Service

Respond to subject access requests

The controller must implement procedures for servicing requests from data subjects. A consistent and quality-assured process is essential to ensure a timely and accurate response. Requests may include:

  • Requests for the data stored
  • Correction of the data stored
  • Erasure of the data stored

A controller needs to service the data protection rights of the customers or employees.

These rights are not absolute, and therefore servicing them will require consideration of the circumstances of each request and balancing competing rights and obligations.

Video Surveillance Data

A data subject requests a copy of video surveillance in which they appear. Before providing the data, redact any other people on the tape to protect their privacy and avoid a data breach.

This activity is highly visible for the organisation and needs to meet a high standard. Inadequate or late responses may result in complaints to the Data Protection Commission, with consequent inspections or audits.

The organisation should consider how the data subject will engage with the services. The organisation could provide an email address or phone number. Alternatively, the organisation could provide a form on its website. A web form has the advantage of qualifying the data collected. The GDPR does not restrict the medium used; all potential channels know how the process works.

Data processors are not responsible to the data subjects for servicing their data protection rights. They should not respond to such requests and should direct the data subject to the data controller. However, the duties of the data processor may include supporting the data controller in responding to requests from data subjects. The contract should set out the tasks required of the processor to support subject access requests.