SAR & GDPR 2018


  • SAR & GDPR 2018

    Now that we're ready for the GDPR, did you know that you no longer need to pay for requesting a Subject Access Request (now known as a Right of Access)? Similarly, you no longer need to actually write in anymore - you can use any formal means of contact such as requesting your information via phone, Facebook (and other social media outlets) or via email, if the firm can adequately identify you of course.

    So with that in mind this page is to help deal with any Right of Access queries that may come up, and to highlight firms who are not accepting requests and trying it on!

    The official line from the ICO is as follows:
    • Individuals have the right to access their personal data.
    • This is commonly referred to as subject access.
    • Individuals can make a subject access request verbally or in writing.
    • Firms have one month to respond to a request.
    • Firms cannot charge a fee to deal with a request in most circumstances.
    You can read the ICO guide here - The ICO - Right of Access

    What is the right of access?
    The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.

    What is an individual entitled to?
    Individuals have the right to obtain the following from firms:
    • confirmation that their personal information is being processed;
    • a copy of any personal data; and
    • other supplementary information - this largely corresponds to the information that should be provided in a privacy notice.
    Other information
    In addition to a copy of their personal data, firms must also provide individuals with the following information:
    • the purposes of their processing;
    • the categories of personal data concerned;
    • the recipients or categories of recipient they disclose the personal data to;
    • their retention period for storing the personal data or, where this is not possible, the criteria for determining how long they will store it;
    • the existence of your right to request rectification, erasure or restriction or to object to such processing;
    • the right to lodge a complaint with the ICO or another supervisory authority;
    • information about the source of the data, where it was not obtained directly from the individual;
    • the existence of automated decision-making (including profiling); and
    • the safeguards provided if they transfer personal data to a third country or international organisation.
    Most firms, including us here at AAD, are already providing much of this information already in our privacy notice. Ours can be accessed here - AAD Privacy Policy

    How does the ICO recognise a request?
    The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to a firm verbally or in writing. It can also be made to any part of the organisation (including by social media) and does not have to be to a specific person or contact point.

    A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data. However, even if the firm has a form, you should note that a subject access request is valid if it is submitted by any means, so they will still need to comply with any requests received in a letter, a standard email or verbally.

    Therefore, although a firm may invite individuals to use a form, they must also make it clear that it is not compulsory and must not try to use this as a way of extending the one month time limit for responding.

    Right of Access Template
    If you'd like to stick to the norm and send a written request for information in, which we still recommend (as you have a paper copy / evidence of the request), then you could consider using the template below which should be ample for the firm to comply with your request:

    Dear Sirs,

    Ref: {enter your account details}

    In line with article 15 of the General Data Protection Regulation 2018 (GDPR) I hereby formally request that you provide me a copy of all information held about me on your systems, in paper format or other means.

    This is a data subject request so please send me everything that you hold about me to my home address as detailed below:

    {enter your address}

    I look forward to receiving the requested information within the next 30 days, as per the GDPR.

    Yours faithfully

    Yes, it really is that basic - that is all you need to send for the firm to adequately respond to your request.

    If you have any queries or questions please post them below...
    I'm the forum administrator and I look after the theme & features, our volunteers & users and also look after any complaints or Data Protection queries that pass through the forum or main website. I am extremely busy so if you do contact me or need a reply to a forum post then use the email or PM features offered because I do miss things and get tied up for days at a time!

    If you spot any spammers, AE's, abusive or libellous posts or anything else that just doesn't feel right then please report them to me as soon as you spot them at: webmaster@all-about-debt.co.uk

  • #2
    A s.78 (CCA Request) is NOT included. Under s.77/78 you have separate rights which is where the CCA requests originate.

    Therefore you still need to continue to pay the statutory £1 fee for all s.77 / s.78 requests.
    • #3
      A Credit Agency statutory report IS included. As the CRA (Experian / Equifax / Call Credit) processes your personal information (data), they must also be GDPR compliant which means you can send a Data Request in for free.

      At the present time the template above will suffice as it's still relevant by requesting copies of all your data. However add a part stating you'd like your most recent credit file too.

      Something like "please also provide my most recent statutory credit report within my request" will be fine.

      This won't mean you get online access to daily credit scores / reports; it's specific to your statutory report which used to cost £2 - it'll now be free as well.