What data can an individual request?
Consumers and members of the public who make a subject access request (SAR) often simply want to find out what information is held on them by an organisation. However, they are also entitled to find out:
details of the personal data that is being processed (ie a copy of the data)
the reasons why this data is being processed
how this data was sourced (if available)
which other organisations or individuals have access to their data
For more information, read Making subject access requests.
Under the GDPR and DPA, they can additionally request information about data retention periods and have the right to have inaccurate data corrected. Individuals can also ask for data to be erased if there is no longer any legal basis for processing that data, ask that the processing of that data be restricted or object to the use of their data.
Individuals can make data protection requests to both the data controller and the data processor. The legal duty to respond sits with the controller; a processor that receives a request is obliged to assist the controller in answering it, so a request sent to a processor should be passed on promptly rather than left unanswered.
What are the safeguards regarding automated decision making?
Individuals can request information (via a SAR) about the reasoning behind any automated decisions taken on the basis of data held about them (eg when applying for a credit card). Under the GDPR they must be provided with a simple way of challenging automated decisions. For more information, see the Information Commissioner's Office (ICO) guidance.
How does an individual make a data protection request?
How must a company respond to a data protection request?
The recipient of a data request must respond without undue delay and, in any event, within one month. This starts on the day the organisation receives the request (even if this is a weekend or bank holiday) and ends on the corresponding date of the next month.
If the corresponding calendar date does not exist because the following month has fewer days, the end date is the last day of the month. If the end date falls on a weekend or bank holiday, the calendar month ends on the next working day.
If a number of requests have been made, or the request is complex, organisations may require extra time. Where this is the case, they can generally take up to an extra two months to respond. Organisations should inform the person making the request within one month of receiving the request if they need more time and explain why.
See the ICO guidance on time limits for more information.
The recipient of the request is required to provide the information requested in an 'intelligible form' - which essentially means in a form that most people would be able to understand using clear, plain language.
Proof of ID
Organisations may require proof of ID to carry out identity verification for security reasons. Such checks will often form part of an organisation's measures to protect personal data from unauthorised access: a subject access request answered without verification is an easy way for an impostor to obtain someone else's personal data, so the request channel itself needs the same care as any other disclosure.
If the recipient of the request has doubts about the identity of the person making the request they can ask for more information. However, it is important that they only request information that is necessary to confirm who the individual is. The key to this is proportionality: verification should be calibrated to the sensitivity of the data and to how well the organisation already knows the requester (for example, a request made from a customer's authenticated account generally needs less than a request arriving by post), and it should not be used to collect more identity documents than the check requires.
Where more information is needed to confirm the individual's identity before their request can be responded to, they should be informed of this as soon as possible. If proof of identity is requested, the one-month time limit doesn't start until the proof of ID has been received by the organisation.
For more information, see the ICO guidance on responding to data protection requests.
In most situations, organisations should comply with data protection requests free of charge. However, an organisation may be able to charge a fee:
to cover their administrative costs, if the organisation finds the request to be ‘manifestly unfounded or excessive’ (eg the request was made to harass or disrupt the organisation or the person doesn’t have a genuine intention of accessing their information)
if the individual asks for additional copies of the information after a request
If an organisation can charge a fee, the one-month time limit doesn't start until the fee has been paid by the individual and received by the organisation.
Read the ICO guidance on responding to data protection requests for more information.
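The time-limit rules above (a calendar month counted from the day of receipt, month-end clamping, roll-forward over weekends and bank holidays, the optional two-month extension, and the later start of the clock when proof of ID or a fee is outstanding) are easy to get wrong in a ticketing system. The following deadline calculator is an added example written for this page, not code from the ICO or from any organisation; the function names, the `clock_starts` parameter and the bank-holiday list passed in are assumptions for illustration, and a real deployment should load the official bank-holiday list for the relevant UK nation rather than a hard-coded set.

```python
"""SAR deadline calculator following the calendar-month rules described on this page.

Added example: function names and parameters are illustrative assumptions,
not an official ICO tool.
"""
from __future__ import annotations

import calendar
from datetime import date, timedelta


def add_calendar_months(start: date, months: int) -> date:
    """Return the 'corresponding date' `months` calendar months after `start`.

    If that day does not exist (e.g. 31 January + 1 month), the page's rule is
    that the end date is the last day of the target month.
    """
    month_index = start.month - 1 + months  # zero-based month count
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def next_working_day(d: date, bank_holidays: frozenset[date]) -> date:
    """Roll a date forward while it falls on a Saturday, Sunday or bank holiday."""
    while d.weekday() >= 5 or d in bank_holidays:
        d += timedelta(days=1)
    return d


def sar_deadline(
    received: date,
    bank_holidays: frozenset[date] = frozenset(),
    *,
    clock_starts: date | None = None,
    extension_months: int = 0,
) -> date:
    """Date by which the organisation must respond.

    received         - day the request arrived (weekends and bank holidays count)
    clock_starts     - day proof of ID or a fee was received, if one was needed;
                       the clock does not start until then (assumed parameter)
    extension_months - 0, 1 or 2 extra months for complex or numerous requests
    """
    if not 0 <= extension_months <= 2:
        raise ValueError("extension may be at most two additional months")
    start = received if clock_starts is None else max(received, clock_starts)
    end = add_calendar_months(start, 1 + extension_months)
    return next_working_day(end, bank_holidays)


def extension_notice_deadline(received: date, bank_holidays: frozenset[date] = frozenset(),
                              *, clock_starts: date | None = None) -> date:
    """The requester must be told about any extension within the original one month."""
    return sar_deadline(received, bank_holidays, clock_starts=clock_starts, extension_months=0)


if __name__ == "__main__":
    # Constructed sample inputs for illustration only.
    holidays = frozenset({date(2024, 12, 25), date(2024, 12, 26)})
    print(sar_deadline(date(2024, 1, 31)))                       # month-end clamp, leap year
    print(sar_deadline(date(2024, 6, 6)))                        # lands on a Saturday, rolls to Monday
    print(sar_deadline(date(2024, 11, 25), holidays))            # rolls over two bank holidays
    print(sar_deadline(date(2024, 1, 10), clock_starts=date(2024, 1, 20)))  # ID received later
    print(sar_deadline(date(2024, 1, 31), extension_months=2))   # three months total, clamped
```

Note that the clamp-then-roll order matters: the corresponding date is fixed first (clamped to the month end if needed) and only then moved past a weekend or bank holiday, which is what the page's two sentences describe; doing the roll before the clamp can land on the wrong month.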
Are there any exemptions?
Certain requests are subject to exemptions or restrictions, including where the personal data:
is being processed in connection with crime, taxation or another regulatory activity
comprises a confidential reference given by an organisation in connection with education, training or employment, appointing officeholders, or providing services
is processed for management forecasting or management planning (if responding to the request would prejudice the business or other activity of the organisation)
would, if disclosed, prejudice ongoing negotiations
is processed for journalism, art or literature, where disclosure could threaten freedom of expression
is being processed by an individual for their personal affairs
Under the GDPR, if a request is ‘manifestly unfounded or excessive’ data controllers may, instead of charging a fee, choose to refuse to comply with the request, providing evidence as to why the request has been refused.
What if organisations don’t respond or the response is unsatisfactory?
If an organisation doesn’t respond to your data protection request or you are dissatisfied with their response, you should contact the organisation. Where possible, this should be done in writing, setting out what it is you are trying to achieve. For example, if you are dissatisfied with their response, and believe personal information to be missing, set out the personal information you believe them to hold.
If you complain to an organisation and do not receive a response, or remain dissatisfied with the response, you can complain to the ICO. This should typically be done within three months of your last contact with the organisation.
You can also consider seeking enforcement through the courts. However, due to the complexity and cost of court proceedings, you should first seek advice from a lawyer. Ask a lawyer for more information.