Introduction
Individuals (or ‘data subjects’ as the Law defines them) are at the heart of data protection legislation.
The Data Protection (Bailiwick of Guernsey) Law, 2017 (‘the Law’) contains legal rights and responsibilities and specifically aims to strengthen individuals’ rights.
One of the most commonly used rights is the right of access (also sometimes referred to as a ‘subject access request’ (SAR), or ‘data subject access request’ (‘DSAR’). This is where individuals ask what personal data a controller holds about them and why.
In plain English, a DSAR is when an individual asks you:
- what do you
know about me?
- what do you
think about me?
- what do you
think you know about me?
- what are you
doing with it all this information?
GUIDANCE FOR CONTROLLERS:
If you have any information about identifiable individuals
read this guidance to understand how to handle DSARs to meet the Law’s requirements.
In addition to this guidance note, you may also like to
watch this Webinar: How to respond to ‘subject access requests’.
You can also
read a step by step guide to applying Section 16 of the Law to respond to an individual’s ‘data subject access request’ in the specific circumstances where the information the individual is requesting
includes information about other people.
GUIDANCE FOR INDIVIDUALS:
If you wish to make a DSAR please read this
guidance for individuals it contains more information specifically about DSARs, how to make one, what you should receive back, and what to do if you’re not happy with what you receive.
The information required to be provided to data subjects in response to the right of access under the Law Enforcement Ordinance differs to that required by the Law. When processing personal data for a Law Enforcement purpose under the
Law Enforcement Ordinance please consult section 13 of the
Ordinance.