Subject Access Request

Abigial Russell

Free Member
Aug 12, 2020
I was wondering if anyone on this forum could help me (here's hoping!)

If an IT company holds data on their servers for a client - can an SAR be submitted to the IT company even though the information they hold is 'technically' not their data?

The reason I ask is that if an SAR is submitted to a company by an individual, but the individual submitting the SAR suspects that data will be subsequently and selectively deleted, can that individual also approach the IT business that the company uses for off-site data backup to also provide the personal data held on them?

Thanks in advance for any advice you may be able to give.

Abigail
 

Alan

Free Member
    Aug 16, 2011
    The Data Controller is totally responsible for the Subject Access Request. As Data Processor you must take instructions from the Data Controller. (I'm assuming you are the IT company and hence Data Processor, rather than the person raising the SAR; if you are the person raising the SAR to the IT company, they would just reject it as not being the Data Controller.)

    If in doubt ask the ICO they are normally helpful.
     
    Upvote 0

    Abigial Russell

    Thank you so much for your reply. I'm asking on behalf of the person who submitted the SAR. They are concerned that data would be deleted by the controller and would like to mirror that with the info held by the IT company, who are more likely to be compliant with the request; that way they will have evidence that data deletion has taken place. When we spoke to the ICO they were a bit non-committal, which I suspect was due to the fact they didn't know the answer?
     
    Not surprised the ICO are non-committal on this, as it often comes down to the terms of processor contracts. We do receive SARs for our clients and we accept them and pass them on to the client, as we are seen as an extension of their business in the services we provide.

    Alan is correct that as the law stipulates, a "Processor" has no legal right to even acknowledge processing, unless under contract (like our example) and they have no right at all to further disclose that information to anyone, not even the data subject.

    It is awkward when you think the controller may delete the information; however, there are potentially things you can do to strengthen any arguments later down the line, remembering that it is a criminal offence to knowingly delete data so as not to have to provide it in a SAR.

    May I ask, what (broad category of) information do you believe is held that the controller may delete?

    Abigial Russell

    What if there is no contract in place between the two? The company in question has absolutely no GDPR procedures or policy in place.

    The incident refers to an ex-employee who worked for the business for 20 years and used their company email address for professional and personal use (long before GDPR reared its head). The business emails that may still be being sent to the company are of no relevance or concern to them, but the personal aspect is. It's virtually impossible to recall all the personal usage the email address is associated with, and therefore they cannot change personal details nor request a password reset, because the password reset is sent to an email address they no longer have access to.
    Is it reasonable for that person to have a right to know, after such a long length of time of being associated with that email address, who is still using it? I understand it's a contentious issue.

    fisicx

    Moderator
    Sep 12, 2006
    Aldershot
    www.aerin.co.uk
    That’s a whole different ballgame. Everything sent to and from a company email address belongs to the company. They can even reallocate the email address or have all messages forwarded to another member of staff. Your friend has no right of access to this account or anything in it.

    Abigial Russell

    Thanks for the reply. Just to clarify, they would not have a right of access even if those emails contain their personal data?
     
    Abigial, personally I think what fisicx has said is wrong and you are right, for the most part, but you must remember that the SAR request isn't for access to "any" data; it's for access to data for which the company determines the means and necessity of collection.

    Business emails would fall under that classification, so would indeed be covered in a SAR, however personal emails wouldn't, they are by definition personal and the company would have no obligation to respond to the SAR on that basis.

    Also, bear in mind that the Data Protection Act was in existence for 20 years prior to GDPR, so fundamentally the rights and controls were still in place then as they are now, it's just most people didn't know about them!

    My advice would be to look at this differently.
    • If you can't remember the accounts, it means you've not used something in sufficiently long to need it, so sign up again on another account you do have.
    • For those you can remember, contact the provider and tell them you don't have access to that email any more. This happens frequently when people change broadband etc, so they should have a backup means of getting you back into those accounts.
    There is also a significant possibility that if you have accounts that haven't been accessed since before the GDPR came into force, they may well have been deleted anyway as part of enforcing retention policies of those providers on inactive accounts.
