The Right of Access allows an individual to obtain information about the personal data an organisation holds on them, supporting transparency about the lawfulness and accuracy of that information. In relation to GDPR, this would include:
- The personal data an organisation holds on them.
- Confirmation that their personal data has been processed.
- Supplementary information (for the most part, information that is shown in a privacy policy).
A request to access the above information is called a Subject Access Request.
How long does an organisation have to fulfil the Subject Access Request?
With a standard request, you need to reply without undue delay and no later than one month after the original receipt of the request. There are, however, situations in which this does not apply. These include:
- 3 months is allowed if the request consists of numerous separate requests or could be deemed complex. On these occasions, the individual needs to be told within the 1 month deadline that the longer period applies and why this is the case.
- You can refuse to answer (or charge an administrative fee) if the request is ‘unfounded’ or ‘excessive’. Again, if either of these routes is chosen, you need to inform the individual of the decision, and of their right to complain to the supervisory authority, within the 1 month deadline.
Within these deadlines, the requested information needs to be provided using ‘reasonable means’ such as a commonly used electronic format.
Why is it important to be aware of Subject Access Requests?
There are several reasons these requests need to be considered in detail by organisations processing data:
- Organisations need to make it simple for individuals to submit these requests.
- Once a request arrives and is receipted, the organisation is bound by a strict deadline and risks punishment if it is missed. It therefore needs to be able to collect all the necessary information held on the individual (leaving nothing behind) and to send that information to the requestor in a safe and reasonable way, all within the deadline.