What is a Subject Access Request?
A Subject Access Request (SAR) is a legal request from a customer asking to see all the personal data you hold about them.
Under UK GDPR and the Data Protection Act 2018, you are required to respond within one month of receiving the request to send the data. This can be extended to two months in some cases, but you must inform the customer if that is the case.
Before you action an SAR
It is worth checking whether the customer actually needs a full SAR, or whether they simply want their data deleted.
In many cases, deletion is all someone is looking for. If that is the case, follow this guide instead: How to delete a contact
How to action an SAR
Contact us at success@airship.co.uk as soon as you receive an SAR so we can assist with gathering the contact's data within the legal timeframe.
What data does Airship hold on a contact?
Airship holds the personal data that your customers have shared with you, which may include:
Name and contact details (email address, mobile number)
Opt-in preferences
Groups they're in
A history of emails they have been sent
Any other data collected at the point they joined your database (for example, wifi login data if you use a wifi marketing integration)
Note: Airship only holds data that has been passed into your account. You will also need to consider any other systems that hold personal data about the individual, such as your booking system, EPOS, or wifi provider.
How to send the data to the customer
Once the Airship team has compiled the data we'll send it to you in a PDF and/or spreadsheet so it is easy for the customer to read.
You will then need to send the files to the contact. Please do this securely if you can, such as password-protecting the files and sending the contact the password separately.
In your email reply to the contact it is good to also include:
A covering note explaining what the data is, where it came from, and who to contact if they have questions. This does not need to be lengthy, but it shows the customer you have taken their request seriously.
Deadline: Make sure the data reaches the customer within one month of their original request. If you need more time, contact the customer before the deadline to let them know, and give them a new expected date.
The Data Preferences Centre
Customers can also manage and request their own data through the Data Preferences Centre. This is accessible via the "Preferences" link in the footer of any email you send through Airship.
If a customer uses this to invoke their right to deletion, Airship will automatically send you a notification email that looks something like this:
"The customer below has invoked their right to be deleted from your database. As your data processor we will automatically carry out a deletion of this customer's details on your Airship account. This deletion will occur 30 days after this request."
This email is genuine and is sent automatically by Airship. It is not spam.
โ ๏ธ Important: Airship will help you with gathering information for an SAR (and you can deal with deleting the contact, if needed, on your Airship dashboard).
But you are responsible as the data controller for removing that customer from any other systems you use, such as your booking system, EPOS, loyalty scheme, or wifi provider.