Data Subject Access Requests – FAQs

The majority of complaints and queries the Data Protection Commission (DPC) receives concern individuals, or ‘data subjects’, seeking to exercise their ‘right of access’ to their personal data.

The General Data Protection Regulation (GDPR), under Article 15, gives individuals the right to request a copy of any of their personal data being ‘processed’ (i.e. used in any way) by ‘controllers’ (i.e. those who decide how and why data is processed), as well as other relevant information (as detailed below).

These requests are often called ‘data subject access requests’ or ‘access requests’.

A similar right exists under section 91 of the Data Protection Act 2018, where personal data is processed for law enforcement purposes.

These requests must be responded to free of charge and in an accessible form.

Controllers should facilitate access requests being made and responded to quickly, including electronically where appropriate and where the individual wishes.

The following guide should answer some of the most frequently asked questions by controllers struggling to deal with the access requests they are receiving.

When is an individual entitled to make an access request?

No special conditions need to be satisfied for an individual to be entitled to make an access request.

Individuals can request access to any controller they think might be processing their personal data.

What information is an individual entitled to when they make an access request?

There are a few aspects to the right of access under Article 15 GDPR.

First, individuals are entitled to confirmation of whether the controller is processing any of their personal data, which means any information that concerns or relates to them.

Where that is the case, they are entitled to a copy of their personal data.

Individuals are also entitled to additional information about the processing of their personal data.

The additional information includes:

  • the purposes of the processing;
  • the categories of personal data processed;
  • whom the personal data is shared with;
  • how long the personal data will be stored;
  • the existence of various data subject rights;
  • the right to lodge a complaint with the DPC;
  • information about where the data were collected from;
  • the existence of automated decision-making (such as ‘profiling’);
  • the safeguards in place if the personal data are transferred to a third country or international organisation.

In many cases, controllers will already provide this information to data subjects through their privacy notice.

How broad can the scope of an access request be?

Whilst an individual is entitled to access to any or all of their personal data, where a controller processes a large quantity of information concerning the individual, the controller should be able to request that the individual clarify the request by specifying the information or processing activities which they want access to or information on.

This should only be done where it is genuinely necessary to clarify a request, and never as a way of delaying the response to it.

Where a controller needs an individual to clarify their request, it should ask them to do so as soon as possible.

If the individual refuses to clarify the request, the controller must still comply with the original request.

Does an access request have to be made in writing?

The GDPR does not set out any particular method for making a valid access request.

Therefore, an individual may make a request in writing or verbally.

Where an access request is made verbally, the DPC recommends that controllers record the time and details of the request so they can comply with and understand the request.

Controllers may want to follow up with individuals in writing to confirm they have correctly understood the request.

The DPC would also encourage individuals to submit written access requests where practical to avoid disputes over the details, extent, or timing of an access request.

Some controllers may wish to use standard or online forms for individuals to submit access requests through.

Whilst such forms can help streamline the process and support consistency and timely responses, controllers should remember that access requests can still be validly made by other means, such as letters, emails, telephone calls, or even through social media.

Where an access request is made, a controller may invite or encourage the individual to submit it through their designated form instead.

However, they should make it clear that this is optional, and the deadline for responding to the access request begins to run from the time the valid request is made by any means, not only through the designated form.

Nevertheless, an online form will often be the most efficient method for an individual to make their request and have it responded to in a timely manner.

Does an access request have to be made to a specific contact point designated by the controller?

Where controllers have a particular contact point or staff member designated for handling access requests, contacting them will generally be the most efficient way for an individual to have their request responded to promptly, but using that contact point should be optional.

A valid access request may be made to any controller staff member.

This may present a challenge, particularly where staff lack sufficient awareness or training regarding data protection obligations.

Controllers should ensure that systems are in place so that all valid access requests are actioned appropriately – particularly regarding staff who regularly interact with customers or the public.

A controller may encourage data subjects to contact the designated contact point, but they cannot oblige them to do so.

So, where a request is made to another member of staff, the best approach may be to forward the request to the correct contact point while copying in the individual and explaining the process for handling the request.

