Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

New: Make an Access Request

From 25th May 2018, the General Data Protection Regulation (GDPR) introduces more clearly defined rights of information and access for individuals in respect of their personal data.

RIGHT OF INFORMATION

Under Article 13 and 14 of the GDPR, you have a right to be informed as to how your personal data is being processed (handled or used) by an organisation. In particular, at the time the organisation obtains personal data from you, it should advise you of (among other things), the purpose(s) of - and legal basis for - the processing of your data; any other recipient(s) of your data); how long it retains your data, or the criteria by which it determines how long it retains your data; and the existence of any automatic decision making processes applied to your data.

Moreover, where the personal data has not been obtained from you, the organisation must provide you with additional information relating to the types of personal data it holds and how it obtained this data. This information should be provided to you within a reasonable period, and at the latest within a month of the organisation obtaining the data (as per Article 12 of the GDPR). If the data is used to communicate with you, the information about the types of data obtained and how it was obtained should be provided to you, at the latest, when the first communication takes place. If it is expected that your personal data will be disclosed to another recipient, the information should be provided to you when your personal data is first disclosed.

RIGHT OF ACCESS

Under Article 15 of the GDPR, you have a right to obtain a copy, of any information relating to you kept on computer or in a structured manual filing system or intended for such a system by any organisation. All you need to do is write to the organisation and request, under the GDPR, a copy of the personal data it holds in relation to you.

Your request could read as follows:

Dear
...
I wish to make an access request under Article 15 of the General Data Protection Regulation (GDPR) for a copy of any information you keep about me, on computer or in manual form in relation to...

(Please be as specific as possible in relation to the personal data you wish to access).

You may be asked to provide evidence of your identity. This is to make sure that personal information is not given to the wrong person.

 

In the normal course of events, an organisation will be obliged to respond to your access request within one month of receiving the request (most organisations manage to reply much sooner). In certain limited circumstances, the one month period may be extended by two months (taking into account the complexity of the request and the number of requests). Where an organisation is extending the period for replying to your request, it must inform you of any extension, and the reason(s) for the delay in responding, within one month of receiving the request.

There is no fee payable by you to make an access request - the organisation must deal with your request for free. However, where the organisation believes a request is manifestly unfounded or excessive (for example where an individual makes repeated unnecessary access requests), the organisation may either charge a fee taking into account its administrative costs in dealing with the request(s), or refuse to act on the request(s). The burden of demonstrating why a request is manifestly unfounded or excessive rests on the organisation.

Exceptions to the right of access

The Data Protection Act 2018 sets out some limited circumstances in which an organisation may not be required to provide you with a copy of your personal data1. In particular, an organisation may be exempt from providing you with personal data if a restriction of your right of access is necessary: 
  • to safeguard cabinet confidentiality, judicial independence and court proceedings, parliamentary privilege, national security, defence and the international relations of the State
  • for the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties
  • for the administration of any tax, duty or other money due or owing to the State or a local authority.
  • in contemplation of or for the establishment, exercise or defence of, a legal claim, prospective legal claim, legal proceedings or prospective legal proceedings whether before a court, statutory tribunal, statutory body or an administrative or out-of-court procedure
  • for the enforcement of civil law claims, including matters relating to any liability of an organisation in respect of damages, compensation or other liabilities or debts related to the claim, or
  • For the purposes of estimating the amount of the liability of an organisation on foot of a claim for the payment of a sum of money, whether in respect of damages or compensation, in any case in which the application of those rights or obligations would be likely to prejudice the interests of the organisation in relation to the claim.

 

In addition, an organisation may not be required to provide you with a copy of your personal data where the data consists of an expression of opinion about you by another person given in confidence, or on the understanding that it would be treated as confidential, to a person who has a legitimate interest in receiving the information.

An individual's right of access may also be restricted where, in the opinion of a medical professional, to grant access to the data would be likely to cause serious harm to the individual's physical or mental health. Access to personal data kept for, or obtained in the course of, carrying out of social work by a public authority, public body, voluntary organisation or other body may be similarly restricted2.

Access to personal data may also be restricted where such restrictions are necessary for the purposes of safeguarding important objectives of public interest.

