Now that we're ready for the GDPR, did you know that you no longer need to pay to make a Subject Access Request (now known as a Right of Access)? Similarly, you no longer need to write in - you can use any formal means of contact, such as requesting your information via phone, Facebook (and other social media outlets) or email, provided the firm can adequately identify you, of course.
So with that in mind this page is to help deal with any Right of Access queries that may come up, and to highlight firms who are not accepting requests and trying it on!
The official line from the ICO is as follows:
- Individuals have the right to access their personal data.
- This is commonly referred to as subject access.
- Individuals can make a subject access request verbally or in writing.
- Firms have one month to respond to a request.
- Firms cannot charge a fee to deal with a request in most circumstances.
What is the right of access?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
What is an individual entitled to?
Individuals have the right to obtain the following from firms:
- confirmation that their personal information is being processed;
- a copy of any personal data; and
- other supplementary information – this largely corresponds to the information that should be provided in a privacy notice.
In addition to a copy of their personal data, firms must also provide individuals with the following information:
- the purposes of their processing;
- the categories of personal data concerned;
- the recipients or categories of recipient they disclose the personal data to;
- their retention period for storing the personal data or, where this is not possible, the criteria for determining how long they will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards provided if they transfer personal data to a third country or international organisation.
How does the ICO recognise a request?
The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to a firm verbally or in writing. It can also be made to any part of the organisation (including by social media) and does not have to be to a specific person or contact point.
A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data. However, even if the firm has a form, you should note that a subject access request is valid if it is submitted by any means, so they will still need to comply with any requests received in a letter, a standard email or verbally.
Therefore, although a firm may invite individuals to use a form, they must also make it clear that it is not compulsory and must not try to use this as a way of extending the one month time limit for responding.
Right of Access Template
If you'd like to stick to the norm and send a written request for information in, which we still recommend (as you have a paper copy / evidence of the request), then you could consider using the template below which should be ample for the firm to comply with your request:
Dear Sirs,
Ref: {enter your account details}
In line with article 15 of the General Data Protection Regulation 2018 (GDPR) I hereby formally request that you provide me a copy of all information held about me on your systems, in paper format or other means.
This is a data subject request so please send me everything that you hold about me to my home address as detailed below:
{enter your address}
I look forward to receiving the requested information within the next 30 days, as per the GDPR.
Yours faithfully
Yes, it really is that basic - that is all you need to send for the firm to adequately respond to your request.
If you have any queries or questions please post them below...