Under GDPR, subject-access requests will change for controllers

21st June 2017 News 49 Views

The GDPR will bring certain enhancements to the requirements for controllers in handling subject-access requests. Litigation, including the role of discovery/disclosure and legal professional privilege, can complicate the response to SARs. Legal professional privilege can be a valid reason for controllers to decline to provide certain personal data requested by an SAR, but LPP only applies to personal data in documents and communications relating to legal advice and litigation. In absence of LPP or other legal restrictions, such as national security, data subjects have a right to their personal data requested under an SAR, even if intending to use it in court against the defendant controller. Controllers should become familiar with all the restrictions allowed by their national laws in replying to an SAR and the GDPR’s new SAR requirements, Thomas Shaw, CIPP/E, CIPP/US, writes in this exclusive for The Privacy Advisor

View original article here

About author

Related articles