Menu

Making a subject access request

Article 15 of the Applied GDPR provides the right of access to personal data. 

The exercise of this right is commonly known as making a ‘subject access request’. You can make a request at any time. Although it is often used before exercising any of your other information rights, it can be exercised to find out whether any information about you is being processed or not.

How to make a subject access request

You must make a subject access request to the ‘controller’ which is processing your personal data.  The controller may, for example, be a business, government department, or any other organisation which you think may have your personal data and is referred to as an “organisation” on this page. 

The request can be made to the organisation verbally or in writing. If you do make your request verbally, we recommend you follow it up in writing to provide a clear trail of correspondence.  In doing so it will provide clear evidence of your intentions if a dispute arises.

If you make your request electronically, the organisation will respond by the same method, unless you ask otherwise.

The organisation may ask you to provide some form of identification if it does not know you.  This is to help the organisation make sure it is searching for personal data about the correct person and to prevent personal data being given to the wrong person.  An example of the wording you can use to make a request is included in the Annex to the document below.

Can I make more than one request?

Although you can make requests to an organisation for access to different information, if you ask for the same information more than once the organisation may refuse to act if your request is ‘manifestly unfounded or excessive’.

If you are considering resubmitting a request for the same information, you should think about whether:

Fees

The organisation cannot charge you a fee for making a request or for providing you with a copy of the personal data sought by your request. 

However, a charge can be levied if you request further copies, but this must be based on administrative costs.

Time frame

Organisations must respond to your request without undue delay and in any event within one month of receipt of the request.  In exceptional circumstances, for example if the request is particularly complex, the time period may be extended by a maximum of a further two months. However, the organisation must let you know that there will be a delay and the reasons for it before the end of the first month.

More about how one month is calculated is on the website at: https://www.inforights.im/information-centre/data-protection-law-2018/rights/calculating-one-month/

What you should be given

If your personal data is being processed you should be given a copy of the information you have requested and be told:

 If automated decision-making or profiling is used, you should be provided with meaningful information about the logic involved as well information about the significance and envisaged consequence of the processing for you.

Can the organisation refuse to act or give me the information?

The organisation can refuse to act:

The organisation can refuse to give you some information if it includes information that identifies another individual, unless

In deciding this, the organisation must balance your right to access your data against the other individual’s rights regarding their own information.  However, the organisation must still provide as much information to you as possible by omitting, or redacting, the name of the other individual or other identifying particulars.  As this right is not a right to copies of documents, this can also be achieved, for example, by extracting the information about you and inserting it into a new document.

There are also a number of restrictions on the right of access in certain circumstances. More information is available on the website at: https://www.inforights.im/information-centre/data-protection-law-2018/rights/restrictions-on-rights/

What to do if you are unhappy with how your request was handled

If you do not receive a response, or are unhappy with how your request was handled, you should firstly make a complaint to the organisation.  This should be in writing as it will give you evidence of your actions.

If the matter remains unresolved, then you are entitled to make a complaint to the Commissioner. 

 

You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise that you seek independent legal advice from a Manx advocate first.