Friday is here again, and we are back with another edition of Privacy Notes.
On today’s edition of Privacy note, we would be talking about ‘’Data Subject Access Request”
Did you know that a data subject has a right to access and get a copy of his personal data and other supplementary information from an organization processing his/her personal data? Well, now you know. A data subject can exercise his right to access through a regulated designative process known as the DSAR-Data Subject Access Request.
The essence is basically to bring to fore why and how data belonging to the Data subject are used and to also enable the Data Subject check to see if the processing is lawful. Where the Personal Data is being processed by the Data Controller or Data Administrator, the Data Subject may exercise some of his other rights which include but not limited to the following:
- Right to obtain a copy of the Personal Data.
- Right to verify the lawfulness or otherwise of the processing activity.
- Right to, where the lawful basis for the processing is wholly based on consent, withdraw the consent.
- Right to restrict the Data Controller or Data Administrator from carrying out any further activity on the Personal Data.
- Right to request the Data Controller or Data Administrator to rectify any error on the Personal Data.
- Right to request the Data Controller to delete Personal Data.
The Right of a Data Subject to access his Personal Data is what gave life to the above rights, hence, for a Data Subject to be able to exercise such rights, he first needs to get access to enable him, erase, rectify, object or delete as the circumstances may require. Such request of access can be made orally or in writing provided the intention is clear to the Data Controller or Administrator.
Upon a Data Subject making an access request, the Data Controller is mandated to provide the Personal Data to the Data Subject within one month of the receipt of the DSAR in a concise, structured and transparent format, using clear and plain language, same can be provided in writing or by any other means including electronically, it can also be given orally upon request by the Data subject.
Similarly, Data Controllers are expected to provide such information upon satisfying itself of the identity of the Data Subject. For instance, A student of an institution can request that his information be provided to him by simply making the request and attaching his school ID card and Matriculation number, this will enable the Institution to verify his identity and then provide his personal data to him.
As we conclude today’s edition of privacy notes, it is important to add that such request of access to a Data Subject’s Personal Data must not be repetitive, vexatious or excessive, as that would attract a fee.
I hope you learnt something new today? until we see you again, have a lovely weekend.