- Data protection terms
- What personal data can I access?
- How do I make an access request under data protection law?
- How will the company or organisation deal with my request?
- Can my request be refused?
- After you receive your personal data
- Access to particular types of personal data
- Accessing records under Freedom of Information
- The right to be forgotten
- Further information and contacts
Data protection terms
You have a fundamental right of access to your personal data from data controllers under the General Data Protection Regulation (GDPR).
Personal data is information that relates to you, or can identify you, either by itself or together with other available information. Personal data can include your name, address, contact details, an identification number, IP address, CCTV footage, access cards, audio-visual or audio recordings of you, and location data.
Under data protection law, if an organisation or company is holding or using your personal data, you are known as a data subject.
The organisation or company holding or using that data is known as a data controller. However, the data controller can allow another person, organisation or company, known as a data processor, to process your personal data on its behalf.
Doing anything with your personal data, including storing it, is known as processing.
What personal data can I access?
You have the right to get a copy of any personal data which an organisationholds on you.
You also have the right to find out if your personal data is being processed.
If your personal data is being stored or used (processed), you have the right to know:
- The reason why it is being processed
- Where the personal data came from
- Who your personal data will be shared with
- How long your personal data will be kept
- The categories of personal data being processed
- How to exercise your data protection rights
The data processor should also tell you about your right to make a complaint to the Data Protection Commissioner.
Special Category Data
Some personal data is very sensitive and special rules apply to this information. These special categories include information that reveals any of the following:
- Your race or ethnic origin
- Your political opinions
- Your religious or philosophical beliefs
- Your trade union membership
- Your health
- Any biometric information (for example, your fingerprints) or genetic data
- Your sexual orientation or sex life
The processing of this information is only allowed where you have given your explicit consent or where the information is absolutely necessary to meet other legal requirements. For example, you may have to inform your employer of your nationality to show that you have the legal right to work in Ireland.
How do I make an access request under data protection law?
There is no set way to make an access request but the following general advice can help you to avoid delays or confusion.
Make your request in writing
Ask as soon as possible and in writing. This can either be by letter or email. Seeking your personal data is known as making an access request or a data subject access request. You should state in the letter or email that it is an access request. This means that both you and the data controller will have a record of the request and its content if an issue arises later. Some large companies allow you to automatically download your personal information directly through their website.
Contact the relevant data protection officer
Make your request as specific as possible in relation to the personal data that you wish to access unless you want to access all the personal data that is held about you. Remember to specify whether you want the information in electronic format (as computer files) or in hard copy (on paper).
Send proof of your identity
Provide some additional, identifying information about yourself if needed. You may need to provide more than just your name because the organisation may have records on other people with the same name as you. The organisation may ask you to provide further evidence of your identity.
There is generally no fee for making an access request.
The main exception to this is where your access request is considered ‘manifestly unfounded or excessive’. For example, if you continue to make the same access request even though it has already been dealt with. If a data controller can prove that your request is manifestly unfounded or excessive, they can charge a reasonable fee for the administrative costs of providing the information requested.
They may also charge a fee based on administrative costs if you ask for additional copies of the information.
How will the company or organisation deal with my request?
The data controller must respond to your request within one month.
If the request is complex or involves a large amount of information, the data controller can extend the time to respond by a further two months. You should receive a written explanation for any extension within the initial one-month period.
If your request is very broad and requires the data controller to provide a large amount of information and documents, you may be asked to reduce the number of documents containing personal data requested. However, you can insist on receiving all the information and documentation held. If you do, it may take longer to comply with your access request.
In general, the data controller should respond to your access request in the same format the request was made, or in the way in which you specifically asked for a response. For example, if you emailed your request, the data controller should provide the information by email, unless you request otherwise.
Can my request be refused?
A data controller can refuse access to some or all of your data where:
- Providing your personal data has an impact on the rights of others
- Your personal data is listed with the personal data of others (In these cases, the data controller may remove the personal data of others to provide you with your data)
- Your personal data is in a document that has trade secrets, confidential information or intellectual
- The request is considered ‘manifestly unfounded or excessive’ (for example, if you made a request in the recent past and were told that the data controller had no personal data relating to you)
By law, access to your personal data may also be refused in relation to processing carried out:
- For electoral purposes, such as publishing a roll of electors
- By the Electoral Commission
- In the administration of tax and duties
- To safeguard Cabinet confidentiality
- When defending legal claims
These exceptions are listed in Section 60 of the Data Protection Act 2018.
