Data Subject Access Requests

Introduction
Individuals (or ‘data subjects’ as the Law defines them) are at the heart of data protection legislation.

The Data Protection (Bailiwick of Guernsey) Law, 2017 (‘the Law’) contains legal rights and responsibilities and specifically aims to strengthen individuals’ rights.

One of the most commonly used rights is the right of access (also sometimes referred to as a ‘subject access request’ (SAR), or ‘data subject access request’ (‘DSAR’). This is where individuals ask what personal data a controller holds about them and why. 

In plain English, a DSAR is when an individual asks you:
- what do you know about me?
- what do you think about me?
- what do you think you know about me?
- what are you doing with it all this information?
 

GUIDANCE FOR CONTROLLERS: 

If you have any information about identifiable individuals read this guidance to understand how to handle DSARs to meet the Law’s requirements.
In addition to this guidance note, you may also like to watch this Webinar: How to respond to ‘subject access requests’. 
You can also read a step by step guide to applying Section 16 of the Law to respond to an individual’s ‘data subject access request’ in the specific circumstances where the information the individual is requesting includes information about other people.

GUIDANCE FOR INDIVIDUALS: 

If you wish to make a DSAR please read this guidance for individuals it contains more information specifically about DSARs, how to make one, what you should receive back, and what to do if you’re not happy with what you receive.

The information required to be provided to data subjects in response to the right of access under the Law Enforcement Ordinance differs to that required by the Law. When processing personal data for a Law Enforcement purpose under the Law Enforcement Ordinance please consult section 13 of the Ordinance.