Subject Access Request
The EU General Data Protection Regulation (GDPR) introduces some changes to the current Data Protection Laws and to the procedure for making and responding to Subject Access Requests (SAR).
Richard Clinch/Susan Caffrey are appointed as the designated persons to deal with SARs. Subject Access Requests give data subjects/individuals the right to obtain:
- Confirmation that their data is being processed
- Access to their personal data
Article 15 of the GDPR sets out information to be provided to a data subject making a SAR as follows:
(a) Purposes of the processing
(b) Categories of personal data concerned
(c) Recipients or categories of recipient to whom the personal data have been or will be disclosed
(d) Where possible the envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period
(e) The right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
(f) Right to lodge a complaint with a supervisory authority
(g) Where the personal data are not collected from the data subject any available information as to their source
(h) The existence of automated decision-making including profiling
(i) The right to be informed of the appropriate safeguards relating to personal data transferred to a third country or an international organisation.
(j) The right to obtain a copy of personal data shall not adversely affect the rights and freedoms of others.
Seamus Maguire & Co holds personal data relating to clients, employees and suppliers. Seamus Maguire & Co must always be in a position to clearly identify the data subject making the request and will require proof of identification.
In most circumstances Seamus Maguire & Co will provide their data subjects with a copy of the information they request free of charge.
Where requests from a data subject are deemed to be manifestly unfounded, excessive or repetitive, Seamus Maguire & Co will either:
(a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested or
(b) refuse to act on the request
In circumstances where the request is refused because the request does not meet the criteria, e.g. the rights and freedoms of others may be adversely affected, please refer to the draft Data Protection Bill at Part 4, Chapter 2, Head 37, which sets out Restrictions. Appendix
Information to be provided within one month
Seamus Maguire & Co will endeavour to provide the data subject with the information without undue delay and in any event within one month of receiving the request.
In circumstances where requests are complex or numerous Seamus Maguire & Co are entitled to extend this period by two further months. Seamus Maguire & Co will and must still respond to the request within a month, explaining why the extension is necessary.
Where Seamus Maguire & Co does not take action on the request of the data subject, Seamus Maguire & Co shall inform the data subject without delay and at the latest within one month of the receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
How should the information be provided?
The information shall be provided in writing or by other means e.g. orally, electronically. Where the data subject makes the request electronically, the information shall be provided by electronic means where possible unless otherwise requested by the data subject.
In the event a data subject makes a request for access to their personal data held by this firm, the data subject must complete a SAR form together with any supporting documentation of verification and identification and submit it to firstname.lastname@example.org [responsible for handling SAR requests].
If data relating to a third party is identified then the firm shall deal with such third-party data in accordance with Article 15(4) GDPR.
A copy of the personal data held shall be provided to the data subject in accordance with the time limits set out.