After you receive your personal data
When you receive your personal data after an access request, you have several other data protection rights.
If your personal data is inaccurate, you have the right to have the data corrected without delay.
If your personal data is incomplete, you have the right to have the data completed. This includes by providing supplementary information.
You can ask for your data to be deleted in some situations (see ‘The right to be forgotten’ below).
In some limited cases, you may be able to object to further processing of your personal data or its transfer to another processor.
What can I do if I am unhappy with the outcome of an access request?
If you are unhappy with the way your access request was processed, you can make a complaint to the Data Protection Commission (DPC).
The DPC is Ireland’s independent authority with responsibility for upholding the right of people in the EU to have their personal data protected. It monitors compliance with GDPR and other data protection legislation and deals with complaints in relation to data protection breaches. The DPC website contains helpful explanations of data protection law.
You may be unhappy with the way your request was handled because:
- There was no response or a delayed response to your access request
- The response to the request was incomplete
- You believe the data controller wrongly relied on exemptions to not share your personal data with you
How do I make a complaint?
Complete the DPC’s online complaint form. You will be asked to provide evidence to support your complaint. This includes:
- Evidence of your access request
- Correspondence between you (or your legal representative) and the data controller
- Information in support of your belief that the data controller holds your personal information
Access to particular types of personal data
This section covers the following particular types of personal data or records:
- Children’s personal data
- Medical records
- Garda records
- People who have died
Children’s personal data
Children have the same data protection rights as adults and can make access requests. However, they are given specific protection with regard to their personal data. This is because they may be less aware of the risks and consequences of sharing their personal data. Also, they may be less aware of the safeguards available and their rights in relation to how their personal information is processed.
Parents and guardians may also be able to make access requests or exercise any other data protection right on behalf of their children. If a request is made by a parent or guardian, the data controller must consider the nature and circumstances of the request, including the age, capacity and views of the child and the child’s best interests.
Medical records
Your medical records are your personal information and you are entitled to access them.
If you are a patient in a public or publicly-funded hospital, or have a medical card or GP visit card, you can seek access in the following ways:
- Make an access request under data protection law.
- Make an access request under the Freedom of Information Act.
- Write to the service provider or Health Service Executive and ask for your records.
You may have to provide information to help them locate your file, including your date of birth, current and previous addresses, the contacts you had with specific services and approximate dates.
Under data protection law, you can be refused access to your medical records if disclosure would give rise to serious harm to your physical or mental health. You can read more about access to medical records.
Garda records
You can ask An Garda Síochána for a copy of any personal data that it has about you. When you make an access request to the Gardaí, you are generally entitled to:
- Get a copy of the personal data being kept about you
- Be told why the data is being kept
- Be told the identity of anyone that the Gardaí has shared the data with
- Be told how the Gardaí obtained the data (unless this would be against public interest, for example, cause a risk of harm to someone else)
You can make a request for your personal data using the Garda Síochána subject access request form (pdf). Post the completed form to the address on the form or email it to DataProtection@Garda.ie.
The Gardaí can refuse your request for personal data and withhold that information in the following situations:
- Your request for data would identify someone else. This also applies to the Gardaí's obligation to give you details of the source of the information. If the source of the information identifies somebody else, the Gardaí can withhold it
- They have to refuse so as to prevent, detect or investigate crime, or to arrest or prosecute offenders
- There are existing or expected legal proceedings or claims
You can read more about accessing your Garda record.
People who have died
In Ireland, GDPR rules for the processing of personal data do not generally apply to those who have died. Access may be possible under Freedom of Information laws.
Accessing records under Freedom of Information
You can also access your personal information under freedom of information (FOI). This only applies to information held by public bodies (for example, government departments, local authorities and public hospitals).
Your rights under FOI are similar to your rights under GDPR. FOI allows you to access records containing your “personal information” and the data protection regime grants access to your “personal data”.
