What is a subject access request or SAR?
How should a company handle a data subject’s right of access under GDPR?
What data should a company provide the data subject?
In this article, we will break down the subject access request representing the data subject’s right of access to personal information under GDPR.
We will discuss how a company should handle it, what information to give data subjects, how to evaluate and process a request and even possible sanctions in case of violation of GDPR.
Are you ready?
Let’s get started!
What is a subject access request?
A subject access request or SAR is a way for a person to exercise his or her right to obtain a copy of their personal data as well as additional information about the processing of their data from a company.
When a person makes a request to access his or her information, an organization must respond as soon as possible and take no more than one month.
In its response, the company should:
- Provide a copy of the personal data
- Give details of the company’s processing operations
- Explain the purpose of the processing
- State how long the company may need to process and store the data
- Identify the other recipients of the personal data
- Say whether the personal data was collected from another source
- Say whether automated decision-making systems are involved
What can be shared with the data subject?
When a company receives a data subject access request, what information should the company provide?
GDPR is clear on this topic.
A person is entitled to receive a copy of his or her personal data.
Companies must take care to provide only the data subject’s personal information and not that of another person.
When a data subject submits a SAR to a company, the company should gather the personal data strictly related to the individual in question.
If the company accidentally shares the personal data of another person, the company will be in breach of its GDPR obligations for disclosing personal data outside the purpose for which that data was initially collected and without any other lawful basis to justify the disclosure.
The error can be costly!
It may also be challenging at times to determine whether a given piece of data is ‘personal data’.
Companies subject to GDPR must define a process allowing them to effectively qualify the data as personal data before giving access to it.
How to respond to a GDPR subject access request?
A person has the right to access the personal data collected, used, processed and stored by a company related to him or her.
By submitting a Subject Access Request or a SAR, a person exercises his or her right of information.
When a person requests access to their personal information, companies have a duty and obligation to provide such access.
Here are the steps in responding to a SAR in compliance with GDPR:
- Evaluate and recognize the request
- Assess your timeline
- Assess the effort required or fees you may charge
- Gather the requested data
- Determine what information to withhold
- Respond to the data subject
Let’s look at each of these steps.
Evaluate and recognize the request
A data subject can make a request to access information in writing or even verbally.
GDPR does not define the mechanics for how a data subject should make a request to access his or her information.
When a data subject makes a request to access their data, generally speaking, you should consider the request as valid from a GDPR standpoint.
Once a request for access has been received by a company, the recipient should make sure to route the request to the right stakeholder in accordance with the company policy.
An access request can be submitted by any data subject, whether an employee of the company, a client, a vendor or any other individual for whom the company processes personal data.
A subject access request can also be made through the company’s social media platforms.
There is no right or wrong way of submitting a data subject access request.
Assess your timeline
Once a SAR has been identified and transferred to the right stakeholder to handle, you should evaluate your timeline.
How much time do you have to respond to the request?
Time starts ticking from the moment the request is made.
According to Article 12 GDPR, a data controller must provide the information requested by a data subject without undue delay and in any event within one month of the request.
What this means is that from the day a person submits a request for information to a company, the company must respond as soon as possible but should not take more than 30 days to respond.
In some cases, a data controller may need more time to process a request due to the complexity of the request.
GDPR allows a data controller to extend the response period by an additional two months.
To extend the response period, the data controller must inform the data subject of the extension and the reasons for it.
Assess the effort required or fees you may charge
A person should be able to exercise his or her right to access information free of charge.
So as a general rule, there should be no fees.
In practice, when you get a SAR, you should evaluate the effort required to respond to the request and assess the possibility of charging a fee.
In the following cases, a fee can be charged:
- When a request is manifestly unfounded
- When a request is excessive
If a request is excessive or unfounded, a company can either refuse to process the request or charge an administration fee to cover the costs of complying with the request.
Gather the requested data
If a request is valid and it is accepted by the company, the next step is to gather the information.
Depending on the data subject’s request, it may either be easy to identify the personal data needed or more time-consuming.
Remember, no matter the type of request, you have one month to respond, and you have the ability to extend the response period by an additional two months.
The data about the data subject should be gathered and communicated to the person in charge of assessing the data.
Depending on how much personal data is held on a person, this exercise may be the most time-consuming of all the steps in responding to a SAR.
If an organization has worked on a data flow map and has identified how it processes data, where the data is stored and how it is managed, handling a subject access request may be easier.
Determine what information to withhold
Once the information about a person has been compiled, the company must go through the data to determine whether any of it should be withheld.
GDPR allows a data subject to access his or her information.
However, the company has a duty to protect the personal data of other data subjects.
A person’s right cannot be invoked to the detriment of another.
GDPR makes it clear that “the right to obtain a copy [of personal data] shall not adversely affect the rights and freedoms of others”.
A company may also need to withhold other pieces of information to comply with a legal obligation.
What’s important is for the company to do a triage of the data compiled before releasing it to the data subject.
Respond to the data subject
The final step is to respond to the data subject and provide the information requested and access to the personal data.
GDPR requires the organization to provide the data subject with access to the personal data and also to provide the following information:
- The purpose of the processing
- The categories of personal data concerned
- The recipients of the personal data, or categories of recipients
- How long the data will be stored
- The existence of the data subject’s right to rectification, erasure, restriction of processing or to object to the processing
- The data subject’s right to lodge a complaint with the supervisory authority
- If the personal data was not collected directly from the data subject, information about its source
- If automated decision-making systems are involved, the logic used to make decisions and the consequences for the data subject
Subject access request form
To facilitate the processing and handling of subject access requests, it may be a good idea for companies to set up a subject access request form.
