Ireland’s Data Protection Commission has issued a guidance note on the right of access under the General Data Protection Regulation.
Key takeaways:
- Requests to access data are the majority of complaints received.
- If reasonably necessary to clarify the request, you may request that the requester specify the information or processing activities they want access to.
- A request may be made in writing or verbally. For a verbal request:
- record the time and date
- follow up in writing
- Even if you have a designated method or contact person for submission of requests, an individual may use another method or contact person, or contact any member of staff.
- A request does not need to contain any specific text to be valid.
- Request proof of identity only when reasonable and proportionate to do so.
- Only request the minimum amount of further information necessary and proportionate in order to prove the requester’s identity
- Keep requesters regularly updated on the progress of their request, and give them sufficient notice in advance of any potential delays.
- Respond to a request in the same way it was made, or the requester specifically asked. If making a verbal response, retain records.