Are there other formalities required for a valid access request?

The only other requirements for an access request to be valid are that the request is sufficiently clear to act upon and that the requester’s identity is sufficiently clear.

Individuals should be sufficiently clear about what information they seek, and proof of their identity should only be requested where reasonable and proportionate.

Where the controller requires more information or proof of identity, they should inform the requester as soon as possible.

The time limit for responding to the request begins when the controller receives the additional information.

Seeking proof of identity is less likely to be appropriate where there is no real doubt about the requester’s identity; where there are genuine doubts, or the information sought is particularly sensitive, it may be appropriate to request proof.

Controllers should only request the minimum amount of further information necessary and proportionate to prove the requester’s identity.

Further, there is no need for an individual to use a particular form of words, or even to specifically mention data protection legislation, to make a valid access request; however, it may be helpful for the sake of clarity to state that the request is an access request under the relevant data protection legislation.

How long does a controller have to respond to an access request?

Controllers who receive a valid subject access request must respond to the request without undue delay and, at the latest, within one month of receiving the request.

Controllers can extend the time to respond by a further two months if the request is complex or they have received several requests from the same individual.

However, they must still let the individual know within one month of receiving their access request and explain why the extension is necessary.

Further, it is good practice for controllers to keep requesters regularly updated on the progress of their requests and give them sufficient notice of any potential delays or requests for clarification or proof of identity.

How should controllers provide the information to individuals?

The general rule is that a controller should respond to an individual’s access request in the same way the request was made or the way the requester specifically asked for a response.

Where a request is made electronically, controllers should provide the required information in a commonly used electronic format unless the individual requests otherwise.

Where an individual makes a verbal access request, they may want or be satisfied with a verbal response to their access request, depending on the nature of the request.

Controllers should consider keeping a record of the verbal response issued and what they understood the request to be.

Controllers should respond in writing if a request asks that the response be made in writing to the address provided.

Can controllers charge a fee for responding to an access request?

In most cases, individuals cannot be required to pay a fee to make a subject access request.

Only in certain very limited circumstances, per Article 12(5) GDPR, where the initial request is ‘manifestly unfounded or excessive’ (which the controller must prove), can a controller charge a ‘reasonable fee’ for the administrative costs of complying with the request.

Controllers are also allowed to charge a reasonable fee, based on administrative costs, when an individual requests additional copies of their personal data undergoing processing.

Are there any other limitations on the right of access?

Under Article 12(5) GDPR, in limited circumstances, where an access request is ‘manifestly unfounded or excessive’, a controller may also, where appropriate, refuse to act on the request.

This is, however, a high threshold to meet, and the controller must be able to prove that the request was manifestly unfounded or excessive, in particular, taking into account whether the request is repetitive.

There should be very few cases where a controller can justify a refusal of a request on this basis.

There is a general limitation on the exercise of the right of access under Article 15(4) GDPR, which states that the right to obtain a copy of the personal data undergoing processing should not negatively impact (‘adversely affect’) the rights and freedoms of others, such as privacy, trade secrets, or intellectual property rights.

However, when a controller has concerns about the impact of complying with a request, its response should not simply be a blanket refusal to provide any information to the individual; it should instead endeavour to comply with the request insofar as possible whilst ensuring adequate protection for the rights and freedoms of others.

Whilst the right of access to personal data is a fundamental data protection right, it is not an absolute one and is subject to a number of limited exceptions. Article 23 GDPR allows data subject rights to be restricted in certain circumstances.

Any such restrictions must be set out in a ‘legislative measure’, respect the essence of the fundamental rights and freedoms, be necessary and proportionate in a democratic society, and safeguard an interest of public importance.

The Data Protection Act 2018 contains specific provisions dealing with the restrictions of the rights of data subjects, including sections 59, 60, and 61 in particular, which give further effect to the provisions of Article 23 GDPR.

Accordingly, if a controller considers that it is justified in withholding certain information in response to an access request, it must identify an exemption under the GDPR or the 2018 Act, explain why it applies, and demonstrate that reliance on the exemption is necessary and proportionate.
