As the GDPR draws ever closer, our new and updated content continues. This
month, our Data Processing Agreement for UK and EEA-based Data Processors
has been updated, and we have published an all-new Subject Access Request
toolkit for handling data subject access requests.
Updated Data Processing Agreement
The GDPR places considerable importance on the responsibilities of data
processors. A data processor is any party that processes personal data on
behalf of a data controller. If, for example, Company A collects personal
data from its customers and subsequently enters into a service agreement
with Company B, under which that personal data will be handled in some way
by Company B, Company A will be the data controller and Company B, the data
When any data controller uses a data processor, a written contract must be
in place to govern the data processing. The GDPR sets out the key points
that such contracts are required to cover. Our Data Processing Agreement
for UK and EEA-based Processors has now been comprehensively updated,
incorporating all required provisions under the GDPR in addition to further
detail governing liability and indemnity.
New Subject Access Request Toolkit
Under the GDPR, data subjects have the right to access their personal data.
This is done by means of a data subject access request. If any personal
data relating to that person has been collected, held, or processed, the
data controller (in this case, you) must, in response to the request,
confirm this and provide access to the personal data in question (by,
for example, providing a copy of it to the data subject). The GDPR also
requires additional information including (but not limited to) details of
what the data is used for and how long it is to be retained.
You must respond to a subject access request within one month of receipt
(although this does not necessarily mean a full response as you may require
further information from the data subject, or – in some cases – more time
to process the request). A significant change from the Data Protection Act
regime also means that, under normal circumstances, it is no longer
possible to charge for responding to a subject access request (although,
again, there are exceptions).
Our new Subject Access Request Toolkit for Business users follows on from our subject access request documents published last month for Employment users. In this case, the templates have been designed for use with a broader audience, most notably customers or clients, and provide more detail to data subjects who would not otherwise be in a position to consult with other staff members. Subscribers to both Business and Employment may, therefore, find both versions to be of use in different scenarios.
The toolkit begins with a Subject Access Request Form for data subjects to use. There is no particular format for a subject access request set out by the GDPR, but this form is designed to make it easier both for data subjects and for you.
The remainder of the toolkit consists of a series of letter templates
covering different scenarios ranging from a simple “No, we don’t have any
data!” to a “Good heavens! We’re going to need a fee and lots more time!”
and a few points in between! Please note, however, that due to the wide
range of potential data types and formats used by different organisations,
we have not included a template for the final compliance with the request –
i.e. when supplying data subjects’ personal data.
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific