The GDPR and Data Subject Access Rights (DSARs)

Daniel
November 9, 2022

The General Data Protection Regulation (GDPR) is the EU's data protection law. It came into effect on May 25, 2018, replacing the 1995 Data Protection Directive (95/46/EC). It strengthens EU data protection rules by giving individuals more control over their personal data and by expanding the rights they can exercise against the organizations that process it.

One of the most significant changes under the GDPR is the strengthened right of individuals to access their personal data, exercised through a "data subject access request" (DSAR) under Article 15. The right itself existed under the old Directive, but the GDPR removed the standard fee and shortened the response time. A DSAR lets an individual find out whether an organization holds personal data about them, why the organization is processing it, who it is shared with, how long it is kept and where it came from, and lets them obtain a copy of the data.

Organizations must respond to a DSAR without undue delay and at the latest within one month of receiving it, free of charge. Where a request is complex, or the organization has received several requests from the same person, the deadline can be extended by up to two further months, but the organization must tell the individual about the extension, and the reason for it, within the first month.

What is a DSAR?

A data subject access request (DSAR) is a request by an individual to an organization (the "controller") to confirm whether it processes personal data about them, to explain why and how it does so, and to provide a copy of that data. The individual is also entitled to supporting information: the purposes of the processing, the categories of data involved, the recipients or categories of recipients, the retention period (or the criteria used to set it), the source of the data where it was not collected from the individual, and whether automated decision-making, including profiling, is used.

Under the GDPR, individuals have the right to make a DSAR at any time, and the organization must respond within one month, free of charge, subject only to the limited extension allowed for complex or numerous requests.

An organization can refuse to act on a DSAR only in limited circumstances. If it can demonstrate that the request is "manifestly unfounded or excessive" (for example, because it repeats a request that was answered only recently), it may refuse to comply or charge a reasonable fee; in either case it must tell the individual why, and that they can complain to the supervisory authority and seek a judicial remedy. The burden of demonstrating that a request is manifestly unfounded or excessive lies with the organization.

The right of access is not absolute, and there are other exceptions. The GDPR provides that the right to obtain a copy of personal data must not adversely affect the rights and freedoms of others, so an organization may withhold information that would reveal personal data about another individual. That is a reason to withhold the third-party data, not to refuse the whole request: where the third-party information can be redacted, the rest of the response must still be provided. Member state law (in the UK, Schedule 2 to the Data Protection Act 2018) adds further exemptions, for example for legal professional privilege and for certain crime and taxation purposes.

What personal data can be accessed?

An individual has the right to access any personal data that an organization holds about them, wherever it is stored. This includes information the organization collected from the individual, information it obtained from third parties, and information it generated or inferred itself (for example, notes, scores or categorizations). Personal data means any information relating to an identified or identifiable living person, so it covers not only database records but also emails, documents, chat messages, call recordings, CCTV footage and system logs in which the person can be identified.

How to make a DSAR?

There is no specific form that individuals must use to make a DSAR. A request is valid however it is made, including verbally or through social media, and it does not need to mention the GDPR or use the words "subject access request". It is nevertheless advisable to make the request in writing (e.g. by email) so that there is a record of the request and of the date it was received, which is when the one-month clock starts.

Organizations can provide a DSAR form on their website, but they are not required to do so, and they cannot insist that individuals use it.

Individuals should provide enough information to allow the organization to identify them (e.g. name, address, customer or account number). Where the organization has reasonable doubts about the identity of the person making the request, it may ask for additional information to confirm it, but it should ask for no more than is proportionate and should not use identity checks as a way to delay the response. Individuals do not have to say what personal data they want; a request for "all the personal data you hold about me" is valid. Narrowing the request (for example, to a date range or to a particular system) can, however, lead to a faster and more useful response.

What happens if an organization does not respond?

If an organization does not respond to a DSAR within the time limit, or the individual is dissatisfied with the response, the individual can complain to the supervisory authority. They can also seek a judicial remedy through the courts.

The supervisory authority is the national data protection authority in each EU member state. In the UK, which now applies the regulation in the form of the UK GDPR alongside the Data Protection Act 2018, the supervisory authority is the Information Commissioner's Office (ICO).

The supervisory authority can order the organization to comply with the DSAR and can impose administrative fines. Infringements of data subjects' rights fall into the upper tier of fines under the GDPR: up to €20 million or 4% of worldwide annual turnover, whichever is higher.

Can an organization charge a fee?

Organizations cannot normally charge for a DSAR. A reasonable fee, based on the administrative cost of providing the information, may be charged only if the request is "manifestly unfounded or excessive", or if the individual asks for further copies of data that has already been provided. If an organization charges a fee, it must explain its reasons for doing so to the individual.

What should an organization do if it receives a DSAR?

If an organization receives a DSAR, it should:

  1. Log the request and the date it was received, since the one-month deadline runs from that date, and route it to whoever owns the DSAR process (often the data protection officer)
  2. Check that the request is valid and, where there is reasonable doubt, confirm the identity of the requester, asking only for what is proportionate; a request made through a known account or from a verified email address may need no further checks
  3. Check whether any exceptions apply (e.g. whether complying with the request would reveal personal data about another individual, or whether a statutory exemption covers part of the data) and decide whether to redact rather than withhold
  4. Search every place the individual's personal data may be held, not just the main customer database: email, ticketing and CRM systems, file shares, backups still within their retention period, application logs and third-party processors acting on the organization's behalf
  5. Provide the information, together with the supporting information about purposes, recipients, retention and sources, within one month (or notify the individual of an extension within that month); if the request was made electronically, provide the data in a commonly used electronic format unless the individual asks otherwise, and send it through a secure channel so that the response itself does not become a data breach
  6. Keep a record of the DSAR, the searches performed, any redactions or exemptions relied on, and the response

Conclusion

The GDPR requires organizations to have processes in place to deal with DSARs. These processes should make it easy for individuals to make a DSAR, and should ensure that requests are recognised wherever they arrive (including at the service desk or on social media), logged on receipt, and dealt with promptly and completely.

The most useful preparation is knowing where personal data lives. The record of processing activities that most organizations must keep under Article 30, together with an up-to-date data inventory covering systems, backups and processors, is what allows the organization to find all of an individual's data within the deadline. Data protection impact assessments (DPIAs) serve a different purpose: they are required for processing likely to result in a high risk to individuals, and they identify and mitigate the risks of that processing. They are not a substitute for a DSAR process, although a DPIA for a new system is a good place to record how access requests against that system will be fulfilled.
