5. Data Subject Access Requests (DSARs)

The following apply to DSARs:

  1. Timescale: DSARs must be dealt with without undue delay and in any event within one month. An extension of a further two months may apply where necessary, e.g. where the requests are particularly numerous or complex, but this extension must be communicated to the data subject within the first month, together with the reasons for the extension of time.
  2. No fees: In most cases, you will be unable to charge a fee for DSARs. Controllers may be able to charge a reasonable fee relating to the administrative costs of complying with the request where it is manifestly unfounded or excessive in nature, having regard to the number of requests (Article 12(5) GDPR).
  3. Refusals: Refusals must be carried out on the basis of clear policies and procedures. Grounds for refusal are where the data controller is not satisfied as to the identity of the data subject, or where the request is manifestly unfounded or excessive in nature (Article 12(2) and (5) GDPR).
  4. Communication: Reasons for refusals must be communicated clearly to the data subject, along with information on the possibility of lodging a complaint with the Data Protection Commission and seeking a judicial remedy (Article 12(4)).

The GDPR does not stipulate that DSARs must be made in writing. However, the Data Protection Commission does encourage data subjects to submit written access requests where possible. Firms should consider having their own template DSAR form for data subjects to complete.

Responses to DSARs must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information shall be provided in writing (or by electronic means). When requested by the data subject, the information may be provided orally, provided the identity of the data subject has been proven by other means.

The controller may request the provision of additional information necessary to confirm the identity of the data subject.

If a controller refuses to act upon a request on the grounds that it is unreasonable or excessive, it has the burden of proving that the request is manifestly unfounded or excessive in nature (Article 12(5) GDPR).

Note that the above applies to responses to most cases where data subjects exercise their data protection rights and is not solely limited to DSARs.

For DSARs, the data subject has the right to the following information from the controller:

  • whether or not personal data regarding the data subject is (or was) being processed

  • the purpose of the processing

  • the categories of personal data concerned

  • the recipients or categories of recipient to whom the personal data has been or will be disclosed, including recipients in third countries and international organisations

  • the retention period or the criteria used to identify the retention period

  • the existence of the right to rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing

  • the right to lodge a complaint with the supervisory authority

  • where the personal data is not collected from the data subject, any available information as to its source

  • the existence of automated decision-making, including profiling, and meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject

  • the safeguards in place relating to transfers to third countries or international organisations, if applicable, and

  • a copy of the personal data undergoing processing.

The controller may charge a reasonable fee based on administrative costs for further copies requested by the data subject, but not for the first copy. Where the request is made by electronic means, and unless otherwise requested by the data subject, the information must be provided in a commonly used electronic format.

The right to obtain a copy of the data must not adversely affect the rights and freedoms of others. This means, for example, that the personal data of third parties must not be provided to the data subject in response to a DSAR. It is important to note that the data subject is only entitled to personal data relating to them.

Refusals to act upon a DSAR must be communicated to a data subject together with the reasons for not taking action and the possibility of lodging a complaint with the Data Protection Commission and seeking judicial remedy (Article 12(4) GDPR).

Restrictions on data subject rights, including SARs

The Data Protection Act 2018 contains restrictions on the obligations of controllers and rights of data subjects relating to data subject rights, including DSARs.

Section 162 of the Data Protection Act 2018 states that the rights of data subjects and the obligations of controllers relating to data subject rights, including DSARs, ‘do not apply’:

  1. to personal data processed for the purpose of seeking, receiving or giving legal advice;
  2. to personal data in respect of which a claim of privilege could be made for the purpose of or in the course of legal proceedings, including personal data consisting of communications between a client and his or her legal advisers or between those advisers; or
  3. where the exercise of such rights or performance of such obligations would constitute a contempt of court.

Further restrictions on these rights also arise under s.60 and apply to such matters as parliamentary privilege, defence etc. and, most pertinently for law firms, the establishment, exercise or defence of a legal claim or prospective legal claim, or of legal proceedings or prospective legal proceedings (although others may also be relevant to law firms depending on their area of practice), but only where the restrictions are necessary and proportionate. Those restrictions are described in Guidance 4.

Helpful Documents

  1. Guidance note on dealing with DSARs
  2. Checklist for dealing with a DSAR

Resources

Data Protection Commission:


European Data Protection Board:

Access requests checklist

  • Are your staff aware of the rules related to data subject access requests?
  • Have you appropriate procedures in place to handle DSARs?
