The EU’s General Data Protection Regulation (“GDPR”) contains the much-publicised right of subject access, which gives an individual the right to access a copy of all the personal data a controller holds in relation to him or her.
Under the GDPR, anything that can identify a living individual is personal data. Obvious examples include names, dates of birth, and addresses. Less obvious examples include photographs, identification numbers, or statements of opinion or fact about a person.
The GDPR also has extra-territorial scope, which means that it applies to organisations and businesses outside the borders of the EU if they meet certain criteria. Organisations based outside the EU could therefore find themselves on the receiving end of a subject access request (“SAR”) from an employee, customer or any other individual whose data they process.