Resources

Case Studies Access Request Complaints

 

Access Request Complaints 2023

Failure to respond to an Access Request

The DPC received a complaint from an individual who had made a subject access request to a state hospital for a copy of all information held concerning them. The individual did not receive a response to this request.

The DPC contacted the Data Protection Officer (DPO) for the Hospital Group and informed them of the complaint.

The DPC reminded the hospital of their GDPR obligations , drawing their attention to Article 12(3), which states that controllers have an obligation to provide a response to an individual’s subject access request within the statutory timeframe. As part of the engagement, the DPC stipulated a timeline for the hospital to respond to the individual and provide them with a copy of the personal data. The data controller complied with the DPC’s direction.

Key Takeaway

  • Organisations are required to implement appropriate organisational measures in place to ensure that they are in a position to respond to any rights requests within the stipulated timeframes under the GDPR.
  • Organisations should note that the DPC maintains a record of complaints received which forms part of any consideration of potential future action, including proposals for the carrying out of an inquiry and the further exercising of formal powers such as reprimands.