
Data Subject Access Requests in Ireland

Published November 8, 2022
Author

Omer Imran Malik

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US


On 10 October 2022, the Irish Data Protection Commissioner (DPC) released its new guidance on Data Subject Access Requests along with Frequently Asked Questions.

This article provides an overview of the guidance that can help companies respond to data subject access requests and comply with the Irish Data Protection Act and the GDPR.

1. Facilitation of Subject Access Requests

The DPC recommends that data controllers provide a dedicated channel through which data subjects can make an access request, and have a system in place to collect all the relevant information that must be provided to the data subject. The DPC also recommends that controllers send the data subject an acknowledgement of receipt of the request.

The DPC notes that, since the GDPR does not prescribe any particular format for making a DSR request, the controller must be able to recognise a request made through other mechanisms as well, including a request made verbally. Controllers are required to take reasonable measures to facilitate DSR requests from minors and persons with disabilities.

2. Records of Requests and Security Measures

The data controller must keep a proper record system for access requests. The controller must record the time and details of each request, even if it is made verbally. In addition, data controllers are obliged to implement appropriate technical and organizational measures which ensure that, by default, only the personal data necessary for each specific purpose of the processing is processed, and which enable them to respond to an access request. Appropriate security controls help the controller locate all personal data it holds about the data subject making the request.

3. Data Subjects’ Identity Verification

Data controllers may request additional information from the data subject to confirm the requester's identity, but only to the extent necessary for identity verification. This is permitted only where the controller has reasonable doubts about the requester's identity.

The DPC recommends that controllers undertake a proportionality assessment, taking into account the type of personal data being processed, the nature of the request, the context in which the request is made, and any damage that could result from improper disclosure.

4. Clarification of the DSR Request

If a controller processes a large quantity of personal data, it can ask the data subject to clarify the scope of the request, to specify the information they want to be provided with, or to specify the processing activities to which the request relates.

The DPC, however, notes that clarification should be sought only where it is reasonably necessary to clarify a request, and must not unnecessarily delay the response. Data controllers must still respond to an access request even if the data subject does not reply to the request for clarification.

5. Response to the DSR Request

Data subjects have the right to obtain confirmation of whether the controller is processing any of their personal data and to receive a copy of the personal data that relates to them. In addition, individuals are entitled to know the following:

  • The purposes of the processing,
  • The categories of personal data processed,
  • Whom the personal data is shared with,
  • How long the personal data will be stored,
  • The existence of various data subject rights,
  • The right to lodge a complaint with the DPC,
  • The information about where the data was collected from,
  • The existence of automated decision-making (such as profiling), and
  • The safeguards in place if the personal data is transferred to a third country.

6. Manner of the Response

As a general rule, the data controller must respond in the manner in which the data subject made the request. For example, if a request is made electronically, the controller must provide the information in a commonly used electronic format. Similarly, where an individual makes a verbal access request, the controller may respond verbally. However, controllers must keep a record of the verbal access request along with the response provided to the data subject.

The data subject has the right to access his/her personal data in a durable format, i.e., the personal data provided must be capable of being retained by the requester for their own purposes. All information must be provided in an easily visible, intelligible and clearly legible manner. In certain circumstances, controllers may need to elaborate on the information, contextualizing it with a proper structure or explanation, especially where a large amount of information is processed.

7. Timeline to Respond

Data controllers must respond to a subject access request without undue delay and, at the latest, within one month of receiving the request. The request is considered received at the moment the organization becomes aware of it, or has constructive notice of an access request lodged through its established channels of communication, without needing to take any further steps to identify the requester.

The response period ends with the expiry of the last hour of the day in the following month that falls on the same date as the day on which the period started. The period includes public holidays, Saturdays and Sundays. For example, if an access request is received on 31st August, the response deadline expires on 30th September. The response period for an access request received on 22nd December expires on 22nd January at 23:59, regardless of the intervening Christmas holidays. An acknowledgement of receipt allows both the controller and the data subject to identify the date from which the response clock starts.

Even though the maximum time limit for responding to an access request is one month, the Irish DPC recommends that controllers aim to respond within 15 working days, or as soon as possible. Controllers must still respond within one month of receipt even if they decide not to take any action on the request, and must give their reasons for not doing so. In that case, the data subject must also be informed of the possibility of seeking a judicial remedy and lodging a complaint with the DPC.

8. Extension of Response Timeline

The response period can be extended by two further months in the case of complex requests, provided the controller notifies the data subject, within one month of receipt of the request, that it needs more time to respond, along with the reasons for the delay. In addition, the data subject must be informed of the possibility of seeking a judicial remedy and lodging a complaint with the DPC.

The Irish DPC provides a few examples where an access request may be considered complex:

  • If the data is not readily available in the system,
  • If the controller is required to employ extra resources in order to respond to the access request (however, if a controller normally has access to those technologies, or has the resources to easily deploy them or recover the data, the request may not be considered complex), or
  • If the controller needs to carry out considerable redaction of third parties’ data.
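The deadline rules in sections 7 and 8 have a month-end edge case (31st August rolls to 30th September) and an extension that runs from the same start date, so they are easy to get wrong in a DSR tracking system. The following Python is an added example written for this article; it is not code from the DPC or from Securiti. It assumes, as labelled in the comments, that the extended deadline is counted as three calendar months from receipt, and that a "working day" for the 15-day target is a weekday that is not in a holiday set supplied by the caller, since the guidance does not define the term.

```python
from datetime import date, datetime, time, timedelta
import calendar


def add_months(start: date, months: int) -> date:
    """Return the same calendar day `months` later.

    If the target month is shorter, clamp to its last day: this reproduces
    the DPC's worked example (31 August -> 30 September).
    """
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def response_deadline(received: date, extended: bool = False) -> date:
    """Statutory deadline: one month from receipt, counting every calendar day.

    Assumption (not stated in the guidance): an extension of two further
    months is counted as three calendar months from the receipt date.
    """
    return add_months(received, 3 if extended else 1)


def deadline_expiry(received: date, extended: bool = False) -> datetime:
    """The period ends with the last hour of the deadline day (23:59)."""
    return datetime.combine(response_deadline(received, extended), time(23, 59))


def target_response_date(received: date, working_days: int = 15,
                         holidays: frozenset = frozenset()) -> date:
    """DPC's recommended target: respond within `working_days` of receipt.

    Assumption: a working day is Monday to Friday and not in `holidays`.
    """
    day = received
    remaining = working_days
    while remaining > 0:
        day += timedelta(days=1)
        if day.weekday() < 5 and day not in holidays:
            remaining -= 1
    return day


def days_remaining(received: date, today: date, extended: bool = False) -> int:
    """Calendar days left before the statutory deadline; negative when overdue."""
    return (response_deadline(received, extended) - today).days


if __name__ == "__main__":
    # Constructed holiday set for illustration only, not an official calendar.
    sample_holidays = frozenset({date(2022, 12, 26), date(2022, 12, 27), date(2023, 1, 2)})
    for received in (date(2022, 8, 31), date(2022, 12, 22)):
        print(received, "->", response_deadline(received),
              "| extended:", response_deadline(received, extended=True),
              "| 15 working-day target:", target_response_date(received, holidays=sample_holidays))
```

Feeding the two dates from the guidance through `response_deadline` gives 30 September and 22 January respectively; the 15 working-day target is a planning aid and does not replace the statutory date.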

9. Fees

As a general rule, data controllers cannot charge data subjects for making a subject access request. However, in exceptional circumstances they can charge a reasonable fee based on administrative costs. These exceptional circumstances are:

  • If two or more access requests are manifestly unfounded or excessive, or
  • If additional copies of the personal data at issue have been requested.

In both of the above instances, the onus is on the data controller to demonstrate that it has incurred administrative costs beyond the organization's general expenses and that the fee charged is reasonable.

10. Limitations on the Right of Access

An access request may be refused if it is considered to be manifestly unfounded or excessive. A request may also be refused if the right to obtain a copy of data undergoing processing negatively impacts the rights and freedoms of others, such as privacy, trade secrets, or intellectual property rights.

If a controller receives an access request that necessarily requires it to disclose the personal data of third parties, it must obtain their consent or, in the absence of consent, carry out an assessment balancing the rights of the requesting individual against the rights of the third parties.

The Irish Data Protection Act provides additional circumstances when a subject access request may be limited, including the following scenarios:

  • processing for the purposes of exercising the right to freedom of expression and information, including processing for journalistic purposes or for the purposes of academic, artistic or literary expression,
  • processing for election purposes,
  • processing for important objectives of general public interest (e.g., to exercise or defend a legal claim or in relation to opinions given in confidence),
  • processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes,
  • processing of health data under the relevant legislation,
  • where it is necessary and proportionate for law enforcement purposes,
  • where it is necessary and proportionate to safeguard judicial independence and court proceedings, and
  • processing related to legal advice, privileged communications, or court orders.

The data controller may also be required to withhold certain information under other relevant Irish legislation (such as the Data Protection Act 2018 (Access Modification) (Health) Regulations 2022). Any limitation must be notified to the data subject within one month of receipt of the request, together with the possibility of lodging a complaint with the Irish DPC and seeking a judicial remedy.

How Can Securiti Help?

The obligation to respond to a data subject access request, and to retrieve the data requested, lies primarily with the data controller. Data processors, however, must assist the data controller in fulfilling its obligations. The data controller may outsource the handling of access requests to a data processor, provided the processor is able to comply with all data protection obligations relating to access requests under the Irish requirements; the data controller remains responsible for any violations or non-compliance.

In the case of joint controllers, data subjects have the right to exercise their access rights in respect of, and against, each of the joint controllers. The DPC emphasizes that joint controllers must have technical and organizational measures in place between them to ensure that every subject access request is dealt with within the deadlines.

Securiti’s Data Subjects Rights Fulfillment Solution helps companies comply with subject access requests within the stipulated deadlines. Ask for a DEMO to understand how we can help you ensure compliance with global privacy laws and regulations.
