Under Chapter III of the General Data Protection Regulation (EU) 2016/679 (GDPR), data subjects are entitled to exercise a wide range of rights, including the right to access their personal data.
However, in some cases a data subject request comes from a third party rather than from the data subject directly. This is often the case where:
- a solicitor or a family member acts on behalf of the data subject at his or her request and with his or her consent;
- an elected representative acts at the request of one of his or her constituents; or
- the data subject lacks the mental or legal capacity to manage his or her own affairs and someone acts for him or her.
The Regulation does not specifically address these cases. Nevertheless, the absence of an explicit statutory provision in the GDPR should not be read as preventing a data subject's rights from being exercised through a third party.
In this article, we consider both the Irish Data Protection Act 2018 (IE DPA 2018) and the UK Data Protection Act 2018 (UK DPA 2018).
Section 40 of the IE DPA 2018 specifically provides that elected representatives may submit data subject requests on behalf of their constituents. In this context, the Irish Data Protection Commission has published guidance that offers clarifications, guiding principles and compliance suggestions for data controllers acting under this provision.
Like its Irish counterpart, the UK DPA 2018 includes a similar provision in Schedule 1, Part 2, paragraphs 23 and 24. It replaces the Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002, which was made under the Data Protection Act 1998 and has now been revoked.
This article addresses the key new elements of these GDPR implementing acts together and summarises the steps that data controllers should take when handling data subject requests made by elected representatives. Although the analysis below refers to the case of elected representatives, it also offers useful insight into the legal obligations of data controllers, and into best practice, when handling data subject requests made by or on behalf of third parties more generally.
Before replying to such a data subject request, data controllers should make sure that:
- The elected representative holds a valid, up-to-date and genuine request or representation from the data subject, or a request or representation from another person acting on behalf of the data subject;
- That request or representation rests either on the data subject's consent or on the data subject's lack of capacity;
- Replying to the request involves disclosing, and therefore processing, personal data, and that processing complies with the data protection principles enshrined in the GDPR. For example, the processing should be necessary for and proportionate to the elected representative's performance of his or her constituency functions, and the personal data disclosed should be accurate, kept to a minimum and strictly necessary in light of the representative's mandate and the nature and type of the request;
- The data disclosed falls within the remit of the request and the representation. Personal data irrelevant to the request, or outside the scope and mandate of the representation, should not be disclosed;
- Appropriate mechanisms and safeguards are in place to ensure that such requests are handled in a timely and responsible manner and to mitigate any risk to the rights of data subjects. For instance, consider whether you should contact the data subject directly given the sensitivity of the information to be disclosed;
- In addition to the standard obligations that apply when handling data subject rights, such as the one-month response deadline, any further obligations are met. For example, the UK DPA 2018 requires the data controller to have an appropriate policy document in place explaining how it complies with the data protection principles in this context;
- Accountability, a core principle of the GDPR, is respected. Data controllers should retain all communications and documentation relating to these requests and update their records of processing. Specific retention periods should be set for the relevant evidence and documents, such as powers of attorney, email correspondence and statements made by the data subject;
- Any disclosure of special category personal data, or of personal data relating to criminal offences or convictions, meets the requirements of the applicable national legislation;
- Where the data to be disclosed includes the personal data of third parties, the right to obtain a copy does not adversely affect the rights and freedoms of those third parties;
- The elected representative and the data subject are contacted for further clarification where necessary; and
- The appointed DPO is consulted in the case of complex queries.
The takeaway message is that data controllers should update their policies and procedures for handling data subject rights so that they address, and allow the controller to monitor, data subject requests made by or on behalf of third parties.
For more information, please refer to our service pages or contact our Data Governance team.