How to Handle GDPR Subject Access Requests

Receiving a subject access request from one of your users can be a stressful experience. It's easy to appear unprofessional if you don't respond appropriately.

In its annual reports, the UK Information Commissioner's Office breaks down the data protection complaints it receives by type. Year after year, complaints about the handling of subject access requests top that list.

To avoid enforcement action, reputational damage, and legal issues, you need to get this right.

This article will help you understand the rules on how to properly handle a subject access request, the information you need to provide and how to create a system that saves time for you and your users.

Key Concepts

One of the chief goals of the GDPR is to provide data subjects with more control over how data controllers process their personal data.

This brings us to three of the GDPR's key definitions:

  • Data subject - an identified or identifiable living individual
  • Data controller - an entity that determines the purposes and means of processing personal data (why and how it is processed)
  • Personal data - any information relating to an identified or identifiable living individual

Your business is almost certainly a data controller in at least some respects.

From the perspective of your business, data subjects can be:

  • Your customers
  • Your potential customers
  • Your employees
  • Your ex-employees
  • Your job candidates
  • Users of your mobile app
  • Visitors to your website
  • Anyone else whose personal data your business might collect

The GDPR gives data subjects eight powerful data subject rights over their personal data:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights related to automated decision-making

A subject access request is how data subjects can exercise their right of access.

Carrying Out a Subject Access Request

A subject access request allows data subjects to request a copy of their personal data from data controllers, along with information about how the data controller uses their personal data.

Data processors can also be involved in carrying out a subject access request. A data processor may need to retrieve the relevant personal data on behalf of its data controller. But the data controller, not the processor, is responsible for responding to the data subject.

What Personal Data Do I Need to Provide?

To know what sorts of information you need to provide a data subject following a subject access request, you need to understand what "personal data" means.

Under the GDPR, all sorts of information can be personal data, including:

  • Contact details
  • ID numbers
  • Online identifiers such as username, IP address, or cookie ID
  • Information about a person's preferences or habits (cookies can reveal this)
  • Opinions and other subjective information about a person (for example, internal emails discussing them)

The GDPR doesn't exempt particular categories of personal data from the right of access. As a rule, you must provide all the personal data you hold about the data subject. The only limits are that your response must not adversely affect the rights of others (see below), and any narrow exemptions that apply under your national law.

Can I Ask for ID?

You can request ID if you're uncertain about the identity of the data subject.

Act proportionately. If the data subject has an account with you, you might only need to request they log into it. Don't be obstructive.

What If the Request Includes Information About Other People?

You must take care only to provide information about the data subject making the request.

However, avoiding revealing the personal data of others can be difficult in some cases. For example, the data subject might want copies of emails that name other people.

You shouldn't automatically refuse to provide the data subject with documents that mention other people. You might be able to redact such documents.

Where redaction is impossible, or would require disproportionate effort, you'll need to balance the requester's right of access against the other person's rights. If the right course of action isn't clear, seek advice from your Data Protection Authority.

What Other Information Do I Need to Provide?

People usually think of subject access requests as a way for data subjects to request a copy of the personal data that a data controller holds on them.

However, the GDPR also requires data controllers to provide extensive information about how and why they process a data subject's personal data.

The GDPR lists eight types of information that data controllers must make available to data subjects on request.

Think of this as a custom Privacy Policy. You don't need to supply every piece of information every time someone makes a subject access request. But you must be prepared to do so.

Here's a breakdown of the information you might have to provide:

For each of the eight items below, you'll find the wording from the GDPR (Article 15), what it means in practice, and an example of how you might phrase it for a data subject.

1. "The categories of personal data concerned"

What it means: What types of personal data do you hold on the data subject?

Example: We collect your full name, email address, and shipping address. We also collect information about how you use our website and app.

2. "The purposes of the processing"

What it means: Why are you holding this personal data? What are you actually doing with it?

Example: We use your personal data for activities such as processing your payment and sending you your product. We also want to learn how you use our website and app so we can make improvements to it.

3. "The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations"

What it means: What types of companies do you share personal data with? Are any of them based outside of the EU?

(Note: describing categories of recipients is acceptable where you can't yet identify the specific recipients. But if the data subject asks who the actual recipients are, you should name them wherever possible; the Court of Justice of the EU confirmed this in case C-154/21.)

Example: We may share your personal data with trusted business partners such as payment card processors, mail carriers, email marketing companies, and data analytics companies.

We may also need to share your personal data with legal authorities upon receipt of a valid court order.

Our email marketing partner, MonkeyMail, is based in Canada, a non-EU country.

4. "Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period"

What it means: How long do you intend to keep hold of the data subject's personal data? You might not have a predetermined period of months or years. If not, how else do you decide when to delete personal data?

Example: We store your name and email address for two years from the date of your last purchase.

We store your shipping address until you close your account with us.

We store part of your IP address for three days following your most recent visit to our website.

5. "The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing"

What it means: You must inform the data subject about their other data subject rights.

Example: You have the right to request that we erase your personal data or amend any inaccurate personal data. We'll consider your request and respond within one month.

In the meantime, we can temporarily move your personal data to a separate system. This serves to minimize access to your personal data while we consider your request. Let us know if you want us to do this.

If you object to any of the ways in which we use your personal data, just let us know. We'll consider your objection and respond within one month.

6. "The right to lodge a complaint with a supervisory authority"

What it means: You must inform the data subject of their right to complain to a Data Protection Authority, and tell them which one they would use to complain about your company (see our guidance on determining your data protection authority).

Example: If you're not happy with the way we've carried out your request, or any other aspect of how we use your personal data, you can make a complaint to the Information Commissioner's Office.

7. "Where the personal data are not collected from the data subject, any available information as to their source"

What it means: The data subject will probably have provided most of the personal data you store on them. However, you might receive their personal data from other people too. If so, let them know.

Example: As well as the personal data you provide us with, we also receive some personal data about you from other sources. When you applied for a job with us, we received information about you from the people you provided as your references.

8. "The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject"

What it means: If you make certain automated decisions, you need to tell the data subject about this. Include some information about your decision-making logic and the consequences of its decisions.

Example: We make certain decisions on an automated basis.

If you apply for a loan, we may use information about your credit history to determine your eligibility automatically. This will include consideration of the number of payments you've missed.

If our automated system determines that you're unlikely to be able to repay a loan, we may deny you credit.

Please let us know if you would like one of our employees to manually review an automated decision.

How Long Do I Have to Respond?

You have one calendar month to respond to a subject access request, counted from the day you receive it.

  • If you get a request on June 15th, you must respond by July 15th
  • If you get a request on August 31st, you must respond by September 30th (there's no September 31st, so the deadline falls on the last day of the following month)
  • If you get a request in a short month such as February, get a move on! A month is a month no matter how many days it contains.

You can extend this period by up to two further months where necessary, taking into account the complexity and number of the requests. Reserve the extension for genuinely complex requests. You must tell the data subject that you need more time, and why, before the first month is up.
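The deadline arithmetic above is easy to get wrong in a ticketing or request-tracking system, so here is an added example, not code from the original article, that computes the standard deadline, the latest possible extended deadline, and whether an extension notice went out in time. The function names and the sample dates are my own. It assumes the counting convention described above: the corresponding calendar date in the following month, or the last day of that month if there is no such date, with the extension adding up to two further months on top.

```python
from datetime import date
from typing import Optional
import calendar


def add_calendar_months(start: date, months: int) -> date:
    """Return the corresponding calendar date `months` after `start`.

    If the target month has no such day (31 August + 1 month), the result is
    clamped to the last day of that month (30 September). This is the
    counting convention described in the text above.
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def sar_deadline(received: date) -> date:
    """Standard deadline: one calendar month from the day of receipt."""
    return add_calendar_months(received, 1)


def sar_extended_deadline(received: date) -> date:
    """Latest possible deadline if you invoke the extension of up to two
    further months: three calendar months from the day of receipt."""
    return add_calendar_months(received, 3)


def extension_notice_is_timely(received: date, notice_sent: date) -> bool:
    """The data subject must be told about the extension (and why) before
    the original one-month period expires."""
    return received <= notice_sent <= sar_deadline(received)


def sar_timeline(received_iso: str, notice_sent_iso: Optional[str] = None) -> dict:
    """Convenience wrapper on ISO-8601 date strings, as a tracker storing
    dates as text would use. Returns ISO strings so the result is easy to
    log or assert on."""
    received = date.fromisoformat(received_iso)
    result = {
        "received": received.isoformat(),
        "deadline": sar_deadline(received).isoformat(),
        "extended_deadline": sar_extended_deadline(received).isoformat(),
    }
    if notice_sent_iso is not None:
        notice = date.fromisoformat(notice_sent_iso)
        result["extension_notice_timely"] = extension_notice_is_timely(received, notice)
    return result


if __name__ == "__main__":
    # Constructed sample dates, not taken from any real request log.
    for received, notice in [("2021-06-15", "2021-07-15"),
                             ("2021-08-31", None),
                             ("2020-01-31", "2020-03-01")]:
        print(sar_timeline(received, notice))
```

One caveat: the example implements only the calendar-month rule the article describes. The ICO's guidance adds that if the corresponding date falls on a weekend or public holiday, you have until the next working day; if you build this into a real tracker, add a working-day adjustment for your jurisdiction.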

Can I Charge a Fee?

You may not charge a fee for a subject access request unless the request is:

  • "Manifestly unfounded" - for example, if the data subject is making the request in bad faith, or is obviously trying to harm your business
  • "Excessive" - for example, if the data subject makes many requests, or makes requests that overlap

(The one other case: if the data subject asks for further copies of personal data you've already provided, you may charge a reasonable fee based on your administrative costs.)

There's no clear definition of these concepts. If you think a request might be manifestly unfounded or excessive, you'll have to make a judgment call.

If the data subject seems to be asking for an excessive amount of information, this doesn't necessarily make the request itself "excessive."

You can always ask the data subject for further clarification if their request seems very broad.

There's no set amount for the fee. It must be reasonable, taking into account the administrative cost of carrying out the request.

Can I Refuse a Request?

Under certain conditions, you may be entitled to refuse a subject access request.

Again, this is only appropriate where the request is manifestly unfounded or excessive.

When refusing a subject access request, you must tell the data subject without delay, and at the latest within one month of receiving the request, about:

  • The reasons you're refusing
  • Their right to make a complaint to a Data Protection Authority
  • Their right to take legal action against you

Consider how you could justify the decision made in court if things go that far.

Isn't This All a Huge Hassle?!

Let's face it. Receiving a subject access request can create a significant burden on your business. But there are steps you can take to reduce this burden.

The subject access request process will be easier if you:

  • Don't collect unnecessary personal data
  • Erase any personal data you don't need
  • Keep personal data well-organized and accessible
  • Train your staff so that they recognize a subject access request and forward it to the responsible person

Your Subject Access Request Solution

It's in your interest to make this process as easy as possible for data subjects. Depending on the context of your business, the best solution could be:

  • Setting up a dedicated email address
  • Providing a subject access request form
  • Creating a user interface solution

It's important to set up a system to help data subjects make requests. But you can't insist that data subjects do things your way. If you receive a subject access request through another channel, you'll still have to respond.

Amending Your Privacy Policy

You must refer to the right of access in your Privacy Policy.

This can be as simple as briefly describing the right of access and providing a contact email address. Here's an example from Arq:

ARQ Privacy Policy: Individual Rights clause - Subject access request excerpt

If your subject access request solution is more elaborate, like Facebook's, you'll still need to use your Privacy Policy to let data subjects know about it.

Facebook Data Policy: How to exercise your GDPR rights clause

We'll take a look at Facebook's subject access request process below.

Creating a Subject Access Request Form

You might sometimes receive vague or confusing subject access requests. Creating a subject access request form is a good way to avoid this.

By asking the right questions of data subjects, you can elicit a more precise and meaningful subject access request.

Here's an example from CWT:

CWT Subject Access Request Form screenshot

CWT also uses this form to facilitate other user rights - erasure and rectification.

A form like this helps users know exactly what information they need to submit to you, which makes it easier for both them and you.

Provide a User Interface Solution

If your users can create an account with your service, you can implement front-end account controls to allow them to access their personal data. Automating the subject access request process could save you a lot of work.

Take a look at Facebook's account controls:

Facebook Account Controls: Access Your Information option highlighted

Facebook users can then view their personal data by category:

Facebook: Your Information main menu screenshot

Facebook also allows access to the information it holds about the user:

Facebook: Information About You menu screenshot

Facebook's account controls let users access the bulk of the personal data they're likely to want.

But don't forget - you might hold personal data associated with people who don't have active accounts with your service. You'll also need to facilitate requests from non-users via a different channel.

Summary

To make the subject access request process as painless as possible, both for you and your data subjects, you need to:

  • Understand what types of information constitute personal data
  • Understand the other types of information about your data processing practices you need to provide
  • Inform users that they can make a subject access request and how they can do so (such as in your Privacy Policy)
  • Meet the one-month deadline in all but exceptional cases
  • Never charge for or refuse a request without good reason
  • Implement a solution that makes it easy for data subjects to make a request
  • Maintain good data protection practices so it's easy to locate personal data when required

Robert B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.