Data Subject Access Request Policy

Last Updated: June, 2026

A Data Subject Access Request (DSAR) is a request made by an individual to obtain a copy of the personal data held about them by an organisation, together with supplementary information about how that data is used. Under UK GDPR Article 15, all individuals have the right to make a DSAR. This chapter sets out how Cyber Universe Europe Ltd. receives, verifies, and responds to DSARs.

1. Who Can Make a DSAR?

A DSAR may be submitted by:

  • Any individual (data subject) whose personal data is processed by Cyber Universe Europe Ltd. in its capacity as a data controller.
  • A parent or legal guardian acting on behalf of a child under the age of 18.
  • An authorised representative acting on behalf of a data subject, provided written authorisation from the data subject is provided.

DSARs relate only to personal data for which Cyber Universe Europe Ltd. is the data controller. Where we process personal data as a processor on behalf of a client, DSARs relating to that data must be directed to the relevant client (the controller). We will assist clients in fulfilling DSARs in accordance with our obligations under the client Data Processing Agreement.

2. How to Submit a DSAR

DSARs may be submitted by any of the following methods:

  • By email: info@cyberuniverse.uk
  • By post: Chief Operating Officer, Cyber Universe Europe Ltd., Landmark House, 12 Chorley New Road, Bolton, Greater Manchester, England, BL1 4AP

DSARs do not need to use any specific format or language. Any written request that identifies the individual and indicates that they are seeking access to their personal data will be treated as a DSAR.

3. Identity Verification

Before processing a DSAR, we must be reasonably satisfied that the individual making the request is who they claim to be. We may request proof of identity, such as a copy of a passport, driving licence, or other suitable document. We will handle identity verification documents securely and will not retain them beyond what is necessary for verification purposes.

Where a DSAR is submitted by a representative on behalf of a data subject, we will require written authorisation signed by the data subject confirming that the representative is authorised to act on their behalf.

4. Timescales

We will acknowledge receipt of a DSAR within five business days of receipt. We will provide a full response within one calendar month of receipt. Where the request is complex, involves a large volume of data, or where we have received multiple requests from the same individual, we may extend this period by a further two calendar months. Where an extension is applied, we will notify the individual within the initial one-month period, explaining the reason for the extension.

5. What We Will Provide

In response to a DSAR, we will provide:

  • Confirmation of whether or not we process personal data about you.
  • A copy of the personal data we hold about you in a commonly used electronic format.
  • Information about the purposes for which the data is processed.
  • The categories of personal data held.
  • The recipients or categories of recipients to whom the data has been or will be disclosed, including any third countries and the safeguards in place.
  • The retention period or the criteria used to determine the retention period.
  • Your rights to rectification, erasure, restriction, and to object to processing.
  • Your right to lodge a complaint with the ICO.
  • The source of the data where it was not collected directly from you.
  • Information about any automated decision-making, including profiling, and the logic involved.

6. Exemptions and Redactions

There are circumstances in which we may withhold personal data from a DSAR response. These include where disclosing the data would reveal personal data relating to another individual who has not consented to disclosure, where the data is subject to legal privilege, or where an exemption under the Data Protection Act 2018 or UK GDPR applies. Where we apply an exemption, we will explain the reason for the exemption in our response.

7. Fee

We will not charge a fee for the first copy of information provided in response to a DSAR. Where a request is manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee reflecting our administrative costs, or we may refuse to act on the request. We will inform you of this decision and the reason for it within one calendar month.

8. If You Are Dissatisfied

If you are dissatisfied with our response to your DSAR, you have the right to:

  • Contact us to request a review of the response: info@cyberuniverse.uk
  • Make a complaint to the Information Commissioner's Office: ico.org.uk | 0303 123 1113
  • Apply to the court for an order requiring us to comply with the request.