GDPR Subject Access Request
Comments
- 
            
All lovely in theory but I've had my fingers burnt too many times by variations of "I've no idea what you're talking about" responses to trust anything less than [the closest I can reasonably get to] absolute proof and unambiguous clarity of my request.

MacPingu1986 said:
Gary - you don't need any of the Article/Clause references, the DPA/GDPR are so flexible that any vague reference to wanting copies of personal data is sufficient, even if there's no reference to the DPA/GDPR in the letter/email at all.

GaryBC said:
Sort of drifting off topic a bit peeps!
It's still a letter template I'm after. One that includes references to "in accordance with Article blah" and "as stated in Clause yadda" etc.

A simple heading of "this is a subject access request under UK data protection legislation" is absolutely fine.
I know you have your heart set on a signed for letter but it also really isn't necessary, sending an email to the email address on their privacy policy is again, absolutely fine and you have the sent email in your sent items as your proof you sent it and it's *incredibly* unlikely that a fault will mean the email isn't received.
Plus on the actual practicalities of your SAR getting to the right team to respond to it, it's much more likely to happen via email than by a letter that can easily get lost in transit within the company after delivery.

As for reaching the individual concerned that's only a problem in large, faceless, corporations.
- 
            
Only a problem in large companies.

RefluentBeans said:
To add - most companies will have a data protection officer who will receive all these emails/correspondence; and most companies have an email address of this person on the website (even if it’s a generic dpo@… email address). Saves customer service staff trying to resolve any issues thinking it’s a customer service issue.
- 
            
If it’s a small company why can’t you email followed by a phone call to confirm receipt of email? If a small company there’s even less reason to be as pedantic with legalese.

GaryBC said:
Only a problem in large companies.
- 
            
Phone calls are the absolute easiest to deny! And size bears no relationship to the tendency to stick fingers in ears and hum!

RefluentBeans said:
If it’s a small company why can’t you email followed by a phone call to confirm receipt of email? If a small company there’s even less reason to be as pedantic with legalese.

Nope, I'm sticking with my 'legalese' and a signed for letter.
- 
I think you're making things more difficult than they really need to be.

Template subject access request letter/email

[Fill in the blank spaces below with as much detail as possible.]

To: ___________
Subject line: Subject Access Request
Date: [if you’re writing a letter on paper remember to include today’s date]

Dear [put their name if you know it, or the name of the service],

I would like a copy of the following personal data that you hold about me, and which I have a right to view under the Data Protection Act 2018:

[include a list of all the information you want. This might be very specific e.g. all emails from person A to person B, or it could be more general e.g. all information you held about me from July 2018 to July 2019.]

If you need any further information from me, please let me know as soon as possible. I would like you to contact me by __________ [e.g. phone, email or post].

I would prefer if you sent me a copy of my data in a printed/electronic format [you can specify whether you want to receive your information printed or in electronic format].

I would like to remind you that data protection law requires you to respond to my request within one month.

Please can you confirm that you have received and read this request?

Thank you,
[write your name here]
- 
            
The purpose of the phone call is just to confirm the email. A letter being delivered could be as easily denied ‘no we didn’t get it - must’ve delivered to our neighbour’. Personally I’d want to save my £5 rather than pay for special delivery

GaryBC said:
Phone calls are the absolute easiest to deny! And size bears no relationship to the tendency to stick fingers in ears and hum!
Nope, I'm sticking with my 'legalese' and a signed for letter.
- 
            
Things are already difficult. Which is why I want to cut through all the opinions and obfuscation and direct the recipient towards exactly what he is to do and why.

powerful_Rogue said:
I think you're making things more difficult than they really need to be.
Template subject access request letter/email
- 
GaryBC said:
Things are already difficult. Which is why I want to cut through all the opinions and obfuscation and direct the recipient towards exactly what he is to do and why.

The template I posted and linked to is all you need. It's as simple as that.
- 
            
What phone call? I never got a phone call?

RefluentBeans said:
The purpose of the phone call is just to confirm the email. A letter being delivered could be as easily denied ‘no we didn’t get it - must’ve delivered to our neighbour’. Personally I’d want to save my £5 rather than pay for special delivery

And a fiver is an insignificantly tiny sum compared to what's at stake!
- 
What if they deny that your Special Delivery item contained the letter you claim it did?