FAQs
Difficulties with my Subject Access Request?
The one-month time frame has elapsed and I have not got my data; what can I do?
If, following the expiry of the one-month time limit, you have not received any response from the data controller regarding your subject access request, it is open to you to submit a reminder to the data controller. At the same time, you can also submit a formal complaint to the Data Protection Commission (DPC).
I am not happy with the responses of the data controller; what can I do?
Are there any exceptions to the right of access?
Yes. Article 23 of the General Data Protection Regulation (GDPR) and various provisions under the Data Protection Act 2018 (such as section 60) set out a number of circumstances in which your right to obtain a copy of your personal data can be lawfully restricted by a data controller. This is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand.
How long does an organisation have to respond to my access request?
Data controllers must respond to such requests within one month of receipt of the request, although this one-month time frame can be extended by up to two further months if, for example, the request is complex (Article 12(3) of the General Data Protection Regulation (GDPR)).
What is Politically Exposed Persons (PEP) screening?
Financial institutions are legally obliged under Anti-Money Laundering (AML) legislation to carry out Politically Exposed Persons (PEP) screening where there is a 'reasonable risk' of money laundering and terrorist financing.
Can an organisation retain my credit card / bank account details after I close my account with that organisation?
The “storage limitation” principle in Article 5(1)(e) of the General Data Protection Regulation (GDPR) requires that personal data… is kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. If the purpose for which the information was obtained has ceased and the personal data is no longer required, the data must be deleted or disposed of securely.
Can my insurance company request a copy of my full medical records from my GP?
As part of their claims processing procedures, health insurance companies may request medical information directly from a patient’s medical practitioner or service provider (hospital) so that medical costs and services can be paid. This is normally done with the consent of the patient, who completes the relevant claim form with their insurer.
How long can an insurance quote be held for?
When a person is seeking a quotation for an insurance policy, it is part of the contractual process whereby the initial stages are known as “an invitation to treat”. This means that the customer provides relevant information to the insurance company for assessment; based on the information supplied, the insurance company then makes an offer of insurance with the relevant cost of same to the consumer, who in turn either accepts or rejects such offer.
I have a concern about an image available on Google Street View. What should I do?
Where images are captured by Street View cameras, there is typically a time delay before images are published on the internet; therefore the image available through Street View is not a 'real time' image. This delay allows Google to apply blurring technology to faces and car registration plates. It is important to note that street views of property or family pets do not constitute personal data and are therefore not subject to data protection law (and consequently not subject to requests for erasure under Article 17 of the GDPR).
What is the position regarding individuals taking photographs/videos in a public place?
There is nothing in the General Data Protection Regulation (GDPR) that prohibits people from taking photos in a public place. Provided you are not harassing anyone, taking photographs of people in public is generally allowed and most likely will qualify for the household exemption under Article 2(2)(c) of the GDPR.
What security measures should I have in place to protect personal data from unauthorised processing?
The General Data Protection Regulation (GDPR) requires that appropriate security measures be put in place which take account of the harm that would result from accidental or unlawful processing, including destruction, loss, alteration, unauthorised disclosure of or access to the information. The security measures should ensure ongoing confidentiality, integrity, availability and resilience of the processing systems. This should take account of best practice in available technology and processes and the cost of installation.