Subject Access Request: Top 4 Important Things Companies Have to Keep in Mind

Since the 25th of May the new General Data Protection Regulation (GDPR) is in effect all over Europe. It is relevant for all companies, which hold and work with personal data.

Due to the new regulation there are many more tasks for companies to come up with. The GDPR allows employees, customers and online-users to request information on how and in which way their personal data is used.
We show you what to do and what to keep in mind when you receive a subject access request. We will furthermore inform you, how you can use Whisply as a secure way to send data to a requester.

1. What contains a subject access request?

A subject access request (SAR) is separated in two parts: Firstly, affected people will get a confirmation as to whether or not personal data is stored by companies. Secondly, if this applies, people in authority are obligated to provide the appropriate data and their processing. In case, an organisation does not make any use of someone´s data they have to inform the applicant either way.
So: who is in charge to handle a SAR? Generally, every company is obligated to response to every request they receive. There are a few exceptions: If the concern is made of various companies. In this case, only the one company is in charge, which actually receives and works with the requester´s data. Is an IT- service organization, which works for another company, in control of someone´s data, they have to disclose the company, they are working for.
The following information must be provided, referred to in Article 15 (1) GDPR:

1. The purposes of the processing (of personal data)
2. The categories of personal data concerned
3. The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in non-EU countries or international organizations
4. Where possible, the projected period of time, for which the personal data will be stored, or, if not possible the criteria used to determine that period
5. The existence of the right to request (from the controller) rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject to or object to such processing
6. The right to lodge a complaint with supervisory authority
7. Where the personal data is not collected from data subject, any available information as their source
8. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4), and at least in those cases, meaningful information about the logic involved, as well as the significance and the projected consequences of such processing for the data subject

2. What to keep in mind answering a request?

In addition to the defaults of the GDPR, there are national laws (in Germany §57 BDSG (neu)) you have to be aware of. Those laws structure the processing of a subject access request under extraordinary circumstances:
If personal data will be transmitted to a non-EU country or an international organization, the affected person has the right to know about his safeguards, according to Article 46 GDPR, which are connected with the transmission. By safeguards the authority means:
a) A legally binding and enforceable instrument between public authorities or bodies
b) Binding corporate rules in accordance with Article 47 GDPR
c) Standard data protection clauses, adopted by the Commission in accordance with the examination procedure referred to in Article 93(2) GDPR
d) Standard data protection clauses, adopted by a supervisory authority and approves by the Commission pursuant to the examination procedure referred to in Article 93(2) GDPR
e) An approved code of conduct, pursuant to Article 40 GDPR or a certification mechanism pursuant to Article 42 GDPR together with binding and enforceable commitments of the controller or processor, in the non-EU country to apply the appropriate safeguards, including as regards the data subjects´ rights

3. Which deadlines are important in answering a SAR?

After receiving a request, the controller has one month to deal with the request and provide the information referred to in Article 12(1) GDPR, either orally or in writing. In some complex cases it is possible to delay the deadline to a maximum of two months. But as a result, the requester must be informed for what reason the deadline got delayed.
Referred to in Article 12(5) GDPR, the information and additionally, every action that involves transmitting the information to a recipient must be free of charge. Except for some cases, the responsible person can actually charge an agreeable fee or does not have to become active processing a request, if an requester makes the same application frequently.

4. Transmitting a subject access request to arequester

Personal Data and its security is a very sensitive topic these days, which also made many people suspicious. Not everybody realizes and has the insights why his data is going to be used- A SAR may provide this remedy.
Processing a subject access request is the first step, but how to transmit the personal data to its owner in a way that no unauthorized third person may access the data? A much more convenient option, than sending the requested information via letter or providing it orally, is our web application: Whisply.
Whisply allows a secure end-to-end encrypted transmission of data, directly from your Dropbox. The encrypted data can be shared with everyone via a download link. Additionally, this download link may be protected by a password, pin or can be set to self-destruct after a specified time period. This provides high security for the file transfer with every requester of an SAR.
By using the Whisply service, you get the opportunity to show your costumers that you care about the security and privacy of their personal data. Furthermore, by adding a pin or password it is possible to ensure that the transmitted information may only be decrypted by the requester itself.