A Practical Guide to Managing GDPR Data Subject Access Requests – Second Edition (150)

CHAPTER ONE – WHAT IS AN ACCESS REQUEST?

Introduction

In this chapter, we look at some of the basic concepts and definitions as they relate to Access Requests.

A Data Subject Access Request (which I will refer to as an ‘Access Request’ throughout the book for ease of reference) is a right to access personal data under Article 15 of the EU General Data Protection Regulation (GDPR).¹

Individuals have a right to obtain a copy of their personal data as well as other supplementary information. It helps people understand how your company is using their data and whether you are doing so lawfully.

For example, Clare has an argument with her solicitor about the fees she was charged for her conveyance. She believes her solicitor has overcharged her for the work performed. She sends her solicitor an email asking to see copies of all the personal information the solicitor holds about her. Clare has made an Access Request.

We discuss these concepts in more detail within the book.

Access Requests only entitle individuals to see their personal data. Individuals do not have a right to see non-personal data under the Right of Access.

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU Regulation which regulates the processing of personal data. The GDPR applies to companies processing personal data if those companies are either:

In the EU or
Outside the EU but:
1. offering goods or services to individuals in the EU or
2. monitoring the behaviour of those individuals in the EU (for example, by tracking their online behaviour).²

Both Processors and Controllers (see below) are caught by GDPR if they fall into 1. or 2. Above.

GDPR grants individuals in the EU a number of Rights including the Right to Access, Erase and even Rectify their personal data.

Does GDPR still apply in the UK?

Yes. GDPR is still part of UK law as ‘UK GDPR’. In practice, UK GDPR is virtually identical to the original EU GDPR save for some minor amendments. After Brexit, the UK can set some of its own rules relating to Data Protection law. However, most of the legal principles, including those relating to Access Requests, remain the same. The UK GDPR operates together with the UK Data Protection Act 2018 (‘DPA 2018’). The DPA 2018 and UK GDPR are the framework for data protection law in the UK

The UK Data Protection and Digital Information Bill (published in July 2022) which has not yet passed into law, may make some amendments to the rules on Access Requests. Under this bill, companies may have more power to refuse vexatious requests.

Who does UK GDPR apply to?

UK GDPR applies to organisations in the UK that process the personal data of individuals.
UK GDPR also applies to organisations based outside the UK if their processing activities relate to:

- offering goods or services to individuals in the UK; or
- monitoring the behaviour of individuals in the UK.

As the ICO has said ‘There are also implications for UK controllers who have an establishment in the EEA, have customers in the EEA, or monitor individuals in the EEA. The EU GDPR still applies to this processing’.

What is the Data Protection Act 2018?

The Data Protection Act 2018 (DPA 2018) is a UK Law which supplements and amplifies GDPR in the UK in a number of areas including in the area of Access Requests. GDPR allows national laws to include some exemptions or exceptions to GDPR. The DPA 2018 implements some of those exemptions including in the area of Access Requests. These exemptions are discussed in more detail in
Chapter 9.

What is the ICO?

The Information Commissioner’s Officer (ICO) regulates data protection in the UK. The ICO deals with complaints from the public about their data are processed. The ICO have the power to conduct audits of companies, and can take enforcement action against companies for breach of law and regulation including GDPR. The largest fine the ICO has imposed to date is £20 million imposed against an airline for a data breach incident.

What is personal data?

The right of access relates to “personal data”.

Article 4(1) of GDPR states that ‘personal data’ means:

any information
relating to an identified or identifiable natural person (‘data subject’).

For ease of reference I sometimes use the word ‘data’ in this book when I am referring to personal data.

What is an identifiable person?

Personal data is information that relates to an identified or identifiable natural person.³

Sometimes, we can identify someone directly from the personal data, for example, from their full name.

On other occasions, we may not be able to identify the person directly from the data on its own. However, we may be able to identify the person from the data by linking it to other data or through making further enquiries.

For example, we might have an email in which an employee ID number is mentioned. On its own, the ID number does not reveal anything. However, when enquiries are made it transpires that the employee number belongs to Sharon, a Doctor with London Medical. The ID number is therefore Sharon’s personal data. We could not identify Sharon directly from the ID number on its own, but we could identify her indirectly (i.e. after making further enquiries). Therefore, the ID number is personal data.

What kinds of information can be personal data?

Personal data can come in a variety of forms. Remember, personal data is:

any information
relating to an identified or identifiable natural person (‘data subject’).

