The Subject Access Request process: how it should work
As a data subject you have the right to ask for information from an organisation about whether or not it holds any personal data which concerns you.
If the organisation does hold personal data concerning you then you have the right to access that data, to be provided with a copy of it, and to receive other relevant information about what they are doing with your data, why, and with whom they are sharing it.
The way you go about accessing this information is to make what is called a Subject Access Request to the data controller which is processing your personal data.
Remember, the right to access your personal data is mentioned explicitly in the EU Charter of Fundamental Rights.
This right is in Article 15 of the GDPR. The full text of this article is at the bottom of this page, along with the text of recitals 63 and 64 which also relate to Subject Access Requests.
How to make your request
You can make a data subject access request in writing (via email, letter or social media) or verbally.
You do not have to use a form provided by the data controller, though this may assist them in locating the personal data you are requesting access to.
You do not have to give the data controller any reason why you are requesting access to your personal data. They cannot use your motivation for requesting access to your data as a reason to reject your request. It’s your data, and using your right of access is frequently the only way you can confirm it is being processed lawfully.
If you make your subject access request by electronic means e.g. by email, then the personal data requested should be supplied to you by email in a commonly used electronic format, unless you request otherwise.
You should specify that you are making a Subject Access Request under Article 15 of the GDPR and then go on to describe the personal data which you wish to receive a copy of. The Data Protection Commission (DPC) has a simple template on their Right of Access page.
Depending on the sensitivity of the personal data you are requesting, the data controller may ask you to provide evidence of your identity. They should not have to do this if they are already sure of your identity.
What they have to do
When you send a data controller a Subject Access Request they must:
Respond to you within one month
They must respond to you and do one of the following:
- give you a copy of the data you have requested, or
- tell you that they are extending the period by another two months and give you the reasons for this delay, or
- refuse your access request and give you the reasons why they are refusing your request, or
- if they are not processing your personal data, tell you this
Data controllers are not permitted to ignore subject access requests. They can extend or refuse, but they must tell you they are doing this within one month of receiving your request.
If a data controller does not respond to your subject access request within one month you can complain to the DPC.
Give you all the personal data you have requested
Controllers are allowed to ask you if you would like to narrow the scope of your request. They are not allowed to decide this for themselves. If you ask for all the personal data they hold on you then they must give you a copy of all of it.
If you feel a data controller has not given you a copy of all the personal data you have asked for you can complain to the DPC.
Give you the personal data you have requested in an intelligible form
If the response to your access request doesn’t make sense to you then it isn’t compliant.
Source: Handbook on European data protection law, 2018 edition, EU Agency for Fundamental Rights, page 218
Give you additional information about the processing of your personal data
If they are processing your personal data then the data controller must give you the following information:
- The purposes of the processing.
- The categories of your personal data being processed.
- Who your personal data has been disclosed to, or will be disclosed to, especially if these recipients are located in third countries (countries outside the EEA).
- If your personal data has been or will be disclosed to recipients in third countries, what safeguards are in place to ensure your personal data is protected.
- How long your personal data will be stored for or, if this is not possible, the criteria used to determine how long it will be retained for.
- The existence of your right to rectification, your right to restrict processing, your right to erasure and your right to object.
- That you have a right to complain to the DPC.
- If the controller is processing personal data which was not obtained directly from you, any available information about how they acquired it.
- Whether automated decision-making, including profiling, is being used. If so, they must give you meaningful information about how decisions are made and the logic involved, as well as the envisaged consequences for you.
If you wish you can request this information without asking for a copy of the personal data the controller holds.
Common issues
We’ll be adding to this over time as our Keeping Track collection of responses to subject access requests grows.
Third party or mixed data
Sometimes data controllers may refuse to give you access to your personal data because to do so would also reveal the personal data of somebody else.
The GDPR allows for this by stating that your obtaining a copy of your information should not “adversely affect the rights or freedoms of others”.
This means that if your data is mixed with the personal data of other people then the data controller has to carry out a balancing of rights exercise. You have a right to access your personal data; the other person whose data is intermingled with yours has their own data protection rights and possibly other rights, such as intellectual property rights.
Since the GDPR says that the result of this balancing exercise “should not be a refusal to provide all information to the data subject”, the controller should be able to provide you with most of your personal data while redacting that of other individuals.
Article 15 GDPR: Right of access by the data subject
1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
a. the purposes of the processing;
b. the categories of personal data concerned;
c. the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
d. where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
e. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
f. the right to lodge a complaint with a supervisory authority;
g. where the personal data are not collected from the data subject, any available information as to their source;
h. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
Recital 63
A data subject should have the right of access to personal data which have been collected concerning him or her, and to exercise that right easily and at reasonable intervals, in order to be aware of, and verify, the lawfulness of the processing. This includes the right for data subjects to have access to data concerning their health, for example the data in their medical records containing information such as diagnoses, examination results, assessments by treating physicians and any treatment or interventions provided. Every data subject should therefore have the right to know and obtain communication in particular with regard to the purposes for which the personal data are processed, where possible the period for which the personal data are processed, the recipients of the personal data, the logic involved in any automatic personal data processing and, at least when based on profiling, the consequences of such processing. Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data. That right should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software. However, the result of those considerations should not be a refusal to provide all information to the data subject. Where the controller processes a large quantity of information concerning the data subject, the controller should be able to request that, before the information is delivered, the data subject specify the information or processing activities to which the request relates.
Recital 64
The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers. A controller should not retain personal data for the sole purpose of being able to react to potential requests.
Where next?
Read more elsewhere
‘How can I access my personal data held by a company / organisation?’, European Commission. This short piece from the European Commission stresses that using the right of access should be easy.
‘The Right of Access’, Data Protection Commission of Ireland
‘How long will it take?’, Data Protection Commission of Ireland