Every data subject has a right to obtain:

  • Confirmation that their data is being processed.
  • Access to their personal data.
  • Other supplementary information, such as its purposes, the categories of data, etc.

Under existing legislation, individuals have a right to access their personal data; however, these rights will be enhanced by the GDPR. The procedure for making and responding to subject access requests remains similar, but the GDPR introduces some changes:

Information must be provided for free

The previous fee of €6.35 is no longer required and, in most circumstances, organisations must provide subjects with a copy of the information they request free of charge. However, they are permitted to charge a “reasonable fee” when a request is manifestly unfounded, excessive or repetitive.

30 days to respond

The current period for processing is to be shortened from 40 days to 30 days. Where requests are complex or numerous, organisations will be able to extend the deadline for providing the information to three months. However, they must still respond to the request within 30 days, explaining why the extension is necessary.

Electronic requests must be available

Organisations must provide data subjects with the option of making requests electronically (e.g. by email) as well as physically. Where a request is made electronically, the information must be provided in a commonly used file format.

How should you prepare?

The changes to the rules regarding subject access requests mean that organisations will have to deal with requests more quickly and provide individuals with additional information. This, along with the fact that in most instances information must now be provided for free, means that organisations should dedicate more resources to responding to subject access requests.