Complying with a subject access request
Receiving a subject access request
A subject access request may be made verbally or in writing, including via electronic means.
- If a request is made verbally, a record of that verbal request should be maintained to provide a clear trail of correspondence.
- If a request is made electronically, the response should be provided in a commonly used electronic form, unless otherwise requested by the individual.
Where the person making the request is not already known to the controller, the controller may take ‘reasonable measures’ to confirm that person's identity before responding. Identity checks should be proportionate: ask only for the information actually needed to confirm identity, and do not use the check as a way to delay or discourage the request.
No fee can be charged, unless the request is manifestly unfounded or excessive, in particular because of its repetitive nature (see general rules applying to rights).
Responding to an access request
Compliance with an access request must be without undue delay and in any event within one month of receipt (see Calculating "one month"). In limited circumstances, for example where requests are complex or numerous, this period may be extended by up to a further two months; the individual must be told of any extension, and the reasons for it, within the first month.
The controller must:
- Confirm to the individual whether their personal data are, or are not, being processed;
- If personal data are being processed, provide the individual with:
  - a copy of the personal data; and
  - information about:
    - the purposes of the processing;
    - the categories of personal data concerned;
    - the recipients or categories of recipient;
    - the retention period;
    - any available information as to the source of the personal data, if they were not collected from the individual;
    - the existence of any automated decision-making, including profiling, based on that personal data, and meaningful information about the logic involved, as well as the significance and possible consequences of that processing for the individual;
    - the safeguards in place if the personal data are being transferred outside the Island or the EU;
    - the rights of rectification, erasure, restriction and objection, and the right to lodge a complaint with the Commissioner.
The right of access can be restricted where "such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society". The controller must be able to demonstrate that any restriction imposed is necessary in the circumstances.
The restrictions on rights are set out in Schedule 9 of the Implementing Regulations.
Non-compliance with requests to exercise rights
If the controller is not taking action on an individual's request to exercise a right, it must inform the individual "without delay" (and at the latest within one month of receipt of the request) of:
- the reasons for not taking action; and
- their remedies, in particular the right to lodge a complaint with a supervisory authority (in the Island, the Commissioner) and to seek a judicial remedy.
All guidance about complying with subject access requests is available in the "Subject Access Request document library".