Subject Access Requests

Context:

At the core of the GDPR is the intention to give control of personal data to the individual to who it relates. In order to do this the GDPR describes certain ‘rights’ that the data subject has in controlling their data. One of the main ways in which these rights can be enacted is via the submission of a subject access request – also widely referred to currently as a SAR. Via this process an individual can request to see any information that you hold on them and the purposes for which it is used. (See Right of Access)

Considerations:

Your SAR process, like other areas of the GDPR needs to demonstrate transparency and accountability. It must be clear to the individual what the process is and the response and information provided also needs to be clear and in plain language.

There are some circumstances where you do not have to provide the personal information that is requested, usually for legal reasons and in these situations it would be best to seek legal advice.

An individual can make requests for information at reasonable intervals and responses should be provided electronically where the request has been made online. If requests are made too frequently or are unfounded then your organisation can charge a reasonable fee to cover the administrative costs of the requests. If however the information is provided via an online service or if it is automated the regulators have indicated that it is very unlikely you will charge for multiple requests.

How to:

Implement the following systems and processes to support the rights of data subjects:

  • Provide information that describes your Subject Access Request process in clear plain language. This should ideally be online but also in hard copy if you communicate with stakeholders in this way.
  • Make available a simple request form (ideally online) that enables individuals to make a SAR
  • Ensure that responses to requests are timely, completed within one month and that the individual is kept informed of progress.
  • If for any reason (usually legal or unfounded/too frequent) the request is reject you should contact the individual and let them know the reasons for this rejection along with the process if they wish to lodge a complaint

Common Scenarios:

A customer asks to see what information you hold on them

  • Upon receipt of the SAR you should acknowledge that it has been received and inform the individual of the process/next steps. You should inform them of when they can expect a response to be provided. Ideally you should be able to provide all information relating to an individually easily as you will have an existing process to cover the requirement for data portability.

A customers asks how you made a decision about them

  • Within one month of the request, provide details of the criteria used in making a decision. In the case of automated decision making any logic and profiling that is used should also be described.

References:

  • GDPR Recitals: 31, 58, 59, 63, 66
  • GDPR Articles 12

How Gydeline helps

We, at Gydeline, help small and medium sized organisations save money and time by building systems, processes and policies that simplify their business and support their sustainability aims.  We do this with a range of services.

If you would like to discuss any aspects of dealing with this and other risks in your business we are always happy to offer some, free, no obligation assistance – just contact us.

Related Posts