If you've read our guide to what GDPR means for small businesses, you'll already know that you must enable any individual whose data you hold to receive confirmation that their data is being processed, to have access to that data, and to be given the additional information described in our guide to information to be provided to individuals under the GDPR.
When do you need to provide the data?
This information must be provided within 1 month of the request and must be free of charge. If the requests are particularly complex or numerous, you may be allowed a 1-month extension, as long as you notify the individual first.
The only time it may be acceptable to charge an admin fee is for requests that are unfounded, excessive or repetitive.
An unfounded, excessive or repetitive request can also be refused. A request can also be refused if disclosing the information would adversely affect the rights and freedoms of others.
If you do refuse a subject access request, remember that you must let the individual know within 1 month of them making the request. The reasons for the refusal must be given to the individual, and they should be advised of their right to complain to the ICO (or the relevant supervisory authority), as well as their right to a judicial remedy.
If you accept the request, you should first use reasonable means to verify the individual's identity. If they made the request electronically, check whether they would be happy to receive the information in an electronic format.
Responding to rectification requests
After receiving the information, the individual may tell you that the data is incomplete or inaccurate. If this happens, you must make the amendments within 1 month of being informed (for complex amendments, you may be able to extend this by another month), and you must also share the amendments with any third parties you shared the original data with.
If you don't agree with the individual's amendments, you need to let them know, along with your reasons for refusal, within 1 month of receiving the information update from them.
Data processing restrictions
Another rule under the GDPR is that individuals have a right to restrict you from processing their data. You can still store it, but you can't continue to process it in any other way.
Data processing must be restricted if:
• The accuracy of the data has been questioned (you may be able to resume processing if you later confirm that it is accurate)
• You're assessing whether your business has legitimate grounds for processing that override the individual's objection to their data being processed (where the processing was necessary to carry out a task in the public interest or for the purposes of legitimate interests)
• The individual needs the data for legal reasons and you no longer need it
• The processing is unlawful, but the individual opposes their data being deleted and asks for processing to be restricted instead
If you do need to restrict data processing, you must inform any third parties you've shared the data with, and you're also required to let the individual know if you decide to lift the restriction at any time.