Ireland’s Data Protection Commission has issued a guidance note on the right of access under the General Data Protection Regulation.

Key takeaways:

  • Requests to access data are the majority of complaints received.
  • If reasonably necessary to clarify the request, you may request that the requester specify the information or processing activities they want access to.
  • A request may be made in writing or verbally. For a verbal request:
    • record the time and date
    • follow up in writing
  • Even if you have a designated method or contact person for submission of requests, an individual may use another method or contact person, or contact any member of staff.
  • A request does not need to contain any specific text to be valid.
  • Request proof of identity only when reasonable and proportionate to do so.
  • Only request the minimum amount of further information necessary and proportionate in order to prove the requester’s identity
  • Keep requesters regularly updated on the progress of their request, and give them sufficient notice in advance of any potential delays.
  • Respond to a request in the same way it was made, or the requester specifically asked. If making a verbal response, retain records.

Read the full text of the guidance.