DSAR refused, not actioned 2nd time and then again!
So, as the title says, I'm having massive issues getting my data.
I have a complaint which has now been ongoing for nearly 7 months and wanted my data to include in a complaint to OFCOM, CISAS and ICO. On the first occasion in December I made the request and was told my data would be with me in 40-45 days. During the same call I requested a deadlock letter.
2nd time, I was told that the initial request had been declined! (No communication to me at all regarding this decision; direct breach of GDPR rules). I made the request again and was assured that it would now be dealt with. I queried why I had not received the deadlock letter and was told that it would be sent "in due course".
Almost 60 days later, still nothing!
I called again and was told that my DSAR request "hadn't been done properly" and that I would need to do it again. I asked to speak to a manager and was refused as "they will only tell you the same thing I did". I asked on the status of my deadlock letter and was told that it had been sent but no date could be given as to when. I have still to date not received it.
I am being held over a barrel by Virgin. They have not given me the information I need to make a formal complaint, have broken the law in doing so and refuse to give me any compensation.
Please can someone with the authority to get this sorted out contact me.
Re: DSAR refused, not actioned 2nd time and then again!
Thanks for your post. I'm very sorry to read about your experience; this is not what we would want or expect for you.
I would love to take a look into this further for you. To be able to do this, I will need some details. I will send you a PM asking for the details needed. If you can reply to this, I will be more than happy to help.
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.
A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.
This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.
Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.
Guidance on how long you have to comply with a request:
You must act on the subject access request without undue delay and at the latest within one month of receipt.
You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.