How to access your personal data under the GDPR (2024)

  • Data protection terms
  • What personal data can I access?
  • How do I make an access request under data protection law?
  • How will the company or organisation deal with my request?
  • Can my request be refused?
  • After you receive your personal data
  • Access to particular types of personal data
  • Accessing records under Freedom of Information
  • The right to be forgotten
  • Further information and contacts

Data protection terms

You have a fundamental right of access to your personal data from data controllers under the General Data Protection Regulation (GDPR).

Personal data is information that relates to you, or can identify you, either by itself or together with other available information. Personal data can include your name, address, contact details, an identification number, IP address, CCTV footage, access cards, audio-visual or audio recordings of you, and location data.

Under data protection law, if an organisation or company is holding or using your personal data, you are known as a data subject.

The organisation or company holding or using that data is known as a data controller. However, the data controller can allow another person, organisation or company, known as a data processor, to process your personal data on its behalf.

Doing anything with your personal data, including storing it, is known as processing.

What personal data can I access?

You have the right to get a copy of any personal data which an organisation holds on you.

You also have the right to find out if your personal data is being processed.

If your personal data is being stored or used (processed), you have the right to know:

  • The reason why it is being processed
  • Where the personal data came from
  • Who your personal data will be shared with
  • How long your personal data will be kept
  • The categories of personal data being processed
  • How to exercise your data protection rights

The data processor should also tell you about your right to make a complaint to the Data Protection Commissioner.

Special Category Data

Some personal data is very sensitive and special rules apply to this information. These special categories include information that reveals any of the following:

  • Your race or ethnic origin
  • Your political opinions
  • Your religious or philosophical beliefs
  • Your trade union membership
  • Your health
  • Any biometric information (for example, your fingerprints) or genetic data
  • Your sexual orientation or sex life

The processing of this information is only allowed where you have given your explicit consent or where the information is absolutely necessary to meet other legal requirements. For example, you may have to inform your employer of your nationality to show that you have the legal right to work in Ireland.

How do I make an access request under data protection law?

There is no set way to make an access request but the following general advice can help you to avoid delays or confusion.

Make your request in writing

Ask as soon as possible and in writing. This can either be by letter or email. Seeking your personal data is known as making an access request or a data subject access request. You should state in the letter or email that it is an access request. This means that both you and the data controller will have a record of the request and its content if an issue arises later. Some large companies allow you to automatically download your personal information directly through their website.

Contact the relevant data protection officer

Many large organisations have a Data Protection Officer (or DPO) and they are generally the best person to contact about your request for information. You should be able to find their contact details in the privacy policy or ‘contact us’ section of the organisation’s website. Where there is no specific email address for a data access request, you should use the organisation’s general contact details.

Be specific

Make your request as specific as possible in relation to the personal data that you wish to access unless you want to access all the personal data that is held about you. Remember to specify whether you want the information in electronic format (as computer files) or in hard copy (on paper).

Send proof of your identity

Provide some additional, identifying information about yourself if needed. You may need to provide more than just your name because the organisation may have records on other people with the same name as you. The organisation may ask you to provide further evidence of your identity.

Costs

There is generally no fee for making an access request.

The main exception to this is where your access request is considered ‘manifestly unfounded or excessive’. For example, if you continue to make the same access request even though it has already been dealt with. If a data controller can prove that your request is manifestly unfounded or excessive, they can charge a reasonable fee for the administrative costs of providing the information requested.

They may also charge a fee based on administrative costs if you ask for additional copies of the information.

How will the company or organisation deal with my request?

The data controller must respond to your request within one month.

If the request is complex or involves a large amount of information, the data controller can extend the time to respond by a further two months. You should receive a written explanation for any extension within the initial one-month period.

If your request is very broad and requires the data controller to provide a large amount of information and documents, you may be asked to reduce the number of documents containing personal data requested. However, you can insist on receiving all the information and documentation held. If you do, it may take longer to comply with your access request.

In general, the data controller should respond to your access request in the same format the request was made, or in the way in which you specifically asked for a response. For example, if you emailed your request, the data controller should provide the information by email, unless you request otherwise.

Can my request be refused?

A data controller can refuse access to some or all of your data where:

  • Providing your personal data has an impact on the rights of others
  • Your personal data is listed with the personal data of others (In these cases, the data controller may remove the personal data of others to provide you with your data)
  • Your personal data is in a document that has trade secrets, confidential information or intellectual
  • The request is considered ‘manifestly unfounded or excessive’ (for example, if you made a request in the recent past and were told that the data controller had no personal data relating to you)

By law, access to your personal data may also be refused in relation to processing carried out:

  • For electoral purposes, such as publishing a roll of electors
  • By the Electoral Commission
  • In the administration of tax and duties
  • To safeguard Cabinet confidentiality
  • When defending legal claims

These exceptions are listed in Section 60 of the Data Protection Act 2018.

After you receive your personal data

When you receive your personal data after an access request, you have several other data protection rights.

If your personal data is inaccurate, you have the right to have the data corrected without delay.

If your personal data is incomplete, you have the right to have the data completed. This includes by providing supplementary information.

You can ask for your data to be deleted in some situations (see ‘The right to be forgotten’ below).

In some limited cases, you may be able to object to further processing of your personal data or its transfer to another processor.