Access requests can be made under FOI and data protection at the same time, and you have similar rights in relation to the correction of any inaccurate personal information.
There is no time limit to access personal information in respect of both, and similar rules apply in relation to the organisation’s obligation to disclose. Making access requests for personal information is generally free under both.
In many cases, there won’t be a material difference between the two systems when making an access request in respect of your personal data from a public body. However, there are some important differences in some areas. You can use both systems at the same time or one after the other.
The right to be forgotten
You have the right to have your data erased, without undue delay, if one of the following grounds applies:
- Where your personal data is no longer necessary in relation to the purpose for which it was collected or processed.
- Where you withdraw your consent to the processing and there is no other lawful basis for processing the data.
- Where you object to the processing and there are no overriding legitimate grounds for continuing the processing.
- Where you object to the processing and your personal data is being processed for direct marketing purposes.
- Where your personal data has been unlawfully processed.
- Where your personal data has to be erased in order to comply with a legal obligation.
- Where your personal data has been collected in relation to the offer of ‘information society services’ (for example, social media) to a child.
Further information and contacts
There is further detailed information about the GDPR on dataprotection.ie.
Page edited: 17 February 2023
If you have a question about this topic you can contact the Citizens Information Phone Service on 0818 07 4000 (Monday to Friday, 9am to 8pm).
You can also contact your local Citizens Information Centre.
How do I collect personal data from GDPR?
Articles 13 & 14 — When collecting personal data
At the moment you collect personal data from a user, you need to communicate specific information to them. If you don't collect the information directly from the user, you are still required to provide them with similar information.
- Make your request in writing. Ask as soon as possible and in writing. ...
- Contact the relevant data protection officer. ...
- Be specific. ...
- Send proof of your identity. ...
The General Data Protection Regulation (GDPR), under Article 15, gives individuals the right to request a copy of any of their personal data which are being 'processed' (i.e. used in any way) by 'controllers' (i.e. those who decide how and why data are processed), as well as other relevant information (as detailed ...
What are the 4 key components of GDPR?
Fair and lawful processing; purpose limitation; data minimisation and data retention.
Can I access my personal data?
Individuals have the right to access and receive a copy of their personal data, and other supplementary information. This is commonly referred to as a subject access request or 'SAR'. Individuals can make SARs verbally or in writing, including via social media.
What is GDPR and how does it work?
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.
How do I request personal data?
You have the right to ask an organisation whether or not they are using or storing your personal information. You can also ask them for copies of your personal information, verbally or in writing. This is called the right of access and is commonly known as making a subject access request or SAR.
Who collects GDPR data?
The company/organisation must collect and process only the personal data that is necessary to fulfil that purpose ('data minimisation'); the company/organisation must ensure the personal data is accurate and up-to-date, having regard to the purposes for which it is processed, and correct it if not ('accuracy');
Who is allowed to access the data and information?
Those to whom the personal data belongs have a right to access their personal data, so you must give out the personal data you have about them if they ask for it. Additionally, others might also, unknowingly or not, ask you to give out personal data.
What are the 3 types of personal data?
Whether someone is directly identifiable; whether someone is indirectly identifiable; the meaning of 'relates to'; and when different organisations are using the same data for different purposes.
What is the main rule of GDPR?
Everyone responsible for using personal data has to follow strict rules called 'data protection principles'. They must make sure the information is: used fairly, lawfully and transparently; used for specified, explicit purposes.
What are the 7 principles of GDPR?
The principles are: Lawfulness, Fairness, and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitations; Integrity and Confidentiality; and Accountability.
What are the 3 primary conditions in GDPR?
5 GDPR Principles relating to processing of personal data. Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');
What is the right to access my personal information?
The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data, as well as other supplementary information. It helps individuals to understand how and why you are using their data, and check you are doing it lawfully.
Can I request emails about me under GDPR?
How do I make a subject access request? All you need to do is write to your employer asking for the personal information that they hold about you. Your employer should have a designated data protection officer. If you know who that person is then your letter or email should be sent directly to them.
What is accessing of data without permission?
What is Unauthorized Access? Unauthorized access refers to individuals gaining access to an organization's data, networks, endpoints, applications or devices, without permission. It is closely related to authentication – a process that verifies a user's identity when they access a system.
