“Privacy is dead, and social media holds the smoking gun.”
Pete Cashmore – CEO of Mashable
You have the right to obtain the following from the data controller (party who holds your personal data) under Art 15 of the GDPR:
- Is personal data concerning you being processed?
- Confirmation as to what personal data concerning you is being processed along with a copy of same.
Confirmation as to all or any of the following:
- Purpose(s) of the processing;
- Categories of personal data;
- Any recipient(s) of the personal data to whom the personal data has or will be disclosed, in particular recipients in third countries or international organisations and information about appropriate safeguards;
- The retention period or, if that is not possible, the criteria used to determine the retention period;
The existence of the following rights:
- Right to rectification;
- Right to erasure;
- Right to restrict processing;
- Right to object;
- as well as information on how to request these from the controller
The right to raise a concern with a supervisory authority (in Ireland this is the Data Protection Commission).
Where personal data is not collected from the data subject, any available information as to its source.
The existence of automated decision-making, including profiling and meaningful information about how decisions are made, the significance and the consequences of processing.
HOW DO I EXERCISE THE RIGHT OF ACCESS UNDER GDPR?
There is no particular method for making a valid access request; however, we can help you with a proper template. It is best to be as specific as possible in relation to the personal data you wish to access. You may be asked to provide evidence of your identity. This is to make sure that personal information is not given to the wrong person.
CAN I BE CHARGED A FEE TO MAKE AN ACCESS REQUEST UNDER GDPR?
In most cases individuals cannot be required to pay a fee to make a subject access request. A fee may be required only in certain very limited circumstances, per Article 12(5) GDPR, where the initial request is ‘manifestly unfounded or excessive’ (which the controller must prove).
IN WHAT FORMAT SHOULD THE INFORMATION I REQUEST UNDER GDPR BE PROVIDED?
The general rule is that a controller should respond to your access request in the same way the request was made (if requested by email, then the data should be sent by email), or in the way in which you specifically asked for a response.
ARE THERE ANY LIMITS TO MY RIGHT OF ACCESS UNDER GDPR?
Under Article 12(5) GDPR, in limited circumstances, where an access request is ‘manifestly unfounded or excessive’, a controller may also, where appropriate, refuse to act on the request.
This is, however, a high threshold to meet, and the controller must be able to prove same. If you are unhappy with any outcome regarding your rights of access, please contact our data protection solicitors.
HOW CAN WE HELP YOU?
CONSULTATION
A consultation with our data protection solicitors will help us and you to understand the nature of your concern and allow us to strategize the best path forward for you.
REVIEW
Our data protection solicitors will require copies of all relevant documentation in order to fully consider your concern.
ADVICES
Based on stages 1 and 2 above, our data protection solicitors issue a letter of advices advising you as to the strength of your claim.
RESOLVING OF MATTER
At this point we approach the entity that has infringed your GDPR rights in an effort to resolve matters swiftly with respect to your claim.
PROCEEDINGS
If Stage 4 is unsuccessful, we will advise you on the merits of pursuing court proceedings with a view to achieving the best possible result for you.