Data Subject Access Request Form (Ghana)
Data Subject Access Request Form
DATA PROTECTION ACT 2012 (ACT 843) — SECTION 10
Data Subject Access Request
To: [Controller Name], [Controller Address]
Attention: [DPO Name] (Data Protection Officer)
Date: [Request Date]
1. Data Subject Details
Full legal name: [Subject Name]
Ghana Card number (NIA): [Subject Ghana Card]
Date of birth: [Subject DOB]
Residential address: [Subject Address]
Email: [Subject Email] | Telephone: [Subject Phone]
Account / reference number: [Subject Account Ref]
2. Data Access Request
I, [Subject Name], hereby exercise my right of access under Section 10 of the Data Protection Act 2012 (Act 843) and request that [Controller Name] provide me with:
Confirmation of whether personal data concerning me is being processed by [Controller Name].
Access to my personal data: [Data Description]
Information about the purposes for which my personal data is processed, the categories of data concerned, and the recipients or categories of recipients to whom my data has been or will be disclosed.
Additional rights being exercised: [Additional Rights]
Reason for request: [Request Purpose]
3. Third Party Authorisation
This request is made on behalf of another person: [Third Party Requestor]
4. Response Requested
I request that [Controller Name] respond to this request within 30 days of receipt, in accordance with the Data Protection Commission's (DPC) guidance under the Data Protection Act 2012 (Act 843). If you are unable to comply within 30 days, please notify me of the expected response date.
If you refuse this request, please provide the reasons for refusal in writing and inform me of my right to lodge a complaint with the Data Protection Commission (DPC).
Signature
Signed by the data subject on [Request Date].
Data Subject
________________
Signature
What Is a Data Subject Access Request Form (Ghana)?
A Data Subject Access Request Form in Ghana puts a formal request before the recipient and sets out the grounds supporting it.
The Data Protection Act 2012 (Act 843) establishes the Data Protection Commission (DPC) as the supervisory authority in Ghana. The DPC is responsible for registering data controllers under Section 17, enforcing compliance with Act 843, and adjudicating complaints from data subjects who have been denied access to their personal data or whose rights under Act 843 have otherwise been infringed. A data subject who is denied access to their personal data may lodge a complaint with the DPC, which has the power to investigate and issue enforcement notices.
Personal data under Act 843 includes any information relating to an identified or identifiable natural person, including names, Ghana Card numbers issued by the National Identification Authority (NIA) under Act 707, SSNIT numbers, financial records, health records, employment records, communications data, and biometric data. Data controllers subject to Act 843 include all organisations that process personal data in Ghana — from banks licensed by the Bank of Ghana (BoG) and telecommunications operators licensed by the National Communications Authority (NCA), to employers, healthcare providers, e-commerce companies, and government agencies.
Section 10 of Act 843 requires the data controller to respond to a data subject access request within a reasonable time — the DPC's guidance indicates this should be within 30 days of receipt of the request. Where the data controller cannot comply within 30 days, the controller must notify the data subject of the expected response date. The data controller may charge a reasonable fee for responding to access requests, but excessive fees that deter data subjects from exercising their rights are inconsistent with Act 843.
A Data Subject Access Request Form in Ghana is distinct from a Data Correction Request, which a data subject uses to require a data controller to correct inaccurate personal data under Section 11 of Act 843, and from a Data Erasure Request, which requests deletion of personal data where retention is no longer justified. All three rights are available to data subjects under Act 843 and can be exercised using separate forms or combined in a single request.
The legal framework governing the Data Subject Access Request Form (Ghana) in Ghana draws on several key statutes and regulatory bodies. Under the Companies Act 2019 (Act 992), the Registrar General's Department (RGD) maintains the register of Ghanaian companies. Section 7 of the Companies Act 2019 governs company incorporation. The Ghana Revenue Authority (GRA) administers corporate tax under the Income Tax Act 2015 (Act 896). The Commercial Division of the High Court in Accra adjudicates business disputes. The Ghana Investment Promotion Centre (GIPC) regulates foreign investment under the GIPC Act 2013 (Act 865). Parties executing a Data Subject Access Request Form (Ghana) in Ghana should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Data Protection Act 2012 (Act 843) sets the foundational requirements.
When Do You Need a Data Subject Access Request Form (Ghana)?
A Data Subject Access Request Form in Ghana is required or useful in the following circumstances.
