Data Subject Access Request

Has a member of your staff made a data subject access request or are they exercising any other right under data protection laws? EM Law are experts in dealing with individuals exercising their rights under data protection laws. Our lead data protection lawyer is Neil Williamson, who has extensive experience in advising clients on a wide range of data protection matters.

On 25 May 2018 the General Data Protection Regulation (GDPR) came into force. The GDPR ushered in a number of changes to data protection, including new and updated rights for individuals.

What rights do individuals have?

Individuals have a number of rights under the GDPR. These rights are:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

The right of access

The right of access gives individuals the right to obtain a copy of their personal data as well as other supplementary information. The right of access can help individuals understand how and why you are using their data and is often submitted in the form of a data subject access request.

What is a data subject access request?

Put simply, a data subject access request is a request that allows individuals to find out what personal data an organisation holds about them, why they hold it and who the information is disclosed to. For information to be personal data, it must relate to an identified or identifiable natural person. Such information, either on its own or in combination with other data, may include personal contact details about that individual, information about their appearance, or information about sick leave.

How do I make a data subject access request?

For a data subject access request to be valid, it must come from an individual or from someone acting on their behalf. Often, this will be a solicitor acting on behalf of a client but can also be a family member or a friend.

Individuals can make data subject access requests verbally or in writing. The ICO even suggests that individuals can make data subject access requests through social media sites such as the organisation’s Facebook or Twitter. A data subject access request does not have to include the phrase ‘subject access request’ or refer to Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.

As an organisation, how do I respond to a data subject access request?

To avoid inadvertently disclosing personal information to the wrong person, an organisation should first seek to establish that the individual making the data subject access request is who they say they are. If there are doubts, organisations can request proof of ID or request proof of a relationship with the individual.

In addition to a copy of an individual’s personal data, organisations must provide other information. This information includes the retention period for storing the data, the individual’s right to request erasure of their data, and the safeguards in place when their data is transferred to an international organisation.

Organisations should be mindful where an individual’s personal data includes information about other individuals. The Data Protection Act 2018 states that an organisation does not have to comply with a data subject access request if it means disclosing information about other individuals unless the other individual has consented to the disclosure or it is reasonable to comply with the request without that individual’s consent. In determining whether it is reasonable to comply, there are a number of factors that should be taken into consideration. These include the type of information being disclosed, any duty of confidentiality owed, and any express refusal of consent. If the other individual does not give their consent and it is not reasonable in the circumstances to disclose the data without their consent, an organisation should consider removing or redacting the data about that other individual.

What will happen if I don’t respond to a data subject access request?

The ICO has a range of enforcement tools available to it under the GDPR, including issuing warnings and notices, ordering compliance and imposing fines. These fines can be very large: up to 20 million euros or, if higher, 4% of an organisation’s worldwide annual turnover.

If you are looking for assistance with a data subject access request, or more generally with individuals exercising their rights under data protection laws, contact Neil Williamson.
