The Irish Data Protection Commissioner (DPC) has released new guidance on Subject Access Requests (SARs) for individuals and controllers. Unsurprisingly, the majority of queries and complaints the DPC receives concern individuals exercising their “right of access” under Article 15 of Regulation (EU) 2016/679 (the General Data Protection Regulation, GDPR). It is critical that controllers are ready to respond to SARs – without adequate preparation, an access request can cause major disruption and expense. This article highlights some of the Frequently Asked Questions the DPC has received in the past year.
What information is an individual entitled to when they make an access request?
Individuals are entitled to confirmation that the controller is processing any of their personal data. They are also entitled to a copy of their personal data, and to other information regarding that processing already provided in the controller’s privacy policy such as:
- Purposes of the processing
- Retention periods
- The right to lodge a complaint with the DPC
- Transfers of personal data to a third country
Where a controller processes a large quantity of information concerning the data subject, the DPC confirms that a controller may request that the data subject clarify the SAR – for example by specifying the information sought or the period of time during which the personal data was collected. However, the data subject is not required to limit their SAR.
Does an access request have to be made in writing to the DPO?
The GDPR does not set out any particular method for making a valid access request. A request may be made by an individual in writing, or verbally, to any member of the controller’s staff. Controllers should ensure that systems are in place so that valid SARs are recorded and actioned appropriately in a timely manner.
How long does a controller have to respond to an access request?
Controllers must respond to the request without undue delay and at the latest within one month of receiving the request. Controllers can extend the time to respond by a further two months if the request is complex or they have received a number of requests from the same individual, but they must still let the individual know within one month of receiving their access request and explain to them why the extension is necessary.
Other points to note
- In most cases, individuals cannot be required to pay a fee to make a subject access request.
- Under Article 12(5) GDPR, in limited circumstances, where an access request is ‘manifestly unfounded or excessive’, a controller may refuse to act on the request.
- There is also a general limitation on the exercise of the right of access under Article 15(4) GDPR, which states that the right to obtain a copy of the personal data undergoing processing should not negatively impact the rights and freedoms of others, such as privacy, trade secrets, or intellectual property rights.
Lawfully handling the rights of data subjects, including the right to access personal data, is an important piece of the GDPR’s accountability principle. In some circumstances, receiving a SAR may expose weaknesses in an organisation’s policies and procedures for handling personal data. Therefore, organisations should implement appropriate technical and organisational measures that strengthen their overall privacy culture.
If you need any assistance with preparing for, or responding to, a Subject Access Request, please visit our Data Governance and Cyber-Risk Service and do not hesitate to contact one of our advisors.