Law Stack Exchange
Law Stack Exchange

Questions tagged [subject-access-request]

20 questions
11
votes
2 answers

Are users' personal notes about other users subjected to the GDPR right of access?

Some applications, like Discord or Mastodon, allow a user A to put private notes (only accessible to A) next to the profile of another user B. This data is very probably Personal Identifiable Information (PII) according to GDPR: it is linked to a…
user19917937
  • 113
  • 4
10
votes
3 answers

Do data protection officers typically have any actual incentive to integrity in their performance of statutory duty?

Meet Bob. Bob was brutally assaulted by store security in a big corporate chain store. Bob would like to obtain evidence of the same and thus submits a gdpr subject access request to the central head office. He requests any CCTV footage from the day…
JosephCorrectEnglishPronouns
  • 6,409
  • 4
  • 31
  • 75
6
votes
2 answers

Is a sent email in someone else’s inbox subject to data subject rights of the sender?

Suppose Bob emails Alice, and both use Hotmail for their e-mail provider. Bob then deletes the message from his sent mail folder. Could Bob issue a subject access request (SAR) to Hotmail for the message (provided it is in fact still) held by…
TylerDurden
  • 11,476
  • 3
  • 33
  • 105
5
votes
1 answer

GDPR subject access request for short-lived data

Suppose someone makes a GDPR subject access request for data that is always deleted after less than the required response period, (eg: CCTV footage that gets overwritten every 14 days). Does this mean the controller can always safely reply that…
Tom V
  • 467
  • 2
  • 9
3
votes
2 answers

Access rights to professional photographs

An independent professional photographer uses a sales tactic of candidly taking photos of others in public and then approaching them and offering them copies for a price. Suppose one of these photographed subjects turns around and…
TylerDurden
  • 11,476
  • 3
  • 33
  • 105
3
votes
1 answer

Refused a subject access request

A person has made an email allegation to my daughters school that I have been emotionally abusing my daughter. The school have decided not to take this any further due to the fact they believe its hearsay and they have seen no evidence to support…
Paul Smith
  • 31
  • 1
2
votes
1 answer

How can data received in online subject access request form be used by ACRO?

Meet Bob. Bob has requested his PNC file from ACRO Criminal Records Office under the Data Protection Act. Their online request form solicits much intrusive information. What purposes may information so supplied be used for?
JosephCorrectEnglishPronouns
  • 6,409
  • 4
  • 31
  • 75
1
vote
1 answer

What does "reasonable and proportionate" mean wrt GDPR SAR ID requirements?

When one makes a GDPR Subject Access Request (SAR) the data controller should confirm that the request is really coming from the data subject. From here Recital 64 of GDPR states; “The controller should use all reasonable measures to verify the…
User65535
  • 10,342
  • 5
  • 40
  • 88
1
vote
1 answer

Is Cameron a data controller?

Cameron doesn’t take greatly thoughtful pains in defining himself with respect to his street and online activities. Some may consider him a political activist, some a citizen and/or amateur journalist, but in any case he attends many political…
TylerDurden
  • 11,476
  • 3
  • 33
  • 105
1
vote
1 answer

Are data controllers required to acquire the means to appropriately redact data for disclosure to subjects?

Bob appears in CCTV footage that is held by all of ACME, BCME & CCME, but also features Alice and Charles. He requests access to the footage from all of the companies and receives three different responses from each: ACME painstakingly goes through…
TylerDurden
  • 11,476
  • 3
  • 33
  • 105
1
vote
1 answer

SARing received text messages from a lost phone

Al loses his phone and it runs out of battery. He then is sent 10 SMS from various people. He then recovers his phone and switched it on and the messages are all received. Bob loses his phone but never recovers it yet would like to see any messages…
TylerDurden
  • 11,476
  • 3
  • 33
  • 105
1
vote
1 answer

Incomplete/unserviceable SAR submissions and deletion timeframes

Bob was party to an incident in a shop that keeps CCTV footage for 30 days. 28 days later he submits a request for this responsive footage, but neglects to include with it adequate selfidentification materials like license or proof of address. Two…
JosephCorrectEnglishPronouns
  • 6,409
  • 4
  • 31
  • 75
0
votes
0 answers

What is the legality and consequence of blocking one who submits a SAR?

Alice submits a subject access request to Bob via WhatsApp, Bob responds to this by blocking Alice, but otherwise ignores her. What is the legality and consequences of Bob’s response to her SAR?
TylerDurden
  • 11,476
  • 3
  • 33
  • 105
-1
votes
1 answer

SAR before claim: tactical and legal considerations

A claimant C intends to sue a business B, which is also a data controller. Independently of the prospect of any civil action, C is entitled to make a SAR (Subject Access Request) to B under the Data Protection Act 2018, and may be tempted to do so…
TylerDurden
  • 11,476
  • 3
  • 33
  • 105
-1
votes
1 answer

What are good tips and tricks to keep in mind when performing a subject access request for a comprehensive record of self-pertinent data from the met?

Bob would like to obtain as comprehensive as possible am archive of all data held on him by the metropolitan police, as well as any other police networks that they may be part of and share data with/on, like for example the PNC. What self-pertinent…
JosephCorrectEnglishPronouns
  • 6,409
  • 4
  • 31
  • 75
1
2