The right to access your personal data is a basic right and applies by law regardless of the type of body or entity that is holding your personal data. Accordingly, you have a basic right to access your personal data held by, amongst others, doctors, hospitals or consultants treating you in a private or public capacity. In response to such a request, you should receive anything held on file or computer by the health professional or facility that relates to you or from which you can be identified.

Section 56 of the Data Protection Act 2018 provides for an Article 15 right of access to results, scripts of examination and results of an appeal. Article 15 requests made in relation to examination results or scripts completed during the course of an examination, are taken to be made on the later of:

(a) The date of the first publication of the results of the examination, or

(b) The date of the request

An Article 15 request for the result of an appeal against an examination is taken to have been made on the later of:

The Central Bank of Ireland, under the Credit Reporting Act 2013 as amended, maintains a central record of repayments made on loans, whether mortgages or personal, and credit cards. To get a copy of your credit report further information is available on the Central Credit Register website.

This can be a complex area and depends on the policy of the data controllers in question and any preferences that the individual(s) involved may have expressed. However, from a data protection perspective, any entity/data controller/service provider with a policy of transacting business with the named account holder only is perfectly entitled to adopt that approach.

The right of access under Article 15 of the General Data Protection Regulation (GDPR) applies to a person's own personal data. Therefore, access requests tend to be made by the individual themselves in relation to their own personal data.  It would however be reasonable to comply with an access request submitted on a person's behalf by their own solicitor.

The one-month time frame has elapsed and I have not got my data; what can I do?

If, following the expiry of the one-month time limit, you have not received a response at all from the data controller regarding your subject access request it is open to you to submit a reminder to the data controller. At the same time, you can also submit a formal complaint to the Data Protection Commission (DPC).

I am not happy with the responses of the data controller, what can I do?

Yes. Article 23 of the General Data Protection Regulation (GDPR) and various provisions under the Data Protection Act 2018 (such as section 60) set out a number of circumstances in which your right to obtain a copy of your personal data can be lawfully restricted  by a data controller. This is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand.

Data controllers must respond to such requests within one month of receipt of the request, although this one-month time frame can be extended by up to two further months if, for example, the request is complex (Article 12(3) of the General Data Protection Regulation (GDPR)).

Financial institutions are legally obliged under Anti-Money Laundering (AML) legislation to carry out Politically Exposed Persons (PEP) screening where there is a 'reasonable risk' of money laundering and terrorist financing.

The Article 5(1) (e) General Data Protection Regulation (GDPR) principle of “storage limitation” requires that personal data… is kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.  If the purpose for which the information was obtained has ceased and the personal data is no longer required, the data must be deleted or disposed of securely.