# GDPR Subject Access Requests
## What are Subject Access Requests?
A 'Subject Access Request' is a request asking a company to release all the data they hold on you. They can't charge for this information, under a new piece of legislation coming in on 25th May called the GDPR (General Data Protection Regulations).
## How do you make a subject access request?
Currently, companies are allowed to be prescriptive in how you ask for your data, and can charge £10 for a copy of this. This changes with the introduction of the GDPR, and not only can they not charge, they have to accept the request in any format.
The ICO (UK's Information Commissioner's Office) makes this clear [in a PDF guide they issued](https://ico.org.uk/media/for-organisations/documents/2014223/subject-access-code-of-practice.pdf). See section 4, question 1:
> A subject access request (SAR) is simply a written request made by or on behalf of an individual for the information which he or she is entitled to ask for under section 7 of the Data Protection Act 1998 (DPA). The request does not have to be in any particular form. Nor does it have to include the words ‘subject access’ or make any reference to the DPA. Indeed, a request may be a valid SAR even if it refers to other legislation, such as the Freedom of Information Act (FOIA).
>
> A SAR must be made in writing. Standard forms can make it easier for you to recognise a subject access request and make it easier for the individual to include all the details you might need to locate the information they want. However, there is no legally prescribed request form. Nor can you require individuals to use your own in-house form to make a SAR. You may invite individuals to use your own request form, but you should make clear that this is not compulsory and you must not try to use this as a way of extending the 40 day time limit for responding.
## What information can companies ask for on a SAR?
Companies have the right (and the responsibility!) to ensure that you are who you say you are, and that you have the right to your information. The GDPR is not prescriptive as to exactly what you can and can't ask for.
The act doesn't prescribe exactly *what* they're allowed or required to ask for, but typical requirements are a scan of a driving license or similar. It's also reasonable for them to ask for helpful information such as a customer number or account number.