Making a subject access request
Article 15 of the Applied GDPR provides the right of access to personal data.
The exercise of this right is commonly known as making a ‘subject access request’. You can make a request at any time. Although it is often used before exercising any of your other information rights, it can be exercised to find out whether any information about you is being processed or not.
- This right does not entitle you to copies of documents – the right is only to the information which is about you (that is, your "personal data").
How to make a subject access request
You must make a subject access request to the ‘controller’ which is processing your personal data. The controller may, for example, be a business, government department, or any other organisation which you think may have your personal data. The controller is referred to as an “organisation” on this page.
The request can be made to the organisation verbally or in writing. If you do make your request verbally, we recommend you follow it up in writing to provide a clear trail of correspondence. Doing so will provide clear evidence of your intentions if a dispute arises.
If you make your request electronically, the organisation will respond by the same method, unless you ask otherwise.
The organisation may ask you to provide some form of identification if it does not know you. This is to help the organisation make sure it is searching for personal data about the correct person and to prevent personal data being given to the wrong person. An example of the wording you can use to make a request is included in the Annex to the document below.
Can I make more than one request?
Although you can make requests to an organisation for access to different information, if you ask for the same information more than once the organisation may refuse to act if your request is ‘manifestly unfounded or excessive’.
If you are considering resubmitting a request for the same information, you should think about whether:
- it is likely that your data has changed since your last request;
- enough time has passed for it to be reasonable to request an update;
- your data is being used differently; or
- the organisation has changed its activities or processes recently.
The organisation cannot charge you a fee for making a request or for providing you with a copy of the personal data sought by your request.
However, a charge can be levied if you request further copies; this must be based on administrative costs.
- If your request is manifestly unfounded or excessive, particularly if it is a repeat request for the same information, the organisation may charge a fee if it decides to act on your request.
Organisations must respond to your request without undue delay and in any event within one month of receipt of the request. In exceptional circumstances, for example if the request is particularly complex, the time period may be extended by a maximum of a further two months. However, the organisation must let you know that there will be a delay and the reasons for it before the end of the first month.
More about how one month is calculated is on the website at: https://www.inforights.im/information-centre/data-protection-law-2018/rights/calculating-one-month/
What you should be given
If your personal data is being processed you should be given a copy of the information you have requested and be told:
- why the personal data is being processed (the purposes)
- what personal data is being processed (the categories)
- who it has been, or may be disclosed to (the recipients)
- how long it will be kept (retention period)
- the source of the data (if it did not come from you and if that information is available)
- what safeguards are in place if the personal data is being transferred to a third country
- that you have other rights of rectification, erasure, restriction of processing, and objection to processing
- that you can make a complaint to the Commissioner
If automated decision-making or profiling is used, you should be provided with meaningful information about the logic involved as well as information about the significance and envisaged consequence of the processing for you.
Can the organisation refuse to act or give me the information?
The organisation can refuse to act:
- if it demonstrates that it is not in a position to identify you
- if the request is manifestly unfounded or excessive
The organisation can refuse to give you some information if it includes information that identifies another individual, unless:
- the other individual has agreed to the disclosure, or
- it is reasonable to provide you with this information without the other individual’s consent.
In deciding this, the organisation must balance your right to access your data against the other individual’s rights regarding their own information. However, the organisation must still provide as much information to you as possible by omitting, or redacting, the name of the other individual or other identifying particulars. As this right is not a right to copies of documents, this can also be achieved, for example, by extracting the information about you and inserting it into a new document.
There are also a number of restrictions on the right of access in certain circumstances. More information is available on the website at: https://www.inforights.im/information-centre/data-protection-law-2018/rights/restrictions-on-rights/
What to do if you are unhappy with how your request was handled
If you do not receive a response, or are unhappy with how your request was handled, you should firstly make a complaint to the organisation. This should be in writing as it will give you evidence of your actions.
If the matter remains unresolved, then you are entitled to make a complaint to the Commissioner.
You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise that you seek independent legal advice from a Manx advocate first.
More guidance about subject access requests is available in the Subject Access Request document library.