A Data Subject Access Request Form is needed when an individual in Ghana wishes to find out what personal data a bank licensed by the Bank of Ghana (BoG), an insurance company regulated by the National Insurance Commission (NIC), or another financial institution holds about them — for example, to check for inaccurate credit information or unauthorised transactions recorded in their name.
A Data Subject Access Request Form is required when a current or former employee wishes to access their employment records held by their employer, including performance reviews, disciplinary records, salary history, and SSNIT contribution records, in advance of a dispute before the National Labour Commission (NLC) or the High Court (Labour Division).
A Data Subject Access Request Form is needed when an individual suspects that a data controller has processed their personal data unlawfully — for example, sold their contact details to third parties without consent — and the individual wishes to obtain evidence of the processing before lodging a complaint with the Data Protection Commission (DPC).
A Data Subject Access Request Form is required when a patient at a Ghanaian healthcare facility wishes to obtain access to their medical records held in an electronic health information system, in accordance with both Act 843 s.10 and applicable Health Facilities Regulatory Agency (HeRAF) standards.
A Data Subject Access Request Form is needed when a data subject wishes to verify what personal data a telecommunications operator licensed by the National Communications Authority (NCA) has collected about their account, usage patterns, and location data, particularly following a suspected data breach.
A Data Subject Access Request Form is required when a data subject is exercising their rights before lodging a complaint with the DPC under Act 843, as the DPC may require evidence that the data subject first attempted to exercise their access rights directly with the data controller. Completing a Data Subject Access Request Form creates a formal record of the request and the date of submission.
Parties in Ghana should prepare a Data Subject Access Request Form (Ghana) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under the Companies Act 2019 (Act 992), the Registrar General's Department (RGD) maintains the register of Ghanaian companies. Section 7 of the Companies Act 2019 governs company incorporation. The Ghana Revenue Authority (GRA) administers corporate tax under the Income Tax Act 2015 (Act 896). The Commercial Division of the High Court in Accra adjudicates business disputes. The Ghana Investment Promotion Centre (GIPC) regulates foreign investment under the GIPC Act 2013 (Act 865). Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your Data Subject Access Request Form (Ghana)
A complete Data Subject Access Request Form in Ghana under the Data Protection Act 2012 (Act 843) s.10 must contain the following essential elements.
Data Subject Identity: Full legal name of the requesting individual; Ghana Card number issued by the National Identification Authority (NIA) under Act 707, or another form of government-issued identification; residential address or email address for delivery of the response; date of birth (to assist the data controller in locating the correct records); and any other identifier by which the data subject is known to the data controller — such as a customer account number, employee ID number, or patient reference number.
Identification of Data Controller: The full name and DPC registration number of the data controller to whom the request is addressed; the registered address or contact details of the data controller; and the name of the Data Protection Officer (DPO) or designated contact if known.
Description of Data Sought: A clear description of the specific personal data or categories of personal data to which access is sought — for example, all customer account records, all employment records, all health records, or all marketing data held by the data controller about the data subject. Where the request is broad, the data controller may ask the data subject to clarify before responding, but cannot refuse to respond on the grounds of breadth alone.
Purpose of Request: A brief statement of why the data subject is making the request — for example, to verify the accuracy of records held, to prepare for litigation, or to investigate a suspected breach. This is helpful but not required under Act 843 s.10.
Date and Signature: The date of the request and the data subject's signature (or electronic signature under the Electronic Transactions Act 2008 (Act 772)), confirming the accuracy of the identity information provided.
Proof of Identity: A copy of the data subject's Ghana Card or other government-issued identity document, to enable the data controller to verify the identity of the requestor and protect against fraudulent access requests.
Additional elements include: reference to Section 10 of the Data Protection Act 2012 (Act 843) as the legal basis for the request; a request for information on the source of the personal data if not collected directly from the data subject; and a request for details of any automated decision-making processes applied to the data subject's data. Forms-legal.com provides this template as a starting point for exercising data subject rights in Ghana.
Additional compliance elements for a Data Subject Access Request Form (Ghana) used in Ghana include: Under the Companies Act 2019 (Act 992), the Registrar General's Department (RGD) maintains the register of Ghanaian companies. Section 7 of the Companies Act 2019 governs company incorporation. The Ghana Revenue Authority (GRA) administers corporate tax under the Income Tax Act 2015 (Act 896). The Commercial Division of the High Court in Accra adjudicates business disputes. The Ghana Investment Promotion Centre (GIPC) regulates foreign investment under the GIPC Act 2013 (Act 865). Forms-legal.com provides this template as a starting point for Ghana-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). Data Subject Access Request Form (Ghana) (Ghana) [Legal document template]. Forms Legal. https://forms-legal.com/ghana/business/policies/data-subject-access-request-ghana
"Data Subject Access Request Form (Ghana) (Ghana)." Forms Legal, 2026, https://forms-legal.com/ghana/business/policies/data-subject-access-request-ghana.
