Your rights under the General Data Protection Regulation
Writing a GDPR letter
If you are looking for information on how to write a letter requesting your data from a data controller, by a data subject access request under General Data Protection Regulation legislation (GDPR), read on. We have information on what you should ask for and how you should ask. We offer a very useful precedent letter which ensures that you cover all the bases when making your request.
What are my rights as an individual under General Data Protection Regulation (GDPR) ?
The General Data Protection Regulation (GDPR) gives an individual the right to seek a copy of every piece of their personal data which is being processed by Data Controllers, and other relevant information. The term processed refers to data being used in any way. A data processor is a person who decides how and why data is processed. Seeking this information is frequently referred to as “data subject access requests” or simply “access requests”
What is my right of access and how do I exercise it?
Your right of access is covered in Article 15 GDPR. You have the right to receive the following from the data controller:
1) |
Confirmation of whether or not personal data concerning you is being processed. |
|
2) |
Where personal data concerning you is being processed, a copy of your personal data. |
|
3) |
Where personal data concerning you is being processed, other additional information as follows: |
|
a) |
Purpose(s) of the processing. |
|
b) |
Categories of personal data. |
|
c) |
Any recipient(s) of the personal data to whom the personal data has or will be disclosed, in particular recipients in third countries or international organisations and information about appropriate safeguards. |
|
d) |
The retention period or, if that is not possible, the criteria used to determine the retention period |
|
e) |
The existence of the following rights:
as well as information on how to request these from the controller. |
|
f) |
The right to raise a concern with a supervisory authority (in Ireland this is the Data Protection Commission). |
|
g) |
Where personal data is not collected from the data subject, any available information as to its source. |
|
h) |
The existence of automated decision-making, including profiling and meaningful information about how decisions are made, the significance and the consequences of processing. |
How do I make an access request ?
There is no defined method for making an access request. In terms of being able to prove that you made a request and the details of your data subject access request, it is best to make the request in writing. You can make a request verbally, but that could end up as an argument about who said what and when. We have provided a useful precedent letter of access request. Just click on the button below for more details of our subject access request template.
How much does it cost to make a subject data access request ?
Under GDPR rules an individual can only be charged a fee in exceptional circumstances. For most straight forward requests no fee is chargeable. According to the GDPR a fee can only be charged where the request is ‘manifestly unfounded or excessive’. The data controller must prove that the request is unfounded or excessive. Even if this is proven, the controller can only charge a ‘reasonable fee’ for the administrative costs of complying with the request. Where it is proven to be unfounded the controller can refuse to act.
How long does a controller have to respond to an access request?
The controller must respond to a valid access request without undue delay and within one month of receiving the request, at the latest. If the request is complex, or you have made a number of requests, the data controller can extend the response time by another two months, but they must reply to you within the first month and explain the reason for the delay.
In what format should I receive the requested information?
In general, the information should be provided in the same format in which the request was made. For example, if you made the request by Email, that should be the format for reply, unless yu specifically request another format.
What are the limits to my right of access request ?
As mentioned already, if the request is unfounded or excessive, limits apply. The GDPR (in Article 15(4)) states that the right to obtain a copy of your personal data should not ‘adversely affect the rights or freedoms of others’.
How do I complain?
If you believe that the data controller has exceeded the time limits for responding to your request , or you are concerned that they may not have complied with your valid request, you should contact the Data Protection Commission.
This is just a summary of your rights under GDPR. If you require specific advice, please contact us using the orange Yes! Tell Me More button below and we will be happy to help,
Spread the knowledge. If you found this article useful, please like and share using any of the social buttons below.