The one-month time frame has elapsed and I have not got my data; what can I do?

If, following the expiry of the one-month time limit, you have not received a response at all from the data controller regarding your subject access request it is open to you to submit a reminder to the data controller. At the same time, you can also submit a formal complaint to the Data Protection Commission (DPC).

I am not happy with the responses of the data controller, what can I do?

If the subject access request was not responded to in full, or if you are otherwise dissatisfied with the response of the data controller, the Data Protection Commission (DPC) suggests in the first instance, to set out your concerns to the data controller in writing and provide them with an opportunity to respond. If you remain dissatisfied with their response you may, at that stage, submit a formal complaint to the DPC.

If you are making a complaint it will be necessary for you to forward to the DPC, copies of your original request to the data controller (including any reminders/ subsequent correspondence) and a copy of their response (only the cover letter and not copies of the personal data they may have provided). You are also asked to clearly set out the details of your data protection complaint together with a list of any personal data you believe is outstanding (if that is why you remain dissatisfied). The DPC will then examine the matter for you on your behalf and will keep you informed of our progress on this matter.

I cannot locate the data controller, what can I do?

It will be necessary for an individual to try and locate the whereabouts of the data controller if they wish to lodge a complaint with the Data Protection Commission (DPC). Individuals can carry out an online search for the data controller, or contact their governing body if the data controller belongs to such a body. The DPC will not be in a position to pursue a complaint in the absence of an identifiable data controller.

The data controller has gone into liquidation, how can I now access my data?

If the organisation has gone into liquidation, it will be necessary for individuals to establish who is now determining the purposes and means of processing their data. Liquidators tend to be agents of the company, and if the liquidator assumes responsibility for determining the purpose and means of the processing of personal data, it may be the case that the liquidator becomes the data controller.  It is the facts and the circumstances that identify who is the data controller as opposed to their title.

The data controller has gone into receivership, how can I now access my data?

If a receiver is tasked with disposing of the assets of the company, such as computers that contain personal data, or if they are in fact appointed by the High Court, then under both sets of circumstances, they are responsible for the data stored in the company and are considered the data controller.

For further information, read our guidance on Data Protection Considerations Relating to Receivership.