Data Subject Access Requests

The General Data Protection Regulation (GDPR) gives individuals the right to request a copy of any of their personal data which are being processed by OSi as well as other relevant information (as detailed below).

What is the right of access?

There are actually a few different aspects to the right of access under Article 15 GDPR, including certain information, and a copy of your personal data. You have the right to obtain the following from the data controller:

Confirmation of whether or not personal data concerning you is being processed.
Where personal data concerning you is being processed, a copy of your personal data.
Where personal data concerning you is being processed, other additional information as follows:
1. Purpose(s) of the processing.
2. Categories of personal data.
3. Any recipient(s) of the personal data to whom the personal data has or will be disclosed, in particular recipients in third countries or international organisations and information about appropriate safeguards.
4. The retention period or, if that is not possible, the criteria used to determine the retention period
5. The existence of the following rights:
  • Right to rectification;
  • Right to erasure;
  • Right to restrict processing;
  • Right to object;
  as well as information on how to request these from the controller.
6. The right to raise a concern with a supervisory authority (in Ireland this is the Data Protection Commission).
7. Where personal data is not collected from the data subject, any available information as to its source.
8. The existence of automated decision-making, including profiling and meaningful information about how decisions are made, the significance and the consequences of processing.

How do I exercise the right of access?

The GDPR does not set out any particular method for making a valid access request, therefore a request may be made by an individual in writing or verbally. OSI would, however, encourage individuals to submit written access requests where practical, to avoid disputes over the details, extent, or timing of an access request.

OSI has provided the below template for access requests that are made to the controller in writing:

"*" indicates required fields

If you want us to supply you with a copy of any personal data we hold about you, please complete this form and send it the address below. You are currently entitled to receive this information under the EU General Data Protection Regulation (GDPR) and the Data Protection Acts 1988-2018. We will also provide you with information about any processing of your personal data that is being carried out, the retention periods which apply to your personal data, and any rights to rectification, erasure, or restriction of processing that may exist.

The information you supply in this form will only be used for the purposes of identifying the personal data you are requesting and responding to your request. Please send your completed form and proof of identity to:

1. Details of the person requesting information

Name*

First Last

Address

Street Address Address Line 2 City Eircode

Phone number*

Email address*

2. Are you the data subject?

Please select the appropriate box.

YES: I am the data subject. I propose to forward proof of my identity (see below). Please proceed to Section 4.

NO: I am acting on behalf of the data subject. I propose to forward the data subject’s written authority and proof of the data subject’s identity and my own identity (see below). Please proceed to Section 3.

To ensure we are releasing data to the right person we require you to provide us with proof of your identity and of your address. Please supply us with a photocopy or scanned image (do not send the originals) of one of both of the following:

Proof of Identity. We need one of the following: passport, photo driving license, national identity card, birth certificate.
Proof of Address.We need one of the following: utility bill, bank statement, credit card statement (no more than 3 months old); current driving license; local authority tax bill.

If we are not satisfied you are who you claim to be, we reserve the right to refuse to grant your request.

3. Details of the data subject

Name

First Last

Address

Street Address Address Line 2 City Eircode

Phone number

Email address

4. What information are you seeking?

Please describe the information you are seeking. Please provide any relevant details you think will help us to identify the information you require.

Please note that if the information you request reveals details directly or indirectly about another person we will have to seek the consent of that person before we can let you see that information. In certain circumstances, where disclosure would adversely affect the rights and freedoms of others, we may not be able to disclose the information to you, in which case you will be informed promptly and given full reasons for that decision. While in most cases we will be happy to provide you with copies of the information you request, we nevertheless reserve the right, in accordance with Article 12 of the GDPR to charge a fee or refuse the request if it is considered to be “manifestly unfounded or excessive”. However, we will make every effort to provide you with a satisfactory form of access or summary of information if suitable.

5. Information about the data collection and processing

If you want information about any of the following, please tick the boxes:

Why we are processing your personal data

To whom your personal data are disclosed

The source of your personal data

Please be as specific as possible in relation to the personal data you wish to access. You may be asked to provide evidence of your identity subsequent to this initial contact with OSI. This is to make sure that personal information is not given to the wrong person.

Can I be charged a fee to make an access request?

In most cases individuals cannot be required to pay a fee to make a subject access request. Only in certain very limited circumstances, per Article 12(5) GDPR, where the initial request is ‘manifestly unfounded or excessive’ can OSi charge a ‘reasonable fee’ for the administrative costs of complying with the request.

In what format should the information I request be provided?

The general rule is that a controller should respond to your access request in the same way the request was made, or in the way in which you specifically asked for a response. Where you make the request electronically (such as by email), controllers should provide the required information in a commonly used electronic format, unless you request otherwise.

Are there any limits to my right of access?

Under Article 12(5) GDPR, in limited circumstances, where an access request is ‘manifestly unfounded or excessive’, OSi may, where appropriate, refuse to act on the request.
The GDPR (in Article 15(4)) states that the right to obtain a copy of your personal data should not ‘adversely affect the rights or freedoms of others’. This means that when responding to an access request, the controller should consider the rights of third parties, such as their data protection rights, trade secrets, or intellectual property rights such as copyright. This could arise, for example, where your access request relates to a record containing both your personal data but also the personal data, trade secrets, or intellectual property of others.

Timeframes

OSi is obliged to reply within a specified period of time (1 calendar month) to all requests received. Whilst OSI encourages individuals to submit initial access requests using the above portal where practical, requests can also be made in writing or email to the address below:

Data Protection Officer,
Ordnance Survey Ireland,
Ordnance Survey Road,
Phoenix Park,
Dublin 8.
D08 F6E4
Email: [email protected]