We've just received advice from the ICO on this:
As a colleague confirmed on the helpline, we would not consider that a data controller<https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/controllers-and-processors/> has 'received' a subject access request (SAR) made via an online platform in cases where they have to 'sign up' and/or pay a fee in order to even view the request. Therefore the controller's Article 15 obligations<https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/> wouldn't be triggered.
Even if the controller did choose to accept a SAR from a portal, unless or until a controller can verify the identity of the data subject making the request it will not be subject to the Article 15 obligations. The portal would be responsible for providing evidence that it has authority to act on behalf of the data subject. Therefore the controller wouldn't need to comply with the third party request until it is satisfied that the third party is acting on the behalf, and with the authority of, the data subject.
As you also state, it is likely that these platforms would become data controllers for any personal data they process in connection with the completion of any SARs, so they would need to be compliant with data protection law. If a data controller wasn't satisfied that the portal would process personal data in compliance with the legislation then it could choose not to share personal data in order to ensure its own compliance.
Regards
Lindsay Foody
Information Access & Security Officer
Information Governance Team
The Democracy Service
Civic Centre 3, Market Street, Huddersfield, HD1 2TG
Telephone: 01484 221000 (voice activated switchboard - please ask for Information Governance)
For more information about how we deal with your personal data, please see the Kirklees Council privacy notice<https://www.kirklees.gov.uk/beta/information-and-data/how-we-use-your-data.aspx>
<http://www.kirklees.gov.uk>
[http://www.kirklees.gov.uk/beta/assets/global/img/logo_kirkleesCouncil_x2.png]
Website<https://www.kirklees.gov.uk> | News<http://www.kirkleestogether.co.uk> | Email Updates<http://www.kirklees.gov.uk/stayconnected> | Facebook<https://www.facebook.com/liveinkirklees> | Twitter <https://twitter.com/KirkleesCouncil>
This email and any attachments are confidential. If you have received this email in error - please notify the sender immediately, delete it from your system, and do not use, copy or disclose the information in any way. Kirklees Council monitors all emails sent or received.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
