The Data Protection Commission (DPC) has published guidance which seeks to answer some of the most frequently asked questions in relation to Data Subject Access Requests (DSARs). Some of the key issues addressed in the guidance are set out below:
- Format of Request – The GDPR does not prescribe any particular method for making a valid DSAR. Accordingly, the DPC states that where a controller invites individuals to submit a DSAR through a designated online form, the controller should make it clear that this is not compulsory, and that a DSAR may be made by other means.
- Time limit to respond – Like the UK ICO, the DPC states that the one month time limit to respond to a DSAR runs from the date that the data controller receives proof of identity (if requested) or more information clarifying the request. Proof of an individual’s identity should only be requested where “reasonable and proportionate“ to do so.
- Scope of request – In line with recital 63 of the GDPR, the DPC confirms that a controller is entitled to ask an individual to clarify their request, by specifying the information or processing activities which they want access to. However, if an individual refuses to provide any additional information, the controller will still need to endeavour to comply with the request.
- Specific contact point for DSARs – The DPC notes that a DSAR may be made to any staff member. A controller may encourage data subjects to contact a designated staff member, but it cannot oblige them to do so.
- “Manifestly unfounded or excessive” requests – The DPC highlights that Article 12(5) of the GDPR permits a DSAR to be refused where it is “manifestly unfounded or excessive” but does not provide any guidance on the meaning of these words. However, the DPC warns that a controller will need to be able to meet “a high threshold” in order to prove a request is “manifestly unfounded or excessive“, and a refusal on this ground will be justified in “very few cases”.
- Third party data – The guidance clarifies that there should not be a blanket refusal to respond to a DSAR due to concerns that the request may adversely affect a third party. Instead, the controller “should endeavour to comply with the request insofar as possible” whilst ensuring adequate protection for the third party’s rights.
- Refusing DSARs – Article 12(4) of the GDPR requires a controller to inform an individual of the reasons for refusing a request. The DPC clarifies that the controller must, in particular, identify the relevant exemption under the GDPR or Data Protection Act 2018, provide an explanation as to why it applies, and demonstrate that reliance on the exemption is necessary and proportionate.
This was originally published in the IP & Technology Blog on 8 November 2019.