For example, David works as a manager at Silver Bank. He has been there for 15 years. Silver holds a lot of David’s personal data including:

His name and address
Location data relating to David
Information about his performance at work
Opinions about David expressed by his colleagues in emails
David’s sickness record
CCTV footage of David entering and leaving the building
Call records of conversations David had with Human Resources
Details of David’s browsing history at work

All of these things at A. – H. are David’s personal data because they:

Are data or information and
They relate to David.

Wide interpretation of personal data

The GDPR definition of personal data is very wide. Virtually any data that relates to an individual is likely to be their personal data.

What is a data subject?

The human being to whom the personal data relates. The data subject has the right to make a Data Subject Access Request.

What is a Controller?

A Controller the entity in control of the personal data. Specifically, he Controller is the organisation that ‘determines the purposes and means of the processing of personal data’.⁴ In other words, they decide how and why the person’s personal data is processed.⁵ If your company is a Controller, then they must comply with the Access Requests they receive from their employees, customers and anyone on whom they hold personal data.

What are Joint Controllers?

Joint Controllers are ‘two or more controllers jointly determining the purposes and means of the processing’.⁶ For example, two law firms working together on behalf of the same client on the same case could be joint controllers.

What is a Processor?

‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.⁷ Processors must do what they are told with the personal data.

Many companies use third parties to help them carry out their business operations, for example, IT support businesses, couriers, payroll services, waste disposal etc.

If Company Ais hired by Company B to help it with its operations, then that company may be a Processor depending on the nature of the agreement between them. If Company B is given no autonomy over the personal data they are processing as part of the agreement, then Company B is a Processor. Processors must do what they are told with the personal data they receive from the Controller.

Processors must be careful not to step outside their instructions from the Controller. If they do, they may become a Controller.⁸

For example, Bling Car Sales use E-Z Payroll to process their employee payroll data. Bling is a Controller for Bling’s ’s employee personal data and E-Z is a Processor in respect of Bling’s employee personal data.

Do all companies caught by GDPR need to comply with
Access Requests?

No. Controllers must comply with Access Requests. Controllers are the companies that bear the ultimate legal responsibility for the data processing under GDPR.

Can Processors ignore DSAR requests?

No. Processors may have responsibilities under their contract with the Controller to assist the Controller with Access Requests they receive. For example, the Processor might be storing or holding the individual’s data on the Controller’s behalf. The Controller may need assistance from the Processor in locating that data so the Controller can send it to the individual.⁹

For example, as we said above, Bling Car Sales use E-Z Payroll to process their employee payroll data. Bling is a Controller for the firm’s employee data and E-Z is a Processor. Bling receive an Access Request from Jim, a trainee Sales Manager at Bling. Jim wants access to all of his personal data. Some of Jim’s data is held by E-Z. Bling reach out to E-Z to ask them for a copy of the payroll data. They add that to the other data they hold on Jim and they send it on to Jim.

What does ‘processing’ personal data mean?

Processing means “any operation or set of operations which is performed on personal data”.¹⁰ Doing anything with personal data including deleting it or storing it falls under the definition of processing.

What are the special categories of personal data?

There are certain categories of personal data that require extra protection under GDPR. These categories of personal data are known as the special categories of personal data. They are sometimes referred to as ‘sensitive personal data’.

The special categories are personal data ‘relating to revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation’.¹¹

The more sensitive the data, the more it is incumbent on the Controller to put appropriate security in place around the personal data.¹²

The potential consequences of failing to comply with GDPR Access Request obligations

There are three potential consequences:

A Regulatory Sanction – Breach of the rules on Access Requests can lead to a fine. The maximum fine under UK GDPR is up to £17.5 million or 4% of total worldwide annual turnover, whichever is higher, although fines levied by Regulators must be ‘proportionate’.¹³ Failing to comply with Access Requests may not mean that your company is fined but it may encourage a Regulator to investigate your company or even issue another regulatory sanction such as an Enforcement Notice.¹⁴ In 2021/2022, 37% of the complaints received by the Information Commissioner’s Office related to Access Requests.¹⁵
Legal action – Any person who suffers damage as a result of a breach of any of their GDPR rights can sue the Controller or Processor for compensation.¹⁶ In other words, they can sue if their Data Subject Access Request is ignored or not fully complied with.

If a person’s Access Rights are not upheld, then the person can:

Apply to court for an order forcing the Controller to comply with the Access Request and/or
Sue for compensation for breach of the person’s subject access rights.

Criminal Offence – In some cases, failing to comply with the law on Access Requests can be a criminal offence. It is a criminal offence to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the Access Request would have been entitled to receive.¹⁷