Skip to main content

GDPR & Data Access Rights

Your Right to a Subject Access Request (Article 15)

Under GDPR Article 15, you have the right to obtain a copy of all personal data a company holds about you. This is called a Subject Access Request (SAR). It is one of the most powerful tools available to you.

A SAR can reveal internal notes, write-off dates, board decisions, CCR submission records, and communications about your account that the company would never voluntarily share.

How to Send a Valid SAR

An email is enough.You do NOT need to fill in any internal form the company provides. The GDPR is clear: a request can be made “by any means” (Article 12). If a company tells you that you must use their specific form, they are wrong.

What to Include

  • Your full name
  • Your address
  • Date of birth
  • Account number (if applicable)
  • Statement that this is a Subject Access Request under Article 15 GDPR

The 30-Day Clock

The company has 30 calendar days from receipt of your SAR to respond. This clock starts when they receive your email — not when they process their internal form, not when they assign a case handler, and not when they acknowledge your request.

If they miss the 30-day deadline, they are in breach of GDPR. This is something you can report to the Data Protection Commission (DPC).

Identity Verification (Article 12(6))

A company can ask you to verify your identity if they have “reasonable doubts” about who you are. However, many companies use excessive ID requests as a delay tactic.

If you have an existing account with the company and you're emailing from a registered email address, they should have no reasonable doubts about your identity. Demanding a certified copy of your passport to respond to an email from a known customer is obstruction, not verification.

Watch Out

The 30-day clock does NOT pause while they “process” your ID. If they ask for ID on day 5 and you provide it on day 7, they still have until day 30 from the original request — not day 30 from when they verified your identity.

What to Look For in SAR Responses

When you receive your SAR data, look carefully for:

  • Internal notes: Comments from staff about your account, especially around dates of write-offs or complaint handling
  • Write-off dates: When was the debt actually written off internally? This may contradict what they reported to the CCR
  • Board decisions: Write-offs above certain amounts require board approval — the date of this decision is crucial
  • CCR submission data: What exactly did they report to the Central Credit Register, and when?
  • Contradictions: Discrepancies between what they told you and what their internal records show

Right to Rectification (Article 16)

If any data the company holds about you is inaccurate, you have the right to have it corrected. This applies to CCR data, account records, and any other personal data.

Right to Erasure (Article 17)

In certain circumstances, you can request that your personal data be deleted. This right applies when the data is no longer necessary for the purpose it was collected, or when data retention periods have expired.

Right to Compensation (Article 82)

If you have suffered damage as a result of a GDPR breach, you have the right to compensation. This can include material damage (financial loss) and non-material damage (distress, anxiety, inconvenience).

Article 82 claims are pursued separately from DPC complaints. Typically, you would wait for a DPC finding confirming the breach, then pursue compensation through the courts.

Filing a DPC Complaint

If a company breaches your GDPR rights, you can file a complaint with the Data Protection Commission at forms.dataprotection.ie.

You can file a DPC complaint at the same time as an FSPO complaint. They cover different issues — the FSPO deals with financial service complaints, while the DPC deals with data protection breaches. Running both simultaneously is perfectly valid and often strengthens your overall position.

Common Delay Tactics

Companies frequently try to delay SAR responses. Here are the most common tactics:

  • “Please fill in our internal form” — You don't have to. An email is valid.
  • “We need certified copies of your ID” — Disproportionate for an existing customer emailing from a known address.
  • “We need more time” — The GDPR allows an extension of up to two additional months only for “complex or numerous” requests. They must justify this within the first 30 days.
  • Simply not responding — If the 30 days pass with no response, file a DPC complaint immediately.
Disclaimer: This website provides general information based on personal experience navigating Irish financial complaint systems. It is not legal advice. Every case is different. If you need legal advice, consult a solicitor.