@misc{formslegal-data-subject-access-request-ghana,
author = {{Forms Legal}},
title = {Data Subject Access Request Form (Ghana) (Ghana)},
year = {2026},
howpublished = {\url{https://forms-legal.com/ghana/business/policies/data-subject-access-request-ghana}},
note = {Free legal document template}
}Frequently Asked Questions
Section 10 of the Data Protection Act 2012 (Act 843) gives every data subject in Ghana the right to request from any data controller: confirmation of whether or not personal data concerning them is being processed; access to that personal data; and information about the purposes for which the data is processed, the categories of data concerned, and the recipients or categories of recipients to whom the data has been or will be disclosed. The right of access enables data subjects to verify the lawfulness of processing and to check the accuracy of the data held about them. The data controller must respond within a reasonable time — generally understood to be 30 days from receipt of the request. The data controller may charge a reasonable fee, but excessive fees are not permitted. A data controller that refuses or fails to respond to a valid access request may be the subject of a complaint to the Data Protection Commission (DPC), which has enforcement powers under Act 843.
The Data Protection Act 2012 (Act 843) requires a data controller in Ghana to respond to a data subject access request within a reasonable time. The Data Protection Commission (DPC) has indicated in its guidance that 30 days from receipt of the request is the expected standard response period, consistent with international best practice. Where the request is complex or where the data controller receives a high volume of requests, the response period may be extended, but the data controller must notify the data subject of the extension and the reasons for it within the initial 30-day period. The data controller must respond in writing — whether by letter, email, or through a secure online portal — and must provide the requested personal data in an intelligible form. Failure to respond within a reasonable time without justification is grounds for a complaint to the DPC and may result in an enforcement notice requiring the data controller to comply.
A data controller in Ghana may decline to comply with a data subject access request under the Data Protection Act 2012 (Act 843) only in limited circumstances, including: where the request is manifestly unfounded or excessive — for example, where a data subject makes repeated identical requests with no legitimate purpose; where complying with the request would disclose information about a third party who has not consented to disclosure and the third party's privacy interests outweigh the data subject's right of access; where the information is subject to legal professional privilege; or where disclosure is restricted by another law — for example, information that is part of a criminal investigation by the Ghana Police Service. The data controller must notify the data subject in writing of the refusal, the reasons for it, and the data subject's right to lodge a complaint with the Data Protection Commission (DPC). The DPC will investigate complaints and may require the data controller to comply if it finds the refusal unjustified.
Under the Data Protection Act 2012 (Act 843), a data controller in Ghana may charge a reasonable fee for responding to a data subject access request. The fee must reflect the actual administrative cost of locating, retrieving, and supplying the personal data requested. The DPC discourages excessive fees that would effectively deter data subjects from exercising their rights under Act 843. Where a request is clearly excessive or repetitive, a higher fee may be justified, but the data controller must be able to demonstrate the reasonableness of the fee if challenged before the DPC. In practice, many Ghanaian data controllers — particularly banks licensed by the Bank of Ghana (BoG) and major telecommunications operators — provide access to basic account and subscriber data at no charge through their online customer portals or branches, reserving fees for complex or voluminous requests requiring significant manual processing.
If a data controller in Ghana refuses or fails to respond to a Data Subject Access Request within a reasonable time, the data subject has two main remedies under the Data Protection Act 2012 (Act 843). First, the data subject may lodge a complaint with the Data Protection Commission (DPC). The DPC has the power to investigate the complaint, issue enforcement notices requiring the data controller to comply, and impose penalties for non-compliance. The DPC complaint process is initiated by submitting a written complaint to the DPC at its offices in Accra, setting out the details of the request made, the data controller's response or failure to respond, and the relief sought. Second, the data subject may bring a civil claim for damages before the High Court where they have suffered loss as a result of the data controller's failure to comply with Act 843. The Data Subject Access Request Form (Ghana) serves as important evidence in both DPC complaints and court proceedings, documenting the date and contents of the original request.
Under the Data Protection Act 2012 (Act 843), a Data Subject Access Request in Ghana must ordinarily be made by the data subject themselves, since the right of access is a personal right vested in the individual whose personal data is being processed. However, a third party may make a request on behalf of a data subject in the following circumