ROPA stands for Record of Processing Activities. Article 30 of the GDPR requires you to maintain a record of processing activities. You will be required to produce this, if requested by the supervisory authority, e.g. the Information Commissioner’s Office (ICO) in the UK; the Data Protection Commission (DPC) in Ireland. The ROPA must include a…
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully. Individuals may exercise the right by making…
An individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point. A request does not have to include the phrase ‘subject access request’ or…
In almost all cases the answer is “yes”. If a request is within the scope of the Data Protection Act (there are a few exemptions), you are required to comply and must provide the information requested. You can also refuse to comply with a subject access request if it is: manifestly unfounded; or excessive. In…
You must comply with a request without undue delay and at the latest within one month of receipt of the request or (if later) within one month of receiving any information requested to confirm the requester’s identity. You should calculate the time limit from the day you receive the request (whether it is a working…
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You need to let the individual know as soon as possible that you…
The GDPR does not prevent an individual making a subject access request via a third party. Often, this will be a solicitor acting on behalf of a client, but it could simply be that an individual feels comfortable allowing someone else to act for them. In these cases, you need to be satisfied that the…
An individual is entitled only to their own personal data, and not to information relating to other people (unless the information is also about them or they are acting on behalf of someone). Therefore, it is essential that you establish whether the information requested falls within the definition of personal data. In addition to a…
Responsibility for complying with a subject access request lies with your organisation, as the data controller. Your DPO will generally be responsible for fulfilling a DSAR, if you haven’t appointed a DPO, the responsibility should be given to someone with up-to-date data protection knowledge and training in GDPR compliance. If you don’t have the internal…
© Copyright 2021 Oyster IMS | Web design by Union 10 Design
We do not believe that this outbreak will have a direct impact on most of our services.
We are continuing to monitor the situation, liaising with partners and suppliers critical to the operation of our services, and all those who are dependent on our business.