Book contents
- Frontmatter
- Dedication
- Contents
- Acknowledgements
- 1 Introduction to information rights law
- 2 Freedom of information
- 3 Freedom of information exemptions
- 4 Data protection: principles and main features
- 5 Data protection: rights of data subjects
- 6 Data protection: internal enquiries
- 7 Environmental Information Regulations
- 8 Other information-related laws
- 9 Fitting information and records management into information rights work
- 10 Resources
- Notes
- Index
5 - Data protection: rights of data subjects
Published online by Cambridge University Press: 01 June 2019
- Frontmatter
- Dedication
- Contents
- Acknowledgements
- 1 Introduction to information rights law
- 2 Freedom of information
- 3 Freedom of information exemptions
- 4 Data protection: principles and main features
- 5 Data protection: rights of data subjects
- 6 Data protection: internal enquiries
- 7 Environmental Information Regulations
- 8 Other information-related laws
- 9 Fitting information and records management into information rights work
- 10 Resources
- Notes
- Index
Summary
This chapter includes the types of requests that data subjects can make relating to data held and processed by a data controller and data processor. The basics of data protection are covered in Chapter 4 and the types of enquiries likely to be raised by staff, including data protection impact assessments and transfers outside the EU, are covered in Chapter 6.
Introduction
This chapter covers the types of requests that you are likely to deal with as a Data Protection Officer (DPO) or in helping the DPO at your organization.
Individuals have been able to request data about themselves under the Data Protection Act (DPA). This right is strengthened in the General Data Protection Regulations (GDPR), although there is now also the pos - sibility of refusing a request if it is manifestly unreason able, which was not available in the DPA. Under the DPA, you had 40 days to respond.
Data subjects also had the right to get their incorrect information corrected or deleted under the DPA if the data controller did not have a reason to keep it. Data subjects could also object to marketing or automated processing. You had 21 days to respond to these types of requests under the DPA. These rights have also been strengthened in the GDPR and a right to data portability (see below) has been added.
Under the GDPR, all requests from data subjects must be responded to within one month. At the time of writing, there is no guidance as to what this length of time is in days. In UK law, there is a definition of a month, as given in Halsbury's Laws of England:
When the period prescribed is a calendar month running from any arbitrary date the period expires with the day in the succeeding month immediately preceding the day corresponding to the date upon which the period starts: save that, if the period starts at the end of a calendar month which contains more days than the next succeeding month, the period expires at the end of the latter month.
So it could mean you have 28 days to respond in February, 31 days in March and 30 days in April, unless you receive the request on 31 March, which gives you only until 30 April to respond.
- Type
- Chapter
- Information
- Information Rights for Records Managers , pp. 99 - 120Publisher: FacetPrint publication year: 2018