I was one of the people who received an email about a data breach months ago, then a follow-up saying I was one of the people directly affected.
I contacted the DPO department in early March to make a data subject access request; I got a stalling reply weeks later blaming lockdown for lack of response. Then I received another email saying they can't give out details to my email address (which they sent to instead of my Virgin Media address) because of security issues (how ironic). They asked for me to send them 'utility bills and other documents which are necessary to the data I require'??? or they consider the matter closed.
I followed up asking why we cannot continue via postal letters/phone calls if they require proof of who I am.
I heard nothing more until last week, when I got an email saying that I have requested they stop sending marketing mail to me and will update the systems, totally ignoring my actual request and doing something which I did not ask.
I require specific information on which data was breached. When will my actual request be dealt with?
The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from the data subject, any available information as to their source;
the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
2. Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.
3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.
The GDPR does not specify how to make a valid request. Therefore, an individual can make a subject access request to you verbally or in writing. It can also be made to any part of your organisation (including by social media) and does not have to be to a specific person or contact point.
A request does not have to include the phrase 'subject access request' or Article 15 of the GDPR, as long as it is clear that the individual is asking for their own personal data.
This presents a challenge as any of your employees could receive a valid request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.
Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.
Guidance on how long you have to comply with a request:
You must act on the subject access request without undue delay and at the latest within one month of receipt.
You should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
Can we ask an individual for ID?
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality.
You need to let the individual know as soon as possible that you need more information from them to confirm their identity before responding to their request. The period for responding to the request begins when you receive the additional information.