What can I do if I am unhappy with the outcome of an access request?

If you are unhappy with the way your access request was processed, you can make a complaint to the Data Protection Commission (DPC).

The DPC is Ireland’s independent authority with responsibility for upholding the right of people in the EU to have their personal data protected. It monitors compliance with GDPR and other data protection legislation and deals with complaints in relation to data protection breaches. The DPC website contains helpful explanations of data protection law.

You may be unhappy with the way your request was handled because:

  • There was no response or a delayed response to your access request
  • The response to the request was incomplete
  • You believe the data controller wrongly relied on exemptions to not share your personal data with you

How do I make a complaint?

Complete the DPC’s online complaint form. You will be asked to provide evidence to support your complaint. This includes:

  • Evidence of your access request
  • Correspondence between you (or your legal representative) and the data controller and
  • Information in support of your belief that the data controller holds your personal information

Access to particular types of personal data

This section covers the following particular types of personal data or records:

  • Children’s personal data
  • Medical records
  • Garda records
  • People who have died

Children’s personal data

Children have the same data protection rights as adults and can make access requests. However, they are given specific protection with regard to their personal data. This is because they may be less aware of the risks and consequences of sharing their personal data. Also, they may be less aware of the safeguards available and their rights in relation to how their personal information is processed.

Parents and guardians may also be able to make access requests or exercise any other data protection right on behalf of their children. If a request is made by a parent or guardian, the data controller must consider the nature and circumstances of the request, including the age, capacity and views of the child and the child’s best interests.

Medical records

Your medical records are your personal information and you are entitled to access them.

If you are a patient in a public or publicly-funded hospital, or have a medical card or GP visit card, you can seek access in the following ways:

  • Make an access request under data protection law.
  • Make an access request under the Freedom of Information Act.
  • Write to the service provider or Health Service Executive and ask for your records.

You may have to provide information to help them locate your file, including your date of birth, current and previous addresses, the contacts you had with specific services and approximate dates.

Under data protection law, you can be refused access to your medical records if disclosure would give rise to serious harm to your physical or mental health. You can read more about access to medical records.

Garda records

You can ask An Garda Síochána for a copy of any personal data that it has about you. When you make an access request to the Gardaí, you are generally entitled to:

  • Get a copy of the personal data being kept about you
  • Be told why the data is being kept
  • Be told the identity of anyone that the Gardaí has shared the data with
  • Be told how the Gardaí obtained the data (unless this would be against public interest, for example, cause a risk of harm to someone else)

You can make a request for your personal data using the Garda Síochána subject access request form (pdf). Post the completed form to the address on the form or email it to DataProtection@Garda.ie.

The Gardaí can refuse your request for personal data and withhold that information in the following situations:

  • Your request for data would identify someone else. This also applies to the Gardaí's obligation to give you details of the source of the information. If the source of the information identifies somebody else, the Gardaí can withhold it
  • They have to refuse so as to prevent, detect or investigate crime, or to arrest or prosecute offenders
  • There are existing or expected legal proceedings or claims

You can read more about accessing your Garda record.

Deceased people

In Ireland, GDPR rules for the processing of personal data do not generally apply to those who have died. Access may be possible under Freedom of Information laws.

Accessing records under Freedom of Information

You can also access your personal information under freedom of information (FOI). This only applies to information held by public bodies (for example, government departments, local authorities and public hospitals).

Your rights under FOI are similar to your rights under GDPR. FOI allows you to access records containing your “personal information” and the data protection regime grants access to your “personal data”.

Access requests can be made under FOI and data protection at the same time, and you have similar rights in relation to the correction of any inaccurate personal information.

There is no time limit to access personal information in respect of both, and similar rules apply in relation to the organisation’s obligation to disclose. Making access requests for personal information is generally free under both.

In many cases, there won’t be a material difference between the two systems when making an access request in respect of your personal data from a public body. However, there are some important differences in some areas. You can use both systems at the same time or one after the other.

The right to be forgotten

You have the right to have your data erased, without undue delay, if one of the following grounds applies:

  • Where your personal data is no longer necessary in relation to the purpose for which it was collected or processed.
  • Where you withdraw your consent to the processing and there is no other lawful basis for processing the data.
  • Where you object to the processing and there are no overriding legitimate grounds for continuing the processing
  • Where you object to the processing and your personal data is being processed for direct marketing purposes
  • Where your personal data has been unlawfully processed.
  • Where your personal data has to be erased in order to comply with a legal obligation.
  • Where your personal data has been collected in relation to the offer of ‘information society services’ (for example, social media) to a child.

Further information and contacts

There is further detailed information about the GDPR on dataprotection.ie.

Page edited: 17 February 2023

Related documents

  • Overview of the General Data Protection Regulation (GDPR)

    This document outlines the main elements of the GDPR and links to further information about it.

  • Data protection in the workplace

    Overview of some of the main obligations for employers and outlines the rights of employees under Data Protection law.

  • Other EU data protection legislation

    Some uses of personal data fall outside the General Data Protection Regulation (GDPR) and are governed by separate pieces of legislation.

Contact Us

If you have a question about this topic you can contact the Citizens Information Phone Service on 0818 07 4000 (Monday to Friday, 9am to 8pm).

You can also contact your local Citizens Information Centre.


Author: Chrissy Homenick
