The GDPR imposes strict new rules on how organisations can handle the personal data of EU citizens. One of the most significant changes is the introduction of the right for individuals to make what are known as ‘subject access requests’.
Under the GDPR, individuals have the right to request access to their personal data, as well as certain other information, from organisations that are holding or processing their data. This is known as a subject access request.
Organisations must provide individuals with this information within one month of receiving the request. They must also provide it free of charge, unless the request is unfounded or excessive.
Subject access requests can be made orally or in writing. However, organisations are entitled to request verification of an individual’s identity before providing any information in response to a request.
Organisations must respond to subject access requests without delay and at the latest within one month of receipt. This period can be extended by a further two months where the request is complex or a large number of requests have been made.
Organisations must provide individuals with the information they request in a clear, concise and easily accessible format.
If an organisation refuses to comply with a subject access request, it must explain its reasons for doing so to the individual in writing. The individual also has the right to lodge a complaint with the supervisory authority if they believe their rights have been infringed.