Data Subject Access Request
What is a Subject Access Request?
Under the EU General Data Protection Regulation (GDPR), individuals can make requests to organizations to see any personal information which is held about them. This is called a “subject access request”.
The Data Protection Authorities give the following definition of personal information:
Personal data means data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Subject Access Request Types
- Right of Access – you shall have the right to obtain from ECU confirmation as to if personal data concerning him or her is being processed
- Right to Rectification – you shall have the right to obtain from ECU without undue delay the rectification of inaccurate personal data concerning him or her
- Right to Erasure – you shall have the right to obtain from ECU the erasure of personal data concerning him or her without undue delay and ECU shall have the obligation to erase personal data without undue delay
- Right to Restrict Processing – you shall have the right to request ECU restrict or suppress the processing of him or her personal data
- Right to Be Informed – you shall have the right to be informed about the collection and use of your personal data
- Right to Data Portability – you shall have the right to receive the personal data concerning him or her, which he or she has provided to ECU a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from ECU to which the personal data has been provided
- Right to Object – you shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her
How Do I Make a Subject Access Request?
To make a Subject Access Request, you are asked to complete a subject access request form, and submit it to:
Data Protection Officer (DPO)
East Carolina University
Information Technology and Computing Services
209 Cotanche Street
Greenville, NC 27835
In addition, you will be asked to provide copies of two forms of ID (passport, driving license, staff/student badge, etc.).
Data Protection Officer (DPO) is also available at (252) 328-9225 to answer questions about the University’s obligations under the EU General Data Protection Regulation (GDPR).
If you are making a request under article 12 of the EU General Data Protection Regulation (GDPR), we will consider your query urgent and waive the associated fees. Please inform us that you are invoking this section at the time you submit your request.
How can I get the most out of my subject access request?
When submitting a Subject Access Request, you are advised to make your request for information as specific as possible to include, details of dates, type of information (e.g. memos, letters, reports, emails etc.), department and the names of authors and recipients, where appropriate. If you know which departments in the University hold information on you, please state this on your request. If you are requesting correspondence, it will help greatly if you can let us know who the correspondence will be from and during which time period.
Under the Data Protection Act 1998, if the request is not clear, the University reserves the right to seek additional information from the data subject before processing the request. The statutory period for requests to be fulfilled is 30 calendar days, but you will be advised of the reasons why it may be necessary to extend this period, e.g. if the original request is not clear and further clarification is required.
What are the timeframes for my subject access request?
Subject access requests will be handled within 30 calendar days of receipt of your request and payment. Requests under article 12 will be handled urgently and dealt with as soon as possible.
How will I receive my information?
We will normally provide you with a hard copy of the information you have requested. Once we have prepared a file for you, we will ask if you would prefer us to send this to you via U.S. mail, or if you would like to collect it from our office. We prefer if you can collect information from our offices as this is more secure and minimizes the risk that information may be lost or delayed.
What should I do if I am unhappy with the response I receive?
If you have concerns about the response you have received, or are unhappy with the response, you should contact the Data Protection Officer, via email@example.com. If you have reason to believe that there are specific documents missing from your disclosure, it will help us investigate if you can list them or provide us with more information about the location of those documents.
Please note that some historic data may no longer be held due to our normal data retention policies. We will have only searched for information held in structured file systems – if the information required is found in an unstructured or partly structured system you will need to give us additional information in order that we can carry out a thorough search.
If you are submitting a subject access request relating to an ongoing appeals process, or another kind of ongoing review, some of this data may be considered exempt from disclosure under the EU General Data Protection Regulation (GDPR). If this is data that you have directly requested, we will ordinarily inform you that we have considered that document exempt from disclosure. We will normally be able to disclose these documents once the appeals process is over.
If you are still unhappy with the response you have received, you may go through the university complaints procedure.
REMINDER: This request only applies to data captured or processed while a subject is physically in the EEA.