Data Processing and Subject Access Requests
As the GDPR draws ever-closer, our new and updated content continues. This month, our Data Processing Agreement for UK and EEA-based Data Processors has been updated, and we have published an all-new Subject Access Request toolkit for handling data subject access requests.
Updated Data Processing Agreement
The GDPR places considerable importance on the responsibilities of data processors. A data processor is any party that processes personal data on behalf of a data controller. If, for example, Company A collects personal data from its customers and subsequently enters into a service agreement with Company B, under which that personal data will be handled in some way by Company B, Company A will be the data controller and Company B, the data processor.
When any data controller uses a data processor, a written contract must be in place to govern the data processing. The GDPR sets out the key points that such contracts are required to cover. Our Data Processing Agreement for UK and EEA-based Processors has now been comprehensively updated, incorporating all required provisions under the GDPR in addition to further detail governing liability and indemnity.
New Subject Access Request Toolkit
Under the GDPR, data subjects have the right to access their personal data. This is done by means of a data subject access request. In response to a request, a data controller (in this case, you) must, if any personal data relating to that person has been collected, held, or processed, confirm that this is the case and provide access to the personal data in question (for example, by providing a copy of it to the data subject). The GDPR also requires additional information to be provided, including (but not limited to) details of what the data is used for and how long it is to be retained.
You must respond to a subject access request within one month of receipt (although this does not necessarily mean a full response, as you may require further information from the data subject, or – in some cases – more time to process the request). In a significant change from the Data Protection Act regime, under normal circumstances it is no longer possible to charge for responding to a subject access request (although, again, there are exceptions).
Our new Subject Access Request Toolkit for Business users follows on from our subject access request documents published last month for Employment users. In this case, the templates have been designed for use with a broader audience, most notably customers or clients, and provide more detail to data subjects who would not otherwise be in a position to consult with other staff members. Subscribers to both Business and Employment may, therefore, find both versions to be of use in different scenarios.
The toolkit begins with a Subject Access Request Form for data subjects to use. There is no particular format for a subject access request set out by the GDPR, but this form is designed to make it easier both for data subjects and for you.
The remainder of the toolkit consists of a series of letter templates covering different scenarios ranging from a simple “No, we don’t have any data!” to a “Good heavens! We’re going to need a fee and lots more time!” and a few points in between! Please note, however, that due to the wide range of potential data types and formats used by different organisations, we have not included a template for the final compliance with the request – i.e. when supplying data subjects’ personal data.
The contents of this Newsletter are for reference purposes only and do not constitute legal advice. Independent legal advice should be sought in relation to any specific legal matter.