Care when dealing with Subject Access Requests...
On 15th May 2020 the Danish Data Protection Agency (Datatilsynet) announced by way of a press release that it had recommended a recruitment company for a police fine after the company deleted data after the date of receipt of a subject access request and before its reply.
In Denmark, the data protection supervisor does not have the power to fine data controllers. Instead, it reports an infringing controller to the police, who then consider whether there are grounds to bring a charge, and any financial penalty is determined by a court.
In this case the controller, JobTeam, a recruitment company, received a subject access request from a data subject and deleted some or all of the relevant data before responding. The data subject complained to the supervisor, who investigated and proposed a fine.
The supervisor said that the data controller had not met the basic requirements of the GDPR that personal data be processed lawfully, fairly and transparently.
This should stand as a warning to all data controllers in receipt of subject access requests. If the data subject believes that a response is erroneous, whether or not that belief is accurate, the supervisor can investigate, and if evidence is found of any breach of GDPR, including but not limited to errors in record keeping, a fine may follow.