Responding to a Data Request

Get compliant today in the European Union, United States, Canada, United Kingdom, Australia, Brazil & South Africa with the only Privacy Suite for WordPress that offers a fully-featured plugin for Worldwide Compliance.

Table of Contents

What is the right of access?

The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data, as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.

How do we recognize a subject access request (SAR)?

An individual can make a SAR verbally or in writing, including on social media. A request is valid if it is clear that the individual is asking for their own personal data. Although Complianz offers the possibility to use a data request form, an individual does not need to use a specific form of words, refer to legislation or direct the request to a specific contact.

An individual may ask a third party (eg a relative, friend or solicitor) to make a SAR on their behalf. You may also receive a SAR made on behalf of an individual through a data request form. Before responding, you need to be satisfied that the third party making the request is entitled to act on behalf of the individual. It is the third party’s responsibility to provide evidence of their authority.

What about requests for information about children?

Before responding to a SAR for information held about a child, you should consider whether the child is mature enough to understand their rights. If the request is from a child and you are confident they can understand their rights, you should usually respond directly to the child. You may, however, allow the parent or guardian to exercise the child’s rights on their behalf if the child authorizes this, or if it is evident that this is in the best interests of the child. If a child is competent, they may authorize someone else, other than a parent or guardian, to make a SAR on their behalf.

What should we consider when responding to a request?

You must comply with a SAR without undue delay and in most jurisdictions at the latest within one month of receiving the request. You can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual, eg other types of requests relating to individuals’ rights.

If you process a large amount of information about an individual, you may be able to ask them to specify the information or processing activities their request relates to, if it is not clear. The time limit for responding to the request is paused until you receive clarification, although you should supply any of the supplementary information you can do within one month.

Can we ask for ID?

Yes, if necessary. You need to be satisfied that you know the identity of the requester (or the person the request is made on behalf of). If you are unsure, you can ask for information to verify an individual’s identity. The timescale for responding to a SAR does not begin until you have received the requested information. However, you should request ID documents promptly.

Can we charge a fee?

Not usually. In most cases, you cannot charge a fee to comply with a SAR. However, you can charge a ’reasonable fee’ for the administrative costs of complying with a request if it is manifestly unfounded or excessive, or if an individual requests further copies of their data.

How do we find and retrieve the relevant information?

You should make reasonable efforts to find and retrieve the requested information. However, you are not required to conduct searches that would be unreasonable or disproportionate to the importance of providing access to the information.

How should we supply information to the requester?

An individual is entitled to a copy of their personal data and to other supplementary information (which largely corresponds with the information that you should provide in your privacy statement). If an individual makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.

When deciding what format to use, you should consider both the circumstances of the particular request and whether the individual has the ability to access the data you provide in that format. It is good practice to establish the individual’s preferred format prior to fulfilling their request. Alternatives can also include allowing the individual to access their data remotely and download a copy in an appropriate format.

If an individual asks, you can provide a verbal response to their SAR, provided that you have confirmed their identity by other means. You should keep a record of the date they made the request, the date you responded, details of who provided the information and what information you provided.

As the controller of the information, you are responsible for taking all reasonable steps to ensure its security.

When can we refuse to comply with a request?

Where an exemption applies, you may refuse to provide all or some of the requested information, depending on the circumstances. You can also refuse to comply with a SAR if it is manifestly unfounded or manifestly excessive.

If you refuse to comply with a request, you must inform the individual of:

  • the reasons why;
  • their right to make a complaint to a supervisory Data Protection authority; and
  • their ability to seek to enforce this right through the courts.

What should we do if the request involves information about other individuals?

Where possible, you should consider whether it is possible to comply with the request without disclosing information that identifies another individual. If this is not possible, you do not have to comply with the request except where the other individual consents to the disclosure or it is reasonable to comply with the request without that individual’s consent.

You need to respond to the requester whether or not you decide to disclose information about a third party. You must be able to justify your decision to disclose or withhold information about a third party, so you should keep a record of what you decide and why.

What other exemptions are there?

Exemptions only apply on a very few case-by-case bases. The GDPR mentions in article 14.5 the following possibilities:

  1. the data subject already has the information;
  2. the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
  3. obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
  4. where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

You should consult a lawyer before you use these exemptions.

This page contains public sector information licensed under the Open Government Licence v3.0 from the UK Information Commissioner’s Office website.

Recent articles

The Privacy Suite for WordPress
Get compliant today with the only Privacy Suite made for WordPress

Categories

Popular articles

Join our mailing list - 8 Tips & Tricks in your inbox over the next 8 weeks!