An organisation may also be exempt from providing you with access to copies of personal data that is processed for archiving purposes in the public interest, or for scientific or historical research purposes or statistical purposes, where the granting of access to the data would be likely to render impossible, or seriously impair, the achievement of those purposes, and where the restrict of access rights is necessary for those purposes.

Finally, the GDPR also provides that the right to obtain a copy of your personal data must not adversely affect the rights and freedoms of others. For example, when responding to an access request, an organisation should not provide the requestor with personal data relating to a third party that would reveal the third party’s identity. 3

 

Further information on limiting data subject rights and the application of Article 23 of the GDPR can be found here

 

What if an organisation fails to respond to my access request?
If an organisation does not comply with a valid access request that you have made, it is open to you to make a complaint to the DPC. Before doing so it is recommended that you contact the organisation in question to establish the circumstances and to indicate your intention to complain to this Office. The organisation may be in a position to correct the problem there and then. Our experience is that contacting the organisation again directly in relation to your access request can often result in the matter being resolved.

If, having contacted the organisation directly, you are not satisfied with its response, or if you do not receive a response, at that point you may wish to raise a concern with this Office. The webform for contacting us to raise a concern is here

For more information about your rights to information and access under the GDPR, please see the following link: http://gdprandyou.ie/gdpr-for-individuals

ACCESS REQUESTS MADE BEFORE 25th MAY 2018

If you have made an access request to an organisation before 25th May 2018, the organisation's responsibilities in relation to your request are governed by the legislative regime which was in place before the GDPR came into effect. In Ireland, the relevant pieces of primary legislation are the Data Protection Acts 1988-2003 ("the Acts"). In relation to access requests made before 25th May 2018, the Acts contain the following provisions:

Under section 3 of the Acts, you have a right to find out, free of charge, an organisation holds information about you. You also have a right to be given a description of the information and to be told the purpose(s) for holding your information. An organisation that receives a request under section 3 of the Acts must respond within 21 days.

Under section 4 of the Acts, you have a right to obtain a copy, of any information relating to you kept on computer or in a structured manual filing system or intended for such a system by any entity or organisation. If you have made an access request under the section 4 of the Acts, the organisation may ask you to pay a fee of €6.35.

Once you have made your request, and paid any appropriate fee, the Acts provide that you must be given the information within 40 days (most organisations manage to reply much sooner).

Are there any exceptions to the right of access under the Data Protection Acts 1988-2003?
Yes. Sections 4 & 5 of the Acts set out a small number of circumstances in which your right to see your personal records can be limited. This is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand. For example, a criminal suspect does not have a right to see the information held about him by An Garda Síochána, where that would impede a criminal investigation. Similarly, you do not have a right to see communications between a lawyer and his or her client, where that communication would be subject to legal privilege in court. The right of access to medical data and social workers' data is also restricted in some very limited circumstances, where the health and mental well-being of the individual might be affected by obtaining access to the data. Your right to obtain access to examination results and to see information relating to other people is also curtailed. Further details on all of these points can be obtained by clicking on the link below.

Exceptions to the right of access.

What if an organisation fails to respond to an access request made under the Data Protection Acts 1988-2003?
If an organisation does not comply with a valid access request that you have made, it is open to you to make a complaint to the DPC. Before doing so it is recommended that you contact the organisation in question to establish the circumstances and to indicate your intention to complain to this Office. The organisation may be in a position to correct the problem there and then. Our experience is that contacting the organisation again directly in relation to your access request can often result in the matter being resolved.

If, having contacted the organisation directly, you are not satisfied with its response, or if you do not receive a response, at that point you may wish to raise a concern with this Office. The webform for contacting us to raise a concern is here

 

[1] Sections 60 and 61 of the Data Protection Act 2018.

[2] SI 82 of 1989 (health data); SI 83 of 1989 (social work data); section 68(2)(a) & section 68(3) Data Protection Act 2018

[3] Article 15(4) GDPR

 


Data Protection Commission, Canal House, Station Road, Portarlington, Co. Laois, R32 AP23, Ireland.
Phone +353 (0761) 104 800 | LoCall 1890 25 22 31 | Fax +353 57 868 4757 | email info@dataprotection.ie