In this first article of our "How To" series, we will look at what an organisation needs to consider when it receives a Data Subject Access Request ('DSAR') pursuant to the General Data Protection Regulation ('GDPR').

The Legislative Framework

The GDPR was transposed into Irish law by the Data Protection Act 2018 ('2018 Act').

Article 15 of the GDPR gives individuals the right to request a copy of any of their personal data which is being "processed" by "controllers". Personal data refers to any information about a living person where they either are, or could be, identified.

Article 15(1)(c) GDPR provides the data subject with a right to access information about "the recipients...to whom the personal data have been or will be disclosed". The Court of Justice of the EU ('CJEU') in RW v Österreichische Post AG (Case C-154/21) considered that information in this regard must be as precise as possible about the specific recipients to whom the data has been or will be disclosed.

Any entity receiving a DSAR should bear in mind that there are no special conditions that need to be satisfied in order for an individual to be entitled to make an access request.

What Information is an Individual Entitled to When They Make a DSAR?

Firstly, individuals are entitled to confirmation of whether the controller is processing any of their personal data. Secondly, they are also entitled to a copy of that personal data.

Further, where personal data relating to the data subject is being processed, there is an entitlement to additional information, including:

  • Why the personal data is being used
  • The types of personal data held
  • The identity of those with whom the personal data will be shared
  • How long the personal data will be stored or, where that cannot be stated, further information about how the retention period is determined
  • Where the personal data has not been collected by the data controller directly from the data subject, the controller must outline any available information on the source of that personal data, e.g., if disclosed by a third party
  • Where the personal data will be subject to automated decision-making, the data controller is required to set out the logic used in the decision-making process

In many cases, data controllers will already be providing this information, for example, through their privacy notice.

What Constitutes a Valid DSAR?

The GDPR does not set out any particular method for making a valid DSAR, and so a request may be made in writing or verbally.

Where an access request is made, a controller may invite the individual to submit it through their designated form, but it should be made clear that this is not compulsory for a DSAR to be valid. Similarly, while it may be encouraged that a DSAR be made to a designated contact point within an organisation, a valid DSAR may be made to any member of staff of a data controller.

Time Limits

Data controllers must respond without undue delay and at the latest within one month. The deadline for responding to the DSAR begins to run from the time the valid request is made by any means.

Data controllers can extend the time to respond by a further two months if the DSAR is complex, or if several requests have been received from the same individual. An explanation as to why the extension is necessary is required.

Provision of Information

The general rule is that a data controller should respond to a DSAR in the same way the request was made, or in any manner specifically requested by the data subject. Where a request is made electronically, data controllers should provide the required information in a commonly used electronic format, unless the individual requests otherwise.

In most cases, individuals cannot be required to pay a fee for making a DSAR. Only in certain very limited circumstances, as per Article 12(5) GDPR, where the initial request is 'manifestly unfounded or excessive' can a data controller charge a 'reasonable fee' for the administrative costs of complying with the request.

Exemptions

Some restrictions exist on the provision of personal data pursuant to a DSAR. For example, pursuant to the 2018 Act, a data controller can restrict documents which would attract either legal advice privilege or litigation privilege. Therefore, data controllers may not have to provide data that is processed:

  • In contemplation of litigation
  • In relation to a legal claim, a prospective legal claim or confidential communication which takes place between a lawyer and their client in which legal advice is sought.

Health data is a special category of personal data that is generally prohibited from being processed. However, Article 9 of the GDPR and Section 47 of the 2018 Act allow for the processing of special categories of personal data (including health data and other categories such as racial or ethnic origin, political opinions and religious beliefs) for the purposes of providing or obtaining legal advice or in connection with legal proceedings.

If it is intended to exclude certain information on the basis of legislative exemptions, it is still necessary to provide details, including:

  • A reference number for the restricted document
  • A description of the personal data (subject matter)
  • The date on which the data was created
  • The reason for the refusal/restriction
  • The section of the 2018 Act under which the right of access is restricted.

There is a further requirement to inform the data subject of their right to lodge a complaint with the Data Protection Commissioner ('DPC').

Key Takeaways

  • Verify the identity of the data subject
  • Keep in mind time limits and whether time can be extended
  • Consider the complexity of the DSAR as soon as it is received and whether it needs to be clarified
  • Know your data and work on collating the data as quickly as possible
  • Review and approve data, and ascertain whether exemptions apply
  • Provide accessible data to the data subject in a secure manner

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.