Among the many rights the GDPR (General Data Protection Regulation) gives data subjects is the right to access their personal data, along with certain information relating to how it is processed.
If your organisation processes personal data, do you understand when the right of access applies? Do you have processes in place to ensure you can facilitate this right? And do you know exactly what information you are obliged to provide – and when you can refuse a SAR (subject access request)?
What the GDPR says
Article 15 of the Regulation explains what you, as a data controller, need to do.
On request, you must confirm to data subjects whether their personal data is being processed, and, where it is, provide them with a copy of that personal data (providing it doesn’t adversely affect the rights and freedoms of others), as well as the following information:
- The purpose(s) of the processing.
- The categories of personal data involved.
- The recipients (or categories of recipients) you disclose the personal data to.
- The period for which you intend to store the personal data (or, if this is not possible, the criteria you use to determine that period).
- The existence of their rights to request rectification or erasure of their personal data, or restriction of its processing, and to object to such processing.
- Their right to lodge a complaint with a supervisory authority.
- Any available information about the source of the data, if you didn’t collect it directly from the data subject.
- The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of processing.
Where data is transferred to a third country or international organisation, data subjects also have the right to be informed of the appropriate safeguards relating to the transfer (pursuant to Article 46).
The first copy of the data must be provided free of charge. You may charge a reasonable fee based on administrative costs for any further copies requested by the same data subject (Article 15(3)). Only where a request is “manifestly unfounded or excessive” – for example, because it is repetitive – may you either charge a reasonable fee for dealing with it or refuse to act on it at all, and it is for you, the controller, to demonstrate that this is the case (Article 12(5)).
What you actually need to do
The GDPR doesn’t prescribe a form for a valid SAR, so a request can take any form – including oral. It doesn’t need to be directed at a particular person or contact, and doesn’t even have to contain the phrases ‘subject access request’, ‘Article 15’ or ‘GDPR’. The data subject simply needs to ask for their personal data.
If you are a data controller, it’s therefore worth defining a process for SARs so that any staff member who receives one knows how to recognise it and act on it – especially as you must respond without undue delay and, in any event, within one month of receipt (Article 12(3)). That period can be extended by up to two further months where requests are complex or numerous, but you must tell the data subject about the extension, and the reasons for it, within the first month. Because a SAR answered to the wrong person is itself a personal data breach, the process should also cover verifying the requester’s identity: where you have reasonable doubts, you may ask for the additional information needed to confirm it (Article 12(6)). Training your staff on handling SARs is also prudent.
Complying with SARs
The GDPR Implementation Bundle provides all the resources and tools you need to kick-start your GDPR compliance project, including the GDPR Documentation Toolkit.
It contains a complete set of easy-to-use documentation templates, including a customisable SAR form and procedure.