The Irish Data Protection Commission (DPC) has issued a guidance note that answers some of the most frequently asked questions regarding Data Subject Access Requests (DSARs).
Some FAQs are as follows:
- How broad can the scope of the request be? The guidance confirms that a controller is entitled to ask an individual to clarify their request by specifying the information or processing activities to which they want access or about which they want information. This should only be done where reasonably necessary to clarify the request, not as a means of delaying the response. However, if an individual refuses to clarify the request, the controller must still comply with the original request.
- Does the request have to be in writing? The GDPR does not set out a particular method for making a valid DSAR - so, it can be made in writing or orally. The DPC recommends that a controller record the time and details of the DSAR. Where a controller invites individuals to submit a DSAR through a designated form, the guidance states that the controller should make it clear that this is not compulsory and that the deadline for responding to the DSAR runs from the time the valid request is made by any means, not only through the designated form.
- Does the request have to be made to a specific contact point designated by the controller? While this is the most efficient way of ensuring that a DSAR is dealt with promptly, it is not mandatory. As a DSAR can be made to any staff member, controllers should have adequate systems in place to ensure that such requests are actioned appropriately.
- Any limitations on the right of access? The right is not absolute and is subject to a number of exemptions. Article 12(5) of the GDPR permits a DSAR to be refused where it is "manifestly unfounded or excessive". However, the guidance states that this is a high threshold and so a refusal on this ground will only be justified in "very few cases". Furthermore, Article 15(4) of the GDPR states that the right to obtain a copy of personal data should not adversely affect the rights and freedoms of others. The guidance states that where a controller has concerns about the impact of complying with a DSAR, instead of a blanket refusal, it should "endeavour to comply with the request insofar as possible ensuring adequate protection" for the rights of third parties. If a controller considers it justified to withhold certain information, it must identify the relevant exemption, explain why it applies, and demonstrate that reliance on the exemption is necessary and proportionate.
- Any formalities required for a valid access request? No, other than that the request must be sufficiently clear to be acted upon and that the identity of the requester is sufficiently clear. Where the controller requires more information or proof of identity, it should advise the requester promptly; the time limit for responding to the request then begins when the controller receives the additional information or proof of identity.
Hopefully, the guidance will help both individuals who are seeking copies of their personal data as well as controllers who are struggling to deal with DSARs.