so.
  • Parents may make requests on behalf of younger children, where this is in the child’s best interests.
  • For older juniors, the DPO may engage directly with the child while keeping the parent appropriately informed.

5. Acknowledgement and logging

Within 3 working days of receiving a request, the DPO acknowledges it in writing and logs it in the SAR Log with:

  • Date received and channel
  • Name of requester and how identity was verified
  • Nature of the request and the rights involved
  • Target response date
  • Owner (DPO is default)

6. Timeline

We respond to requests within one calendar month, as required by Article 12(3) GDPR. Where a request is complex or there are multiple requests from the same person, we may extend by up to two further months, in which case we tell the requester within the first month and explain why.

WhenStageAction
Day 0Request receivedAcknowledge to requester within 3 working days. Log the request. Verify identity if needed.
Days 1–7Scope and searchIdentify systems and individuals likely to hold the data. Issue search instructions.
Days 7–21Collect and reviewGather data; review for third-party data, legal privilege, and other exemptions.
Days 21–28Redact and assemble responseProduce the response pack and the explanation of processing.
By Day 30Send responseIssue response to the data subject. Update the SAR Log.
If extendingBy Day 30Notify the requester within the first month, explain the reason, and complete within a further 2 months.

7. Searching for personal data

On receiving a request, the DPO works out where the requester’s data is likely to be held — for example:

  • Membership records and renewal forms
  • Email correspondence (officers’ mailboxes)
  • Competition and ranking systems
  • Coaching and qualification records
  • Vetting records
  • Photographs and video
  • Any back-ups or archives

Officers and volunteers asked to search are given clear instructions including the scope of the request, what categories of data to look for, and a deadline. Personal devices used for Tenpin Ireland business are within scope.

8. Reviewing what we find

Before sending data to the requester, the DPO reviews it for:

  • Third-party data: personal data about other people that appears alongside the requester’s data. This is normally redacted unless the third party has consented or it is reasonable to disclose.
  • Legal privilege: communications subject to legal privilege are exempt under the Data Protection Act 2018.
  • Confidential reference data and other DPA 2018 exemptions: considered case by case.
  • Manifestly unfounded or excessive requests: we may charge a reasonable fee or refuse, but we explain why.

9. The response

A complete response includes:

  • Confirmation of whether we are processing the requester’s personal data
  • A copy of the personal data, in a commonly used electronic form unless the requester asks otherwise
  • Information about the purposes of processing, categories of data, recipients (or categories of recipients), retention periods, the requester’s rights, and the right to lodge a complaint with the DPC
  • Information about the source of the data where it was not collected from the requester
  • Information about any automated decision-making and its logic

Much of this is already in our Privacy Policy; the response refers to it as well as confirming any details specific to the requester.

10. When we can refuse or restrict

We may refuse, charge for, or restrict a response only in the limited circumstances permitted by law — for example where the request is manifestly unfounded or excessive (Article 12(5)), where an exemption in the Data Protection Act 2018 applies, or where complying would adversely affect the rights and freedoms of others. Where we do refuse or restrict, we explain why and tell the requester about their right to complain to the DPC.

11. Right to erasure (‘right to be forgotten’)

On receiving a request for erasure, the DPO assesses whether one of the grounds in Article 17(1) applies, including whether the data is no longer necessary, whether consent has been withdrawn and there is no other lawful basis, or whether the data was unlawfully processed. Specific consideration is given to children’s data, where the right to erasure has additional weight. If we decline to erase, we explain on what lawful basis processing continues, and the requester’s right to complain to the DPC.

12. Right to object to direct marketing

Where a requester objects to direct marketing, we stop without delay. There is no balancing test.

13. Records

The SAR Log records every request received, the action taken, and the date the response issued. The Log is reviewed at each Executive meeting in summary form, alongside the Breach Log.

14. Training

All officers and volunteers who handle correspondence with members are briefed to recognise potential rights requests and to refer them to the DPO without delay.

15. Review

This procedure is reviewed at least annually by the DPO and the Board.

16. Adoption

This Subject Access Request Procedure was adopted by the Executive Board of Tenpin Ireland on 19 May 2026.