In September 2021, Austrian Post was hit with the country’s largest GDPR fine to date. The organisation received a €9 million fine for failing to facilitate data subject rights requests properly. Requests were only possible via a web form, post, or phone – email wasn’t supported. The Austrian data protection authority (DPA) ruled the mail carrier should have allowed people to submit requests via any medium they preferred.
Handling subject access requests (SARs) incorrectly can lead to considerable fines. Under the GDPR (and UK GDPR), individuals have the right to know what personal information organisations have about them and what they’re using it for. Mistakes are often made when organisations aren’t prepared, when they miss deadlines, or when they don’t recognise that the request falls under the GDPR at all.
In the fifth of our short training videos, the Privacy Guy highlights just why this right is so important. He asks you to imagine you got in with the wrong crowd when you were younger and got a conviction for criminal damage. It was over 20 years ago, but your friend has come across a database that lists your conviction and shows it to people, putting you in an awkward position. Or perhaps you do some online research on a job applicant at work and find out he was convicted for drug possession in his 20s while working as a DJ. After not getting the job, he files a SAR because he suspects the decision wasn’t fair.