How to make a Data Subject Access Request?
How to make a Data Subject Access Request?
Article 15 of the EU General Data Protection Regulation (“GDPR”) gives data subjects (e.g. individuals) the right to access the data that companies hold about them.
Data subject access requests are used to access data that an employer (former, current or potential) holds about you. If you make a request, you are entitled to be given a copy of any personal data held on you. This could be in emails, but also databases, word processing systems, CCTV records, telephone records both for landline and mobile phones, internet logs, automated payroll systems, records of automated door entry systems such as swipe cards. If you make your request by electronic means (e.g. email), the response should also be in electronic form (Article 15(3) GDPR).
Your employer (or ex-employer) must respond within a month of receipt of the request (Article 12(3) GDPR), although they can extend this period by up to two months in certain situations (e.g. if your request is particularly complex). Employers can ask you to give evidence to confirm your identity (a photocopy of your passport should do the trick). There used to be a fee of £10 payable to the company from which you have requested information, but this no longer applies (as of 25 May 2018) (Article 12(5) GDPR).
Employers generally answer such requests because if they refuse or give incomplete or inaccurate answers, you can make:
- A statutory request to the Information Commissioner asking the Commissioner that there has been an infringement of the GDPR (Article 77 GDPR). The Commissioner will have to make an assessment and can serve a notice on an employer requiring it to give him information. Employers generally do not like to be referred to the Information Commissioner! (Article 57(1)(f) read together with section 165 of the Data Protection Act 2018 (“DPA 2018”))
- An application to court alleging breach of the subject access request rules and seeking an order for the purposes of securing compliance (sections 165 and 167, DPA 2018).
- A claim for damages against the employer and, if you can show you have suffered damage, a claim for compensation (Article 82(1) GDPR) and the right to obtain the rectification of inaccurate data (Article 15(1)(e) GDPR).
If you are thinking about lodging a claim in the employment tribunal, it is often a very useful way to get information and to put pressure on your employer. Below is an example of how to make a Data Subject Access Request in the form of a letter. Under the GDPR, you can technically make requests to access your data orally or by other electronic means (e.g. an email, a Facebook message or even a tweet!). You can also find more information on the Information Commissioner website.
Dear [NAME OF ADDRESSEE],
DATA SUBJECT ACCESS REQUEST UNDER THE GENERAL DATA PROTECTION REGULATION
I am writing to make a data subject access request pursuant to Article 15 of the General Data Protection Regulation. [I [am OR was employed OR engaged] by [NAME OF EMPLOYER] as [POSITION IN DEPARTMENT OR DIVISION] [between DATE and DATE].
I applied for [role OR work] with [NAME OF EMPLOYER] on [DATE]. I understand that you hold and process data about me.
SCOPE OF MY REQUEST
[This is a general request that relates to any personal data processed by or on behalf of [NAME OF EMPLOYER]. To help you comply with the request, you should know that it is likely that personal data is held relating to the following matters: [SET OUT MATTERS]
Although [NAME OF EMPLOYER] processes a wide range of personal data about me, this request is confined to data concerning:
- The decision to [SUBJECT MATTER].
- Allegations about [SUBJECT MATTER].
LOCATING THE PERSONAL DATA
I envisage that a number of individuals may process personal data in connection with the above. Some of the data processed will be held in the form of sent and received emails and word-processed documents. Presumably these can be identified through the use of search tools.
In relation to emails, you may limit the search to emails between [NAMES] during the period [DATES]. However, in relation to [SUBJECT MATTER] please ask [NAMES] whether any of them is aware of others who are likely to have exchanged emails containing personal data relating to me. If so, please let me know who those others are and search the emails of anyone that any of them identifies as well as those individuals mentioned above.
REQUEST FOR FURTHER INFORMATION
[I have mentioned above those individuals who I believe may have processed data about me. Amongst other aspects, I am concerned about how the [SUBJECT MATTER, FOR EXAMPLE, RECRUITMENT EXERCISE, REDUNDANCY EXERCISE] was carried out. Please could you let me know which individuals were involved in decision-making in relation to that process so that I can decide whether to make a more specific subject access request in relation to that situation].
VARIANT EXPRESSIONS OF MY NAME
My full name is spelled [NAME]. However, I have found people using a number of variant spellings including [VARIATIONS]. I am also referred to as [NICKNAMES]. I would like you to search for each of these variations, particularly when searching email records and other word-processed documents.
INFORMATION TO SUPPLY
Once you have identified personal data within the scope of this request, please provide a copy of the information constituting personal data and also:
- Provide a description of the data and the categories of personal data concerned.
- Explain the purposes for which the data is processed.
- Identify the source or sources of the data.
- Set out to whom the data has been disclosed or may be disclosed, in particular recipients in third countries or international organisations.
- Set out, where possible, the envisaged period for which the data will be stored, or, if not possible, the criteria used to determine that period.
- State whether there has been any automated decision-making using the data, including profiling, and if so, any meaningful information about how it was based, as well as the significance and the envisaged consequences for me of such processing.
[CONFIRMATION OF IDENTITY]
[Although I assume you are aware who I am, to avoid any doubt or delay I enclose a copy of my [driving licence] [passport] to confirm my identity.]
I look forward to hearing from you within one month.