This can be a complex area and depends on the policy of the data controllers in question and any preferences that the individual(s) involved may have expressed. However, from a data protection perspective, any entity/data controller/service provider with a policy of transacting business with the named account holder only is perfectly entitled to adopt that approach.

The right of access under Article 15 of the General Data Protection Regulation (GDPR) applies to a person's own personal data. Therefore, access requests tend to be made by the individual themselves in relation to their own personal data.  It would however be reasonable to comply with an access request submitted on a person's behalf by their own solicitor.

The one-month time frame has elapsed and I have not got my data; what can I do?

If, following the expiry of the one-month time limit, you have not received a response at all from the data controller regarding your subject access request it is open to you to submit a reminder to the data controller. At the same time, you can also submit a formal complaint to the Data Protection Commission (DPC).

I am not happy with the responses of the data controller, what can I do?

Yes. Article 23 of the General Data Protection Regulation (GDPR) and various provisions under the Data Protection Act 2018 (such as section 60) set out a number of circumstances in which your right to obtain a copy of your personal data can be lawfully restricted  by a data controller. This is necessary in order to strike a balance between the rights of the individual, on the one hand, and some important needs of civil society, on the other hand.

Data controllers must respond to such requests within one month of receipt of the request, although this one-month time frame can be extended by up to two further months if, for example, the request is complex (Article 12(3) of the General Data Protection Regulation (GDPR)).

Financial institutions are legally obliged under Anti-Money Laundering (AML) legislation to carry out Politically Exposed Persons (PEP) screening where there is a 'reasonable risk' of money laundering and terrorist financing.

Where personal data stored on a credit/debit card is collected for the purpose of a transaction, unless it is clearly stated, it can be assumed that the purpose for its collection ends following completion of the payment for a product or service (which may also allow a reasonable period of time for follow-up payment related queries) and must be then securely deleted.

The Article 5(1) (e) General Data Protection Regulation (GDPR) principle of “storage limitation” requires that personal data… is kept in a form that allows identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.  If the purpose for which the information was obtained has ceased and the personal data is no longer required, the data must be deleted or disposed of securely.

As part of their claims processing procedures, health insurance companies may request medical information directly from a patient’s medical practitioner or service provider (hospital) so that medical costs and services can be paid. This is normally done with the consent of the patient who completes the relevant claim form with their Insurer.

When a person is seeking a quotation for an insurance policy, it is part of the contractual process whereby the initial stages are known as “an invitation to treat”. This means that the customer provides relevant information to the insurance company for assessment; based on the information supplied, the insurance company then makes an offer of insurance with the relevant cost of same to the consumer, who in turn either accepts or rejects such offer.