All organisations that process personal data are required to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The Data Protection Laws give individuals (known as ‘data subjects’) certain rights over their personal data whilst imposing certain obligations on the organisations that process their data.


The Company is a recruitment business and collects and processes both personal data and sensitive personal data.  It is required to do so to comply with other legislation.  It is also required to keep this data for different periods depending on the nature of the data.

This policy sets out how the Company complies with the requirements of Subject Access Requests in accordance with the General Data Protection Regulation. It should be read in conjunction with the Privacy Policy, Data Protection Policy and the Data Protection Procedure.


In this policy the following terms have the following meanings:

‘The Company’ refers to Athona Ltd, Athona Education Limited and Athona Clinical Services Ltd.

‘data controller’ means an individual or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal data;

‘processing’ means any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage (including archiving), adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘sensitive personal data’* means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data, data concerning health, an individual’s sex life or sexual orientation and an individual’s criminal convictions.

* For the purposes of this policy we use the term ‘personal data’ to include ‘sensitive personal data’ except where we specifically need to refer to sensitive personal data.

‘subject access request’ means the rights an Individual has to request access to their personal data on request, free of charge except in certain circumstances.

‘Supervisory authority’ means an independent public authority which is responsible for monitoring the application of data protection.  In the UK the supervisory authority is the Information Commissioner’s Office (ICO).


The Company processes personal data in relation to its own staff, work-seekers and individual client contacts and is a data controller for the purposes of the Data Protection Laws.

The Company has registered with the ICO and its registration number is Z8156454

The Company may hold personal data on individuals for the following purposes:

  • Staff administration;
  • Advertising, marketing and public relations
  • Accounts and records;
  • Administration and processing of work-seekers’ personal data for the purposes of providing work- finding services, including processing using software solution providers and back office support
  • Administration and processing of clients’ personal data for the purposes of supplying/introducing work-seekers


The right to access (‘subject access request’)

Individuals are entitled to obtain access to their personal data on request, free of charge except in certain circumstances.

An individual will be entitled to the following information:

  • Confirmation that their personal data is or is not being processed;
  • Access to the personal data undergoing processing;
  • The purposes of the processing;
  • The categories of personal data concerned;
  • The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular; recipients in third countries or international organisations;
  • Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • The existence of the right to request from the Company rectification or erasure of personal data or restriction of processing of personal data concerning the individual or to object to such processing;
  • The right to lodge a complaint with the ICO or any other relevant supervisory authority;
  • Where the personal data are not collected from an individual, any available information as to the source of that information;
  • The existence of automated decision-making, including profiling, based on a public interest or a legitimate interest and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.

If the Company transfers the individual’s personal data to a third country or to an international organisation, the individual shall have the right to be informed of the appropriate safeguards in place relating to the transfer.

If the Company processes a large quantity of information concerning the individual making the request, the Company might request that the individual specify the information or processing activities to which the request relates to specifically before the information is delivered. If such a request is required by the Company then it shall be delivered promptly to the individual, taking into consideration the timeframes that subject access requests must be completed.

The individual’s right to access their information shall not adversely affect the rights and freedoms of others and they will not be able to access the personal data of third parties without the explicit consent of that third party or if it is reasonable in all the circumstances to comply with the request without that third party’s consent, taking into consideration any means to redact the personal data of any third party. Persons listed in the Appendix will decide whether it is appropriate to disclose the information to the individual on a case by case basis. This decision will involve balancing the individual’s right of access of their personal data against the third party’s rights in respect of their own personal data.

Data Subject Access Request (SAR) Procedure

Data Subjects submitting a request for information must follow this Procedure:

  1. a) Make a request in writing to the Data Protection Officer (DPO) at
  2. b) The request should include documents confirming the identity of the Data Subject such as a driving licence, passport or birth certificate. If sufficient ID is not submitted with the original request, the Data Protection Officer will request this identification, and no documentation will be released until identification is confirmed; and
  3. c) The request should provide detail about the information the Data Subject wishes to request such as where and whom the information is believed to be held by. These details allow for efficient location and retrieval of the information requested.

The company reserves the right not to disclose any information about a third party to whom the company owes a duty of confidentiality or privacy. Information given will only be that relating to the Data Subject.

Any queries about requests should be directed to the Data Protection Officer at

Dealing with Requests

Once the company receives a request, the Data Protection Officer will issue a response within one month of receipt. If, however, the request is complex or numerous, an extension by a further two months could be made.

Should an extension be required, the Data Subject will be notified of the extension and the reasons as to why it is required, within one month of receipt of the request.

Information Gathering

If you have provided enough information in your SAR to collate the personal information held about you, we will gather all documents relating to you and ensure that the information required is provided in an acceptable format. If we do not have enough information to locate your records, we may contact you for further details. This will be done as soon as possible and within the timeframes set out below.

Information Provision

Once we have collated all the personal information held about you, we will send this to you in writing (or in a commonly used electronic form if requested). The information will be in a concise, transparent, intelligible and easily accessible format, using clear and plain language.

The company will provide a copy of the information in response to a request free of charge.

Should a request be manifestly unfounded or excessive, particularly because it is repetitive, a reasonable fee can be charged. A reasonable fee may also be charged for further copies of the same information but not all subsequent requests.

Refusing a Request

If a request is manifestly unfounded or excessive, particularly where it is repetitive, then the request can be refused.

Should a request be refused, the Data Subject will be informed of the reasons why it is refused and will be informed of their right to complain to the Regulatory Authority within one month of receipt of the request.

Your Other Rights

Under the UK GDPR, you have the right to request rectification of any inaccurate data held by us. Where we are notified of inaccurate data, and agree that the data is incorrect, we will amend the details as directed by you and make a note on the system (or record) of the change and reason(s). We will rectify any errors within 30-days and inform you in writing of the correction and where applicable, provide the details of any third-party to whom the data has been disclosed.

If for any reason, we are unable to act in response to a request for rectification and/or data completion, we will always provide a written explanation to you and inform you of your right to complain to the ICO.

In certain circumstances, you may also have the right to request from the company, the erasure of personal data or to restrict the processing of personal data where it concerns your personal information; as well as the right to object to such processing. You can use the contact details below to make such requests.

Submission and Lodging a Complaint

To submit your subject access request, you can email your request to us at or write to the Data Protection Officer at the following address:

The Data Protection Officer

Athona Ltd

2nd Floor Kingsgate House

1 King Edward Road



CM14 4HG

To raise a complaint with the Information Commissioner’s Office

You can contact the ICO directly on 0303 123 1113 or at