You have a statutory right under UK GDPR Article 15 to ask for a copy of the personal data we hold about you, plus an explanation of how we are using it. This procedure tells you how to make the request and what to expect.
1. Who can make a request
A subject access request (SAR) is a personal-data right and can only be made by the data subject — the person the data is about. For Credicorp this is most often the company's director.
The director can ask for: their identity-verification documents, contact records, communications log, marketing preferences, the company's loan and payment history (as it relates to them personally), audit-log entries showing actions they took, and any record of vulnerability flags or accessibility settings.
2. How to make a request
You have three routes. All three are equivalent — pick whichever is easiest:
- Self-service portal (fastest). Sign in to your portal at my.credicorp.co.uk → "Your data" tab → "Download my data". The portal returns a JSON file immediately.
- Email. Email privacy@credicorp.co.uk with "Subject Access Request" in the subject line. Include the company name, company number and your name as the director on file.
- Post. Write to the Data Protection Officer at Suite 53C Unimix House, Abbey Road, London NW10 7TR, marking the envelope "Subject Access Request".
3. What we need to verify your identity
We have to be sure we are sending the data to the right person. If you make the request through the signed-in portal, your identity is verified by your active session. If you make it by email or post and we have not corresponded with you recently, we will ask for ONE additional piece of identifying information that we already hold (e.g. last 4 digits of the registered bank account, year of birth) before we release the file.
4. What you will get
- A copy of every personal-data record we hold about you in a structured format (JSON for self-service, PDF for postal requests).
- An explanation of the purposes for which we are using the data (the lawful bases under UK GDPR Article 6).
- The recipients we share the data with (e.g. business credit reference agencies, the servicing agent CM Beyer Limited, our identity verification provider).
- How long we keep each category of data (the retention periods in our Privacy Notice).
- Your other UK-GDPR rights and how to exercise them.
We do not include third-party data (e.g. someone else's identifying information that happens to appear in a shared record). Where redaction is required we tell you so.
5. How long it takes
- Self-service portal: immediate.
- Email or post: up to 1 calendar month from the date we receive a verified request. If your request is complex or you have asked for several different things at once, we may extend this by up to 2 months, but we will tell you within the first month if that applies.
6. Cost
SARs are free. The only exception is a manifestly unfounded or excessive request, where we may charge a reasonable administrative fee or refuse. This is rare and we will explain in writing if it applies to your request.
7. If you are not satisfied
If we have refused your request, or if you are not satisfied with what we have provided, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113. We would always prefer to resolve concerns directly first — please write to dpo@credicorp.co.uk.
This procedure was last reviewed in May 2026.
ICO Registration No. ZC157682