Right of Access
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why we are using their data, and check we are doing it lawfully.
What is an individual entitled to?
Individuals have the right to obtain the following from us:
- confirmation that we are processing their personal data;
- a copy of their personal data; and
- other supplementary information – this largely corresponds to the information that we should provide in a privacy notice (see ‘Other information’ below).
An individual is only entitled to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). For further information about the definition of personal data please see our guidance on what is personal data.
In addition to a copy of their personal data, we also have to provide individuals with the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient we disclose the personal data to;
- our retention period for storing the personal data or, where this is not possible, our criteria for determining how long we will store it;
- the existence of their right to request rectification, erasure or restriction or to object to such processing;
- the right to lodge a complaint with the ICO or another supervisory authority;
- information about the source of the data, where it was not obtained directly from the individual;
- the existence of automated decision-making (including profiling); and
- the safeguards we provide if we transfer personal data to a third country or international organisation.
Does a Subject Access Request have to be in a particular format?
The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request verbally or in writing. It can also be made to any part of the organisation (including by social media) and does not have to be to a specific person or contact point.
A request does not have to include the phrase ‘subject access request’ or refer to Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.
We have a legal responsibility to identify that an individual has made a request and handle it accordingly.