Data protection requests

What data can an individual request?

Consumers and members of the public who make a SAR often simply want to find out what information is held on them by an organisation. However, they are also entitled to find out:

details of the personal data which is being processed (ie a copy of the data)
the reasons why this data is being processed
how this data was sourced (if available)
which other organisations or individuals have access to their data

Under the GDPR and DPA, they can additionally request information about data retention periods and have the right to have inaccurate data corrected. Individuals can also ask for data to be erased if there is no longer any legal basis for processing that data, or ask that the processing of that data is restricted.

Individuals can make data protection requests from both the data controller and data processor.

What are the safeguards regarding automated decision making?

Individuals can request information (via a SAR) about the reasoning behind any automated decisions taken on the basis of data held about them (eg when applying for a credit card). Under GDPR they must be provided with a simple way of challenging automated decisions.

How does an individual make a data protection request?

SARs must be made in writing - by post, email or social media (verbal requests may be considered if necessary due to a disability). A SAR does not need to mention any legislation or even identify itself as a SAR - and it can be sent to anyone at an organisation.

How must a company respond to a data protection request?

The recipient of a SAR must respond without undue delay and, in any event, within one month. They are required to provide the information requested in an 'intelligible form' - which essentially means in a form that most people would be able to understand and using clean, plain language.

If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.

You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information.

Are there any exemptions?

Certain SARs are subject to exemptions or restrictions, including:

if it is being processed in connection with crime, taxation or another regulatory activity
if it comprises a confidential reference given by an organisation in connection with education, training or employment, appointing office holders, or providing services
where personal data is processed for management forecasting or management planning (if the SAR would prejudice the business or other activity of the organisation)
if it would prejudice ongoing negotiations
where it could threaten freedom of expression in journalism, art and literature
if the data is being processed by an individual for their personal affairs

Under GDPR, if a request is 'manifestly unfounded or excessive' data controllers will be able to levy a fee or refuse to comply (but they will need to provide evidence).