Data Subject Access Requests
The General Data Protection Regulation (GDPR) gives individuals the right to request a copy of any of their personal data which are being processed by OSi as well as other relevant information (as detailed below).
What is the right of access?
There are actually a few different aspects to the right of access under Article 15 GDPR, including certain information, and a copy of your personal data. You have the right to obtain the following from the data controller:
- Confirmation of whether or not personal data concerning you is being processed.
- Where personal data concerning you is being processed, a copy of your personal data.
- Where personal data concerning you is being processed, other additional information as follows:
- Purpose(s) of the processing.
- Categories of personal data.
- Any recipient(s) of the personal data to whom the personal data has or will be disclosed, in particular recipients in third countries or international organisations and information about appropriate safeguards.
- The retention period or, if that is not possible, the criteria used to determine the retention period
- The existence of the following rights:
• Right to rectification;
• Right to erasure;
• Right to restrict processing;
• Right to object;
as well as information on how to request these from the controller.
- The right to raise a concern with a supervisory authority (in Ireland this is the Data Protection Commission).
- Where personal data is not collected from the data subject, any available information as to its source.
- The existence of automated decision-making, including profiling and meaningful information about how decisions are made, the significance and the consequences of processing.
How do I exercise the right of access?
The GDPR does not set out any particular method for making a valid access request, therefore a request may be made by an individual in writing or verbally. OSI would, however, encourage individuals to submit written access requests where practical, to avoid disputes over the details, extent, or timing of an access request.
OSI has provided the below template for access requests that are made to the controller in writing:
Please be as specific as possible in relation to the personal data you wish to access. You may be asked to provide evidence of your identity subsequent to this initial contact with OSI. This is to make sure that personal information is not given to the wrong person.
Can I be charged a fee to make an access request?
In most cases individuals cannot be required to pay a fee to make a subject access request. Only in certain very limited circumstances, per Article 12(5) GDPR, where the initial request is ‘manifestly unfounded or excessive’ can OSi charge a ‘reasonable fee’ for the administrative costs of complying with the request.
In what format should the information I request be provided?
The general rule is that a controller should respond to your access request in the same way the request was made, or in the way in which you specifically asked for a response. Where you make the request electronically (such as by email), controllers should provide the required information in a commonly used electronic format, unless you request otherwise.
Are there any limits to my right of access?
Under Article 12(5) GDPR, in limited circumstances, where an access request is ‘manifestly unfounded or excessive’, OSi may, where appropriate, refuse to act on the request.
The GDPR (in Article 15(4)) states that the right to obtain a copy of your personal data should not ‘adversely affect the rights or freedoms of others’. This means that when responding to an access request, the controller should consider the rights of third parties, such as their data protection rights, trade secrets, or intellectual property rights such as copyright. This could arise, for example, where your access request relates to a record containing both your personal data but also the personal data, trade secrets, or intellectual property of others.
OSi is obliged to reply within a specified period of time (1 calendar month) to all requests received. Whilst OSI encourages individuals to submit initial access requests using the above portal where practical, requests can also be made in writing or email to the address below:
Data Protection Officer,
Ordnance Survey Ireland,
Ordnance Survey Road,
Email: [email protected]