What is GDPR in a nutshell?
The GDPR is a European data protection law that gives individuals more control over their personal information in the most basic interpretation. It's forced companies to reframe how they think about data privacy, making “privacy by design” paramount.
What is not considered personal data under GDPR?
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
What is the GDPR for dummies guideline?
GDPR For Dummies sets out in simple steps how small business owners can comply with the complex General Data Protection Regulations (GDPR). These regulations apply to all businesses established in the EU and to businesses established outside of the EU insofar as they process personal data about people within the EU.
What is the time limit for GDPR?
What are the time limits? If you exercise any of your rights under data protection law, the organisation you're dealing with must respond as quickly as possible. This must be no later than one calendar month, starting from the day they receive the request.
Can I email personal data?
What kind of information should I not send via email? We all need to be mindful when sharing personal information, whether it is our own or that of others. You should not send personal data via unencrypted email. It is not a secure way to send any personal data and could expose you to data hacking.
Do I have to comply with GDPR in the US?
Due to its effectiveness and abilities, GDPR extends to manage data regardless of whether it's Europe, the US, or any part of the world. It is known as the 'extra-territorial effect'. The legislation is not restricted to European businesses and citizens, and it can be applied and used for businesses outside Europe.
How does the GDPR differ from the US?
U.S. state laws do not require controllers (or businesses) to establish a lawful basis for processing. However, one of the key obligations for controllers under the GDPR is to identify (and document) a lawful basis for every processing activity – which, in certain circumstances, may require opt-in consent.
Where is data stored under GDPR?
GDPR specifies that data must be stored within the EU or in a jurisdiction where a country outside the EU offers an adequate level of data protection.
Which is method of accessing data?
There are three basic types of access methods used to manipulate the permanent and temporary database objects -- Create, Scan, and Probe. Temporary objects are created by the optimizer in order to process a query.
What are the 3 types of access control?
- Discretionary access control (DAC) A discretionary access control system, on the other hand, puts a little more control back into leadership's hands. ...
- Rule-based access control. ...
- Identity-based access control.
- Sequential access uses a seek operation to move the different data on a disk until the requested data is found. ...
- Random access stores or retrieves data from anywhere on the disk.
Personal data may, for example, include information on name, address, e-mail address, personal identification number, registration number, photo, fingerprints, diagnostics, biological material, when it is possible to identify a person from the data or in combination with other data.
What is confidentiality in GDPR?
1. Confidentiality refers to all forms of information including personal information about people using services or employees or volunteers, information about the organisation, for example, its plans or finances and information about other organisations, whether the information is recorded or not.
What 3 things does an individual need to know when personal data is collected?
- The legitimate interests for the processing (if applicable).
- The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
- The recipients or categories of recipients of the personal data.
Where can I get a copy of the GDPR?
Welcome to gdpr-info.eu. Here you can find the official PDF of the Regulation (EU) 2016/679 (General Data Protection Regulation) in the current version of the OJ L 119, 04.05.2016; cor.
Who processes personal data in GDPR?
'processor' means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; 'recipient' means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.
Is there a US equivalent of GDPR?
What is the US equivalent of GDPR? The CCPA (California Consumer Privacy Act) is the US equivalent of GDPR. This comprehensive data privacy act gives Californian residents greater transparency and control over how businesses collect and use their personal information.
Is GDPR applicable in the US?
Due to its effectiveness and abilities, GDPR extends to manage data regardless of whether it's Europe, the US, or any part of the world. It is known as the 'extra-territorial effect'. The legislation is not restricted to European businesses and citizens, and it can be applied and used for businesses outside Europe.
Can GDPR data be stored in the US?
Data sovereignty and the GDPR
The GDPR requires that all data collected on citizens must be either stored in the EU, so it is subject to European privacy laws, or within a jurisdiction that has similar levels of protection.
Data protection principles apply to natural persons having legal capacity. The GDPR stipulates that data must be identified or identifiable to a living person to be considered personal. Therefore, it does not extend to entities such as foundations, corporations and institutions.
What are the 4 stages of data processing?
- Data collection.
- Data input.
- Data processing.
- Data output.