Date of publication: November 2016
Individuals who are resident in the EU are entitled to request details of any personal data held about them and any data being processed about them. This is known as a subject access request(“SAR”).
An individual can make a SAR at any time and there are certain obligations on data controllers related to these.
A SAR must be made in writing, however there is no prescribed format for this, so SARs made via email or even social media should be considered as legitimate requests requiring a response.
A third party can make a SAR on behalf of a compliant data subject but they cannot request information on a data subject for their own use.
This means that in most circumstances a parent is unable to request data held by a data controller of which their child is the subject, as the information will generally be for the parent’s use rather than the child’s.
Once a SAR has been made, the data controller must respond within 40 days. Additional information may be requested by the data controller in order to comply with the SAR, and verification can be sought of the requester’s identity.
The maximum amount that can be charged for the provision of information is £10 (in limited circumstances this can be increased to £50 where health or educational records are being requested).
If a third party is identified in any data that is requested by a subject, it will be necessary to assess the impact of disclosing this information or remove/redact any references to, or images of, the third party.
An individual can request compensation for non-compliance with a SAR.
Any publically available information is automatically exempt from a SAR. There are further, more specific forms of data that are exempt from a SAR such as data which is processed for certain crime or taxation reasons where the purpose of such processing is for:
Any references given in respect of an individual for employment, education and training are exempt. However, references received by a business would not be exempt from a SAR.
Data which is processed for management forecasting or management planning is exempt, and anything covered by legal professional privilege will be exempt.
Other information may be exempt due to the nature of the data or the effect of releasing that data. This is particularly relevant for records of an intention to negotiate, which are exempt in order to prevent prejudicing negotiations.
Should you have any queries about SARs then please do not hesitate Oury Clark solicitors where our team can advise on your responsibilities and best practice.
Disclaimer: This note does not contain a full statement of the law and it does not constitute legal advice. Please contact us if you have any questions about the information set out above or require any assistance with drafting or reviewing a contract.
Copyright © 2013 - Oury Clark.