Using such a form, a company can prompt the data subject to supply the information needed for receiving, handling and processing right of access requests.
Recital 59 GDPR states:
“Modalities should be provided for facilitating the exercise of the data subject’s rights under this Regulation, including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means.”
Companies are encouraged to provide methods that facilitate the exercise of data subjects’ rights, particularly the right of access under GDPR.
If the person’s data was collected electronically, the data controller should provide electronic means to request access to the data as well.
Creating a subject access form can be quite useful although a company cannot reject a request if the data subject did not use the subject access form or follow a specific process.
How long does a company have to respond to a subject access request?
A company has one month to respond to a data subject’s access request.
When a request is made, a company should have a process whereby the SAR is quickly reviewed and assessed for a timeline.
If the company believes that it can respond to the data subject and provide a copy of the personal data within a month, that’s great.
If not, the company should exercise its right to extend the deadline by an additional two months in accordance with the GDPR requirements.
However, the organization must still respond to the data subject within one month and inform the person it needs more time to respond and provide explanations as to why the additional time may be needed.
It may be a good idea for a company to appoint at least two people trained on handling SARs so that when a request comes in, there is always someone available to handle it.
If one of the two is absent, on vacation, sick or otherwise unavailable, the SAR will still be handled.
Some companies end up breaching their GDPR obligations simply because only one person is appointed to handle subject access requests; when a request comes in while that person is on vacation, for instance, the company inadvertently breaches its GDPR obligations.
How much explanation should be given to a data subject?
A data subject is entitled to receive a copy of his or her personal data in an intelligible manner.
Any supplementary information given to the data subject must be concise, clear and in plain language.
Based on the ICO’s guidance, a company is not required to ensure that the information provided is in a form that can be understood by the particular individual making the request.
Refusing a subject access request
The general rule is that a company must comply with a data subject’s access to information.
This is an important right granted to data subjects under GDPR.
Should a company comply with all SAR requests?
The answer is yes unless the data subject’s request is manifestly unfounded, excessive or repetitive.
Article 12(5) GDPR states that:
“where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request”.
Based on this article, a data controller or data processor has the right to refuse or reject a subject access request, provided it is able to demonstrate that the request is excessive or unfounded.
What is a manifestly unfounded request?
GDPR allows a data controller or data processor to either charge a fee or reject a data subject’s right of access to personal data if the request is manifestly unfounded.
The term ‘manifestly’ means that it is obvious, leaving no doubt, that the request is unfounded.
Companies should carefully assess a subject access request before rejecting it to ensure that the request is indeed manifestly unfounded.
Here are some examples of manifestly unfounded requests:
- A person has filed a request to get monetary advantages from the company
- The person’s request clearly shows that the objective is to disrupt the company operations
- The request is a person’s way to attack an employee of your company
- The person’s request is malicious
- The person is using the SAR as a means to harass the organization
What is an excessive request?
A data subject request can also be excessive in nature justifying its rejection.
A request is excessive when the person’s demands are excessive in scope or repetitive.
Companies should carefully assess a request before qualifying it as an excessive request though.
The burden of demonstrating that a request is excessive rests on the organization’s shoulders.
Here are some examples of an excessive request:
- Repeatedly requesting the same information
- Requesting information that was already communicated
- Requesting a significant amount of information
- Repeatedly wanting to get additional copies of what they have gotten before
- Submitting the same requests through multiple channels
What’s advisable is that a company assesses the request carefully before rejecting it.
It may be a good practice to reach out to the data subject in order to clarify the request or better scope the request in such a way to eliminate its excessive nature.
If a data subject is unaware of the excessive nature of the request, they may request information in good faith not knowing any better.
Granted, some other individuals may know exactly what they are doing.
Rather than rejecting a request outright, it may be worth considering the option to have the request clarified.
Data subject complaints
According to the Data Protection Commission of Ireland, the majority of complaints and queries lodged with it by data subjects relate to the individual’s right of access.
Based on this, companies should give the subject access request the importance it deserves not only to remain in compliance with GDPR but also to reduce the risk of a complaint to the relevant supervisory authority.
When a data subject requests access to information and does not receive a response from the organization, they may have a higher likelihood of filing a complaint with the supervisory authority.
On the other hand, if a company maintains transparent and open communication with the data subject, it may be able to manage the data subject access request in a much more streamlined and friendly manner.
Infringement of data subject’s right of access
Article 83 GDPR allows the supervisory authorities to issue administrative fines in the event of non-compliance or the infringement of GDPR.
Depending on the nature of the infringement, GDPR classifies it in two categories.
One category is for serious infringements of GDPR, where the fines can reach the greater of €20,000,000 or 4% of a company’s global annual turnover.
The other category is for less serious infringement cases where fines can reach the greater of €10,000,000 or 2% of a company’s global annual turnover.
A violation of Article 15 GDPR, concerning the data subject’s right to information, is a serious breach under GDPR (Article 83(5)(a) GDPR), exposing a company to fines equal to the greater of €20,000,000 or 4% of its global annual turnover.
In addition, failure to observe the Article 12 GDPR requirements with regard to providing a data subject with supplementary information in response to the exercise of his or her right of access is considered a serious breach of GDPR (Article 83(5)(b) GDPR) and as such exposes a company to fines equal to the greater of €20,000,000 or 4% of its global annual turnover.