Date: Thursday, 30th May 2024
Time: 9.30am – 4.00pm
CPD: 5.5 CPD Hours
Method of Delivery: Online
Individuals have the right to access and receive a copy of their own personal data. This is commonly referred to as a Data Subject Access Request or ‘DSAR’ and is a request made within an organisation.
Dealing with a Data Subject Access Request is important for several reasons, especially in the context of data protection and privacy regulations. It is also essential for legal compliance, protecting individual rights, building trust, managing risks and establishing internal accountability within an organisation.
SARs are a fundamental aspect of individuals’ rights to privacy and control over their personal information. Proper training ensures that employees understand the procedures and legal requirements associated with SARs, reducing the risk of non-compliance and potential legal consequences. Employees need to understand their roles in the SAR process, from recognising and validating requests to coordinating the retrieval of information and the response.
Learning Outcomes/What is Covered?
Delegates will be given a detailed outline of the following areas:
How to manage and respond to a Subject Access Request:
- GDPR – Key definitions and introduction to changes to DSARs
- Data Access Request Regime under GDPR
- Access Rights
- Restrictions (GDPR)
- Exceptions to Right of Access
How to create an efficient DSAR process:
- Review of systems
- Draft/amend processes
- Draft/amend templates
- Verification and log
A recent case of 26 October 2023 from the European Court of Justice (ECJ) (C-307/22 – FT Copies du dossier médical) on the right of access to information under Article 15 of the GDPR is of general importance to anyone dealing with DSARs, in that the court decided that the purpose (or intention) of the data subject doesn’t have to relate to data protection. According to Recital 63, purposes related to data protection are those which enable the data subject “to be aware of, and verify, the lawfulness of the processing”. This case will be analysed during the training, but it is important to note that generally the controller is not entitled to question the purpose, or relevance (of the information) to the data subject, when responding to a DSAR. We will discuss situations where controllers may, in some circumstances, refuse to comply (or comply only partially) with DSARs.
Who should attend?
This training will benefit Data Protection Officers (DPOs), Legal and Compliance Teams, HR Professionals and all individuals responsible for maintaining and managing records within an organisation.