Individuals' access to personal data

If your business stores, uses or otherwise deals with information about an identifiable individual, that person is entitled to make a number of requests of you about that information, known as . These include requests for copies, transfers, amendments, deletion or for you to stop using the data. This section will help you to understand your legal obligations and to put in place policies and procedures so that you can prepare for, identify and deal with requests efficiently.

Policies and procedures for dealing with data subject requests

  1. What policies and procedures should I have to deal with data subject requests?
  2. What practical steps can I take in preparation for dealing with data requests?

Data subject requests in general

  3. What should I do if I receive a request from an individual about their personal data?
  4. How do I check whether a request from an individual about their personal data is one I am legally required to consider?
  5. How do I acknowledge receipt of a request from an individual about their personal data and verify their ID?
  6. How do I identify the scope of a request from an individual about their personal data?
  7. Can I charge a fee for responding to a request from an individual about their personal data?
  8. How long do I have to respond to a request from an individual about their personal data?

Subject access requests

  9. What is a subject access request?
  10. How should I respond to a subject access request?
  11. How long do I have to respond to a subject access request?
  12. Can I request clarification for a subject access request?
  13. When should I request clarification for a subject access request?
  14. What if I do not get a reply to my request for clarification of a subject access request?
  15. How do I locate the information that is relevant to a subject access request?
  16. What if I cannot find any data relevant to a subject access request?
  17. Can I refuse a subject access request?
  18. How do I ensure that no other individual's personal data is included in the response to a subject access request?
  19. How should I send the response to a subject access request to the individual concerned?

Requests to transfer or port personal data

  20. What is a request to transfer or port personal data to another person or business?
  21. How should I respond to a request from an individual to transfer or port personal data to another person or business?
  22. How do I locate the information that is relevant to a request from an individual to transfer or port personal data to another person or business?
  23. How do I ensure that no other individual's personal data is included in the response to a request from an individual to transfer or port personal data to another person or business?
  24. How should I send the response to a request from an individual to transfer or port personal data to another person or business?

Requests to delete data

  25. Can an individual request that I delete data about them?
  26. How should I respond to a request to delete data?
  27. What is the individual's right to be forgotten?
  28. How do I check whether the right to be forgotten applies to a request to delete data?
  29. Are there any exceptions to the right to be forgotten that mean I do not have to delete the data?
  30. How do I locate the data that is relevant to a request to delete data?
  31. How do I delete the data that is relevant to a request to do so?
  32. Do I have to inform third parties whom I have shared the data with that it has been deleted in response to an individual's request?
  33. Do I have to notify the relevant individual that their data has been deleted in response to a request from them to do so?

Requests to correct inaccurate data

  34. Can an individual request that I correct inaccurate data I hold about them?
  35. How should I respond to a request to correct inaccurate personal data?
  36. How do I locate the relevant data in need of correction in response to a request to do so?
  37. Can I still use an individual's personal data if I have had a request to correct it?
  38. How will I know if I need to correct inaccurate data in response to a request to do so?
  39. Do I have to inform third parties I have shared the data with that it has been corrected in response to an individual's request?
  40. Do I have to notify the relevant individual that their data has been corrected in response to a request from them to do so?

Requests to stop using personal data

  41. How should I respond to a request to stop using personal data?
  42. Do I have to stop using personal data immediately if I have had a request to do so?
  43. How do I know if I am legally required to stop using data in response to a request from an individual to do so?
  44. Do I have to delete data in response to a request from an individual to stop using it?
  45. Do I have to notify the relevant individual that I have stopped using their data in response to a request from them to do so?

Letter to party who has been supplied with data to confirm its correction

This template letter to a party who has been supplied with data to confirm its correction will allow you to produce a letter to be sent to anyone with whom you have shared personal data that you have subsequently had to correct or complete after a request from the individual whose data you have shared. If you have shared the personal data with any other people or organisations, you must take reasonable steps to attempt to inform them about the correction you have made. If you have shared the data widely, you will need to be satisfied you have done all you reasonably can to notify others of the correction. You do not have to make disproportionate efforts to do so, but you should at least take steps to contact other organisations you have shared the data with. This letter will help you to take those steps. You can also get this template letter as part of the Data subject request toolkit.
£10 + VAT

Request form to correct inaccurate or incomplete data

This request form to correct inaccurate or incomplete data can be used to produce a template that you can give to individuals who want you to correct inaccurate or incomplete personal data that you hold about them. Using a template like this means individuals can make their request to correct personal data in a standard format, which is easier for you to process. Having a standard format also helps staff identify a request to correct personal data and direct it to the appropriate person. Making request forms to correct data available also means you can set out the information that any individual will need to provide when they want a correction to be made. However, you must not insist that people make a request to correct data using this form. You must also deal with requests to correct personal data that are sent by other means. You can also get this request form template as part of the Data subject request toolkit.
£10 + VAT