21 July 2020
Receiving a subject access request from one of your users can be a stressful experience. It's easy to appear unprofessional if you don't respond appropriately.
The UK Information Commissioner's Office reports annually on the most common type of complaints it receives. Every year, the number one spot goes to complaints about the improper handling of subject access requests.
To avoid enforcement action, reputational damage, and legal issues, you need to get this right.
This article will help you understand the rules on how to properly handle a subject access request, the information you need to provide and how to create a system that saves time for you and your users.
One of the chief goals of the GDPR is to provide data subjects with more control over how data controllers process their personal data.
This brings us to three of the GDPR's key definitions:
Your business is almost certainly a data controller in at least some respects.
From the perspective of your business, data subjects can be:
The GDPR gives data subjects eight powerful data subject rights over their personal data:
A subject access request is how data subjects can exercise their right of access.
A subject access request allows data subjects to request a copy of their personal data from data controllers, along with information about how the data controller uses their personal data.
Data processors can also be involved in carrying out a data subject request. A data processor may need to retrieve the relevant personal data on behalf of its data controller. But a data processor does not provide personal data to the data subject directly.
To know what sorts of information you need to provide a data subject following a subject access request, you need to understand what "personal data" means.
Under the GDPR, all sorts of information can be personal data, including:
There are no exceptions for particular types of personal data. You must provide all the personal data you hold about the data subject.
You can request ID if you're uncertain about the identity of the data subject.
Act proportionately. If the data subject has an account with you, you might only need to request they log into it. Don't be obstructive.
You must take care only to provide information about the data subject making the request.
However, avoiding revealing the personal data of others can be difficult in some cases. For example, the data subject might want copies of emails that name other people.
You shouldn't automatically refuse to provide the data subject with documents that mention other people. You might be able to redact such documents.
Where it is impossible to redact information, or where it would require disproportionate effort to do so, you should seek advice from your Data Protection Authority.
People usually think of subject access requests as a way for data subjects to request a copy of the personal data that a data controller holds on them.
However, the GDPR also requires data controllers to provide extensive information about how and why they process a data subject's personal data.
The GDPR lists eight types of information that data controllers must make available to data subjects on request.
Here's a breakdown of the information you might have to provide:
| Text from the GDPR | Translation | Example |
|---|---|---|
| The categories of personal data concerned | What types of personal data do you hold on the data subject? | We collect your full name, email address, shipping address. We also collect information about how you use our website and app. |
| The purposes of the processing | Why are you holding this personal data? What are you actually doing with it? | We use your personal data for activities such as processing your payment, and sending you your product. We also want to learn how you use our website and app so we can make improvements to it. |
| The recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations | What types of companies do you share personal data with? Are any of them based outside of the EU? (Note that you aren't actually required to reveal the names of specific companies, but you can do so.) | We may share your personal data with trusted business partners such as payment card processors, mail carriers, email marketing companies, and data analytics companies. We may also need to share your personal data with legal authorities upon receipt of a valid court order. Our email marketing partner, MonkeyMail, is based in Canada, a non-EU country. |
| Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period | How long do you intend to keep hold of the data subject's personal data? You might not have a predetermined period of months or years. So, how else do you decide when to delete personal data? | We store your name and email address for two years from the date of your last purchase. We store your shipping address until you close your account with us. We store part of your IP address for three days following your most recent visit to our website. |
| The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing | You must inform the data subject about their other data subject rights. | You have the right to request that we erase your personal data or amend any inaccurate personal data. We'll consider your request and respond within one month. In the meantime, we can temporarily move your personal data to a separate system. This serves to minimize access to your personal data while we consider your request. Let us know if you want us to do this. If you object to any of the ways in which we use your personal data, just let us know. We'll consider your objection and respond within one month. |
| The right to lodge a complaint with a supervisory authority | You must inform the data subject of their right to complain to a Data Protection Authority, and tell them which they would use to complain about your company (see our guidance on determining your data protection authority). | If you're not happy with the way we've carried out your request, or any other aspect of how we use your personal data, you can make a complaint to the Information Commissioner's Office. |
| Where the personal data are not collected from the data subject, any available information as to their source | The data subject will probably have provided most of the personal data you store on them. However, you might receive their personal data from other people too. If so, let them know. | As well as the personal data you provide us with, we also receive some personal data about you from other sources. When you applied for a job with us, we received information about you from the people you provided as your references. |
| The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject | If you make certain automated decisions, you need to tell the data subject about this. Include some information about your decision-making algorithm, and the consequences of its decisions. | We make certain decisions on an automated basis. If you apply for a loan, we may use information about your credit history to determine your eligibility automatically. This will include consideration of the number of payments you've missed. If our automated system determines that you're unlikely to be able to repay a loan, we may deny you credit. Please let us know if you would like one of our employees to manually review an automated decision. |
You have one calendar month to respond to a subject access request.
You can extend this period by a further month in exceptional circumstances. You should reserve this extension for exceptionally complex requests. You must let the data subject know that you need more time before the first month is up.
You may not charge a fee unless the request is:
There's no clear definition of these concepts. If you think a request might be manifestly unfounded or excessive, you'll have to make a judgment call.
If the data subject seems to be asking for an excessive amount of information, this doesn't necessarily make the request itself "excessive."
You can always ask the data subject for further clarification if their request seems very broad.
There's no set amount for the fee. It must be reasonable considering the cost of carrying out the request.
Again, this is only appropriate where the request is manifestly unfounded or excessive.
When refusing a subject access request you must inform the data subject about:
Consider how you would justify the decision in court if things go that far.
Let's face it. Receiving a subject access request can create a significant burden on your business. But there are steps you can take to reduce this burden.
The subject access request process will be easier if you:
It's in your interest to make this process as easy as possible for data subjects. Depending on the context of your business, the best solution could be:
It's important to set up a system to help data subjects make requests. But you can't insist that data subjects do things your way. If you receive a subject access request through another channel, you'll still have to respond.
This can be as simple as briefly describing the right of access and providing a contact email address. Here's an example from Arq:
We'll take a look at Facebook's subject access request process below.
You might sometimes receive vague or confusing subject access requests. Creating a subject access request form is a good way to avoid this.
By asking the right questions of data subjects, you can elicit a more precise and meaningful subject access request.
Here's an example from CWT:
CWT also uses this form to facilitate other user rights - erasure and rectification.
A form like this helps users know exactly what information they need to submit to you, which makes it easier for both them and you.
If your users can create an account with your service, you can implement front-end account controls to allow them to access their personal data. Automating the subject access request process could save you a lot of work.
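Pulling the rules in this article together, here is an added example (not TermsFeed's code, nor any real controller's) of what a minimal automated export behind such account controls has to do: return only the requester's own records, redact other people's names from free-text items such as emails, attach the eight types of information from the table above, and compute the one-calendar-month response date. The sample records, the fictional controller's answers and the "same day next month, clamped to month end" deadline rule are all constructed assumptions.

```python
import re
from calendar import monthrange
from datetime import date

# Constructed sample data store: each record belongs to exactly one data subject.
RECORDS = [
    {"subject": "alice@example.com", "category": "account", "value": "Alice Smith, 1 High St"},
    {"subject": "alice@example.com", "category": "email",
     "value": "Hi Bob Jones, please ship Alice Smith's order to 1 High St."},
    {"subject": "bob@example.com", "category": "account", "value": "Bob Jones, 2 Low Rd"},
]
# Constructed: which display name belongs to which data subject (used for redaction).
KNOWN_NAMES = {"alice@example.com": "Alice Smith", "bob@example.com": "Bob Jones"}

# The eight Article 15 items, answered for a fictional controller (assumption).
ARTICLE_15_INFO = {
    "categories": "full name, email address, shipping address, website/app usage",
    "purposes": "payment processing, shipping your product, improving our website and app",
    "recipients": "payment processors, mail carriers, email marketing (MonkeyMail, Canada)",
    "retention": "name/email: 2 years after last purchase; address: until account closure",
    "other_rights": "rectification, erasure, restriction of processing, objection",
    "complaint": "Information Commissioner's Office",
    "source": "provided by you, plus references you named when applying for a job",
    "automated_decisions": "none",
}

def redact_third_parties(text, requester, names=KNOWN_NAMES):
    """Mask other data subjects' names so only the requester's data is disclosed."""
    for subject, name in names.items():
        if subject != requester:
            text = re.sub(re.escape(name), "[REDACTED]", text)
    return text

def response_deadline(received_iso, extended=False):
    """One calendar month from receipt (two if extended), returned as an ISO date.
    Assumes 'same day next month', clamped to the last day of a shorter month."""
    received = date.fromisoformat(received_iso)
    carry, month0 = divmod(received.month - 1 + (2 if extended else 1), 12)
    year, month = received.year + carry, month0 + 1
    return date(year, month, min(received.day, monthrange(year, month)[1])).isoformat()

def build_sar_response(requester, received_iso):
    """Assemble what the data subject receives: their data plus the Article 15 info."""
    personal_data = [
        {"category": r["category"], "value": redact_third_parties(r["value"], requester)}
        for r in RECORDS if r["subject"] == requester
    ]
    return {"subject": requester, "personal_data": personal_data,
            "information": ARTICLE_15_INFO, "respond_by": response_deadline(received_iso)}
```

A real export would also log the request and the date it was received, since the one-month clock runs from receipt regardless of which channel the request came through.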
Take a look at Facebook's account controls:
Facebook users can then view their personal data by category:
Facebook also allows access to the information it holds about the user:
Facebook's account controls let users access all the personal data they could realistically want.
But don't forget - you might hold personal data associated with people who don't have active accounts with your service. You'll also need to facilitate requests from non-users via a different channel.
To make the subject access request process as painless as possible, both for you and your data subjects, you need to:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.