Responding to a Data Subject Access Request – What additional information must be provided?
Article 15 of the General Data Protection Regulation (GDPR) establishes the right of Data Subjects to obtain access to personal data concerning them. In addition to providing for the right of access itself, Article 15 sets out the additional information that must be furnished with the response. In particular, it provides that Data Subjects are entitled to be informed whether or not personal data concerning them is being processed, and only where that is the case is a Data Subject entitled to the following additional information:
- Why their personal data is being used.
- The types of personal data held, for example, contact information, financial information and health information.
- The identity of those to whom their personal data has been or will be disclosed and, in particular, any recipients in third countries or international organisations.
- How long the Data Subject’s personal data will be stored. If it is not possible, at the time of responding to a request, to outline the exact period, you are required to provide additional information in relation to the criteria used to determine the retention time.
- Where the personal data has not been collected by you directly from the Data Subject, you must outline any available information you have on the source of that personal data: for example, that it was disclosed to you by a third party or obtained from online or public sources.
- Where the personal data is or will be subject to automated decision-making, including profiling, you are required to provide meaningful information about the logic involved in the decision-making process. In this instance, you must also set out the significance and the envisaged consequences of that processing for the Data Subject.
- If you transfer personal data to a third country or to an international organisation, you must inform the Data Subject of the appropriate safeguards under Article 46 that are relied on for the transfer. Note that a transfer includes simply giving someone located in a third country access to the personal data on your systems.
In addition to providing this information, at the time of your response, you are required to inform the Data Subject of the existence of their right to request from you the rectification or erasure of their personal data as well as their right to seek to restrict or object to the processing.
The DPC, in its guidance issued in October 2022, sets out that, when responding to a request for access, while the information set out above may be contained within your Privacy Notice, it is not sufficient simply to copy and paste that information from the Privacy Notice. Instead, the guidance requires that you adapt the information to the specific Data Subject.
An example of this can be seen under Articles 13 and 14, which set out the information to be contained in a Privacy Notice. In particular, these Articles require you to identify the recipients or categories of recipients to whom the personal data will be disclosed. Compliance with Articles 13 and 14 can therefore be achieved by simply outlining the categories of recipients. When responding to an access request under Article 15, however, where you are able to do so, you are required to identify the specific recipients of the personal data. It is not sufficient simply to categorise those recipients in a general way.
What information a Data Subject is entitled to was recently examined by the Court of Justice of the European Union in RW v Österreichische Post AG (Case C-154/21). In that matter the Court of Justice held that "the information provided to the data subject pursuant to the right of access provided for in Article 15(1)(c) of the GDPR must be as precise as possible. In particular, the right of access contains the ability of the data subject to obtain from the data controller information about the specific recipients to whom the data has been or will be disclosed or, alternatively, to elect merely to request the information concerning the categories of recipients".
The Court of Justice went on to say however that “it may be accepted that, in specific circumstances, it is not possible to provide information about specific recipients. Therefore, the right of access may be restricted to information about categories of recipients if it is impossible to disclose the identity of the specific recipients, in particular where they are not yet known”.
As a consequence, when responding to an access request, in addition to providing the Data Subject with a copy of the personal data undergoing processing (which, for the avoidance of doubt, does not require you to provide a copy of the actual document in which the personal data is found), you must provide the additional information set out above in a way that is specific to the Data Subject, rather than simply repeating the general information contained in your Privacy Notice.
The DPC's guidance to Data Controllers processing a request for access states that, "even if the requester has not explicitly asked, for example, for the copy of the personal data at issue, it is nonetheless recommended that whenever an access request is made, Data Controllers provide the requester with all the information referred to in Article 15 GDPR."
If you intend to restrict a Data Subject's right of access under, for example, Section 60 or Section 162 of the Data Protection Act 2018, then for each item of personal data to which a restriction has been applied you are required to provide:
- a reference number for the restricted document;
- a description of the personal data (its subject matter);
- the date on which the data was created;
- the reason for the refusal or restriction; and
- the section of the Act under which the right of access is restricted.
Lastly, you are required to inform the Data Subject of their right to lodge a complaint with the supervisory authority, which in Ireland is the Data Protection Commission (DPC).