Data access requests Ireland. The use of data and rights of access to personal data are governed by the General Data Protection Regulation or GDPR. This is an EU Regulation, and has been in force in Ireland since 2018. GDPR governs how your data is collected, how it is used, and how you can access your data.
Article 15 of the GDPR gives individuals a right to request a copy of any of their personal data which is being ‘processed’ or used. This right includes:
- Confirmation of whether your personal data is being used
- A copy of your personal data which is being used
- Any other additional information, such as
- the purpose of processing,
- the categories used,
- who has access to or received your data in third countries or international organisations,
- how long your data will be retained for,
- the source of the data.
- You also have a right where your data is being processed to be informed of the following:
- your rights to raise a complaint,
- if automated decision making or profiling is being used, you have a right to know the significance and consequences of profiling and the rights to rectification,
- Your rights to erasure, objection to processing and restriction of processing.
DSARs are particularly useful in an employment law context and in preparation for bringing a claim to the WRC.
How do I make Data Access Requests?
Data Access Requests are made to the ‘controller’ of your data. In an employment law context for example, your employer is the ‘controller’.
A data access request can be made in writing or verbally, and the GDPR does not specify a particular format for the request. It is important to be as specific as possible in relation to the data you wish to access.
Can the controller refuse my request?
Under Article 12(5) GDPR, an access request may be refused is it is ‘manifestly unfounded or excessive’. This is a high threshold to meet. If this threshold is met, the data controller can refuse to act on the data access request, or can charge a reasonable fee for the administrative costs of providing the information.
There is also a general limitation on the exercise of the right to access if access would negatively impact the rights and freedoms of others. For example, if your right to access would affect another individual’s right to privacy. In these circumstances, the controller should conduct a balancing exercise to endeavour to comply with the request and avoiding an outright refusal.
How long does it take to get a response to Data Access Requests or DSAR?
The controller of your data has one month from the date of your request to provide a response to your request. This may be extended by a further two months if it is a large and complex request. You must be informed of the intention to exercise this extension within one month of the request.
The general rule is that the request will be responded to in the same format it was made. For example, if you made a verbal request, the data controller may respond verbally. If you made a written request, the data controller may respond in writing. If the request is made electronically (by email), where possible the response will be electronic.
How do I make a complaint about Data Subject Access Requests?
Complaints can be made to the Data Protection Commission. An online complaint portal is available on their website.
When can I make a complaint?
You can make a complaint after the one month period (or after the two month extension period if utilised) has expired.
You can also make a complaint after receiving the response if you are not happy with the response. For example, if you believe that you have not received all the personal data which was requested.
Setanta Solicitors are happy to assist you with any queries you may have in relation to your personal data and making Data Subject Access Requests.