Featured in JEP’s Expert Panel – 25th April 2018
A:
When a Data Controller (DC) receives a data subject access request (DSAR), the DC has 4 weeks to respond but can extend by a further 8 weeks in certain circumstances (the data subject must be informed of the extension and the reasons within the 4-week period). If the DSAR is received electronically, the response must be made electronically. No fee can be charged for routine requests; where requests are manifestly vexatious, unfounded or excessive, the DC can either refuse to act or charge a reasonable fee. If the DC refuses to act on a DSAR, they must inform the data subject of their right to make a complaint and to seek judicial remedy. Additional information can be requested to verify the identification of the data subject.
The key pieces of information to be provided are: DC contact details, relevant personal data, purpose and legal basis for processing, categories of recipients, explanation of legitimate interest basis if applied, where data is transferred to a third country or international organisation, what adequate level of protection of their rights and freedoms is in place, how long their data will be stored. See A12 of the new law for more details.