How to access your personal data under the GDPR

You have a fundamental right of access to your personal data from data controllers under the General Data Protection Regulation (GDPR).

Personal data is information that relates to you, or can identify you, either by itself or together with other available information. Personal data can include your name, address, contact details, an identification number, IP address, CCTV footage, access cards, audio-visual or audio recordings of you, and location data.

Under data protection law, if an organisation or company is holding or using your personal data, you are known as a data subject.

The organisation or company holding or using that data, is known as a data controller. However, the data controller can allow another person, organisation or company, known as a data processor, to process your personal data on its behalf.

Doing anything with your personal data, including storing it, is known as processing.

You have the right to get a copy of any personal data which an organisation holds on you.

You also have the right to find out if your personal data is being processed.

If your personal data is being stored or used (processed), you have the right to know:

• The reason why it is being processed
• Where the personal data came from
• Who your personal data will be shared with
• How long your personal data will be kept
• The categories of personal data being processed
• How to exercise your data protection rights

The data processor should also tell you about your right to make a complaint to the Data Protection Commissioner.

Special Category Data

Some personal data is very sensitive and special rules apply to this information. These special categories include information that reveals any of the following:

• Your race or ethnic origin
• Your political opinions
• Your religious or philosophical beliefs
• Your trade union membership
• Your health
• Any biometric information (for example, your fingerprints) or genetic data
• Your sexual orientation or sex life

The processing of this information is only allowed where you have given your explicit consent or where the information is absolutely necessary to meet other legal requirements. For example, you may have to inform your employer of your nationality to show that you have the legal right to work in Ireland.

There is no set way to make an access request but the following general advice can help you to avoid delays or confusion.

Make your request in writing

Ask as soon as possible and in writing. This can either be by letter or email. Seeking your personal data is known as making an access request or a data subject access request. You should state in the letter or email that it is an access request. This means that both you and the data controller will have a record of the request and its content if an issue arises later. Some large companies allow you to automatically download your personal information directly through their website.

Contact the relevant data protection officer

Many large organisations have a Data Protection Officer (or DPO) and they are generally the best person to contact about your request for information. You should be able to find their contact details in the privacy policy or ‘contact us’ section of the organisation’s website. Where there is no specific email address for a data access request, you should use the organisation’s general contact details.

Be specific

Make your request as specific as possible in relation to the personal data that you wish to access unless you want to access all the personal data that is held about you. Remember to specify whether you want the information in electronic format (as computer files) or in hard copy (on paper).

Send proof of your identity

Provide some additional, identifying information about yourself if needed. You may need to provide more than just your name because the organisation may have records on other people with the same name as you. The organisation may ask you to provide further evidence of your identity.

Costs

There is generally no fee for making an access request.

The main exception to this is where your access request is considered ‘manifestly unfounded or excessive’. For example, if you continue to make the same access request even though it has already been dealt with. If a data controller can prove that your request is manifestly unfounded or excessive, they can charge a reasonable fee for the administrative costs of providing the information requested.

They may also charge a fee based on administrative costs if you ask for additional copies of the information.

The data controller must respond to your request within one month.

If the request is complex or involves a large amount of information, the data controller can extend the time to respond by a further two months. You should receive a written explanation for any extension within the initial one-month period.

If your request is very broad and requires the data controller to provide a large amount of information and documents, you may be asked to reduce the number of documents containing personal data requested. However, you can insist on receiving all the information and documentation held. If you do, it may take longer to comply with your access request.

In general, the data controller should respond to your access request in the same format the request was made, or in the way in which you specifically asked for a response. For example, if you emailed your request, the data controller should provide the information by email, unless you request otherwise.

A data controller can refuse access to some or all of your data where:

• Providing your personal data has an impact on the rights of others
• Your personal data is listed with the personal data of others (In these cases, the data controller may remove the personal data of others to provide you with your data)
• Your personal data is in a document that has trade secrets, confidential information or intellectual
• The request is considered ‘manifestly unfounded or excessive’ (for example, if you made a request in the recent past and were told that the data controller had no personal data relating to you)

By law, access to your personal data may also be refused in relation to processing carried out:

• For electoral purposes, such as publishing a roll of electors
• By the Electoral Commission
• In the administration of tax and duties
• To safeguard Cabinet confidentiality
• When defending legal claims

These exceptions are listed in Section 60 of the Data Protection Act 2018.

When you receive your personal data after an access request, you have several other data protection rights.

If your personal data is inaccurate, you have the right to have the data corrected without delay.

If your personal data is incomplete, you have the right to have the data completed. This includes by providing supplementary information.

You can ask for your data to be deleted in some situations (see ‘The right to be forgotten’ below)

In some limited cases, you may be able to object to further processing of your personal data or its transfer to another processor.

What can I do if I am unhappy with the outcome of an access request?

If you are unhappy with the way your access request was processed, you can make a complaint to the Data Protection Commission (DPC).

The DPC is Ireland’s independent authority with responsibility for upholding the right of people in the EU to have their personal data protected. It monitors compliance with GDPR and other data protection legislation and deals with complaints in relation to data protection breaches. The DPC website contains helpful explanations of data protection law.

You may be unhappy with the way your request was handled because:

• There was no response or a delayed response to your access request
• The response to the request was incomplete
• You believe the data controller wrongly relied on exemptions to not share your personal data with you

How do I make a complaint?

Complete the DPC’s online complaint form. You will be asked to provide evidence to support your complaint. This includes:

• Evidence of your access request
• Correspondence between you (or your legal representative) and the data controller and
• information in support of your belief that the data controller holds your personal Information

This section covers the following particular types of personal data or records:

• Children’s personal data
• Medical records
• Garda records
• People who have died

Children’s personal data

Children have the same data protection rights as adults and can make access requests. However, they are given specific protection with regard to their personal data. This is because they may be less aware of the risks and consequences of sharing their personal data. Also, they may be less aware of the safeguards available and their rights in relation to how their personal information is processed.

Parents and guardians may also be able to make access requests or exercise any other data protection right on behalf of their children. If a request is made by a parent or guardian, the data controller must consider the nature and circumstances of the request, including the age, capacity and views of the child and the child’s best interests.

Medical records

Your medical records are your personal information and you are entitled to access them.

If you are a patient in a public or publicly-funded hospital, or have a medical card or GP visit card, you can seek access in the following ways:

• Make an access request under data protection law.
• Make an access request under the Freedom of Information Act.
• Write to the service provider or Health Service Executive and ask for your records.

You may have to provide information to help them locate your file, including your date of birth, current and previous addresses, the contacts you had with specific services and approximate dates

Under data protection law, you can be refused access to your medical records if disclosure would give rise to serious harm to your physical or mental health. You can read more about access to medical records.

Garda records

You can ask An Garda Síochána for a copy of any personal data that it has about you. When you make an access request to the Gardaí, you are generally entitled to:

• Get a copy of the personal data being kept about you
• Be told why the data is being kept
• Be told the identity of anyone that the Gardaí has shared the data with
• Be told how the Gardaí obtained the data (unless this would be against public interest, for example, cause a risk of harm to someone else)

You can make a request for your personal data using the Garda Síochána subject access request form (pdf). Post the completed form to the address on the form or email it to DataProtection@Garda.ie.

The Gardaí can refuse your request for personal data and withhold that information in the following situations:

• Your request for data would identify someone else. This also applies to the Gardaí's obligation to give you details of the source of the information. If the source of the information identifies somebody else, the Gardaí can withhold it
• They have to refuse so as to prevent, detect or investigate crime, or to arrest or prosecute offenders
• There are existing or expected legal proceedings or claims

You can read more about accessing your Garda record.

Deceased people

In Ireland, GDPR rules for the processing of personal data do not generally apply to those who have died. Access may be possible under Freedom of Information laws.

You can also access your personal information under freedom of information (FOI). This only applies to information held by public bodies (for example, government departments, local authorities and public hospitals).

Your rights under FOI are similar to your rights under GDPR. FOI allows you to access records containing your “personal information” and the data protection regime grants access to your “personal data”.

Access requests can be made under FOI and data protection at the same time, and you have similar rights in relation to the correction of any inaccurate personal information.

There is no time limit to access personal information in respect of both, and similar rules apply in relation to the organisation’s obligation to disclose. Making access requests for personal information are generally free under both.

In many cases, there won’t be a material difference between the two systems when making an access request in respect of your personal data from a public body. However, there are some important differences in some areas. You can use both systems at the same time or one after the other.

You have the right to have your data erased, without undue delay, if one of the following grounds applies:

• Where your personal data is no longer necessary in relation to the purpose for which it was collected or processed.
• Where you withdraw your consent to the processing and there is no other lawful basis for processing the data.
• Where you object to the processing and there is no overriding legitimate grounds for continuing the processing
• Where you object to the processing and your personal data is being processed for direct marketing purposes
• Where your personal data has been unlawfully processed.
• Where your personal data has to be erased in order to comply with a legal obligation.
• Where your personal data has been collected in relation to the offer of ‘information society services’ (for example, social media) to a child.

There is further detailed information about the GDPR on dataprotection.ie.