Disclaimer

The new DPC website is currently under construction. Our latest guidance in relation to GDPR, which comes into effect on 25th May, 2018, can be found at gdprandyou.ie and via pages on this website starting with "NEW" as per the navigation pane on the left. All other material on this site relates to the previous legislative regime under the Data Protection Acts 1988-2003 ("the Acts"). While the Acts may continue to apply in some circumstances, as of 25th May, 2018 the GDPR is the primary piece of legislation governing data protection.

Data Protection Commission

New: Make an Access Request

From 25th May 2018, the General Data Protection Regulation (GDPR) introduces more clearly defined rights of information and access for individuals in respect of their personal data.

RIGHT OF INFORMATION

Under Article 13 and 14 of the GDPR, you have a right to be informed as to how your personal data is being processed (handled or used) by an organisation. In particular, at the time the organisation obtains personal data from you, it should advise you of (among other things), the purpose(s) of - and legal basis for - the processing of your data; any other recipient(s) of your data); how long it retains your data, or the criteria by which it determines how long it retains your data; and the existence of any automatic decision making processes applied to your data.

Moreover, where the personal data has not been obtained from you, the organisation must provide you with additional information relating to the types of personal data it holds and how it obtained this data. This information should be provided to you within a reasonable period, and at the latest within a month of the organisation obtaining the data (as per Article 12 of the GDPR). If the data is used to communicate with you, the information about the types of data obtained and how it was obtained should be provided to you, at the latest, when the first communication takes place. If it is expected that your personal data will be disclosed to another recipient, the information should be provided to you when your personal data is first disclosed.

RIGHT OF ACCESS

Under Article 15 of the GDPR, you have a right to obtain a copy, of any information relating to you kept on computer or in a structured manual filing system or intended for such a system by any organisation. All you need to do is write to the organisation and request, under the GDPR, a copy of the personal data it holds in relation to you.

Your request could read as follows:

Dear
...
I wish to make an access request under Article 15 of the General Data Protection Regulation (GDPR) for a copy of any information you keep about me, on computer or in manual form in relation to...

(Please be as specific as possible in relation to the personal data you wish to access).

You may be asked to provide evidence of your identity. This is to make sure that personal information is not given to the wrong person.

In the normal course of events, an organisation will be obliged to respond to your access request within one month of receiving the request (most organisations manage to reply much sooner). In certain limited circumstances, the one month period may be extended by two months (taking into account the complexity of the request and the number of requests). Where an organisation is extending the period for replying to your request, it must inform you of any extension, and the reason(s) for the delay in responding, within one month of receiving the request.

There is no fee payable by you to make an access request - the organisation must deal with your request for free. However, where the organisation believes a request is manifestly unfounded or excessive (for example where an individual makes repeated unnecessary access requests), the organisation may either charge a fee taking into account its administrative costs in dealing with the request(s), or refuse to act on the request(s). The burden of demonstrating why a request is manifestly unfounded or excessive rests on the organisation.

Exceptions to the right of access

Similar to the Data Protection Acts 1988-2003 the national legislation will contain exceptions to the right of access.

Article 15 of the GDPR also provides that the right to obtain a copy of your personal data must not adversely affect the rights and freedoms of others. For example, when responding to an access request, an organisation should not provide the requestor with personal data relating to a third party that would reveal the third party's identity.

What if an organisation fails to respond to my access request?
If an organisation does not comply with a valid access request that you have made, it is open to you to make a complaint to the DPC. Before doing so it is recommended that you contact the organisation in question to establish the circumstances and to indicate your intention to complain to this Office. The organisation may be in a position to correct the problem there and then. Our experience is that contacting the organisation again directly in relation to your access request can often result in the matter being resolved.

If, having contacted the organisation directly, you are not satisfied with its response, or if you do not receive a response, at that point you may wish to raise a concern with this Office. The webform for contacting us to raise a concern is here

For more information about your rights to information and access under the GDPR, please see the following link: http://gdprandyou.ie/gdpr-for-individuals

ACCESS REQUESTS MADE BEFORE 25th MAY 2018

If you have made an access request to an organisation before 25th May 2018, the organisation's responsibilities in relation to your request are governed by the legislative regime which was in place before the GDPR came into effect. In Ireland, the relevant pieces of primary legislation are the Data Protection Acts 1988-2003 ("the Acts"). In relation to access requests made before 25th May 2018, the Acts contain the following provisions:

Under section 3 of the Acts, you have a right to find out, free of charge, an organisation holds information about you. You also have a right to be given a description of the information and to be told the purpose(s) for holding your information. An organisation that receives a request under section 3 of the Acts must respond within 21 days.

Under section 4 of the Acts, you have a right to obtain a copy, of any information relating to you kept on computer or in a structured manual filing system or intended for such a system by any entity or organisation. If you have made an access request under the section 4 of the Acts, the organisation may ask you to pay a fee of €6.35.

Once you have made your request, and paid any appropriate fee, the Acts provide that you must be given the information within 40 days (most organisations manage to reply much sooner).

Are there any exceptions to the right of access under the Data Protection Acts 1988-2003?
Yes. Sections 4 & 5 of the Acts set out a small number of circumstances in which your right to see your personal records can be limited. This is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand. For example, a criminal suspect does not have a right to see the information held about him by An Garda Síochána, where that would impede a criminal investigation. Similarly, you do not have a right to see communications between a lawyer and his or her client, where that communication would be subject to legal privilege in court. The right of access to medical data and social workers' data is also restricted in some very limited circumstances, where the health and mental well-being of the individual might be affected by obtaining access to the data. Your right to obtain access to examination results and to see information relating to other people is also curtailed. Further details on all of these points can be obtained by clicking on the link below.

Exceptions to the right of access.

What if an organisation fails to respond to an access request made under the Data Protection Acts 1988-2003?
If an organisation does not comply with a valid access request that you have made, it is open to you to make a complaint to the DPC. Before doing so it is recommended that you contact the organisation in question to establish the circumstances and to indicate your intention to complain to this Office. The organisation may be in a position to correct the problem there and then. Our experience is that contacting the organisation again directly in relation to your access request can often result in the matter being resolved.

If, having contacted the organisation directly, you are not satisfied with its response, or if you do not receive a response, at that point you may wish to raise a concern with this Office. The webform for contacting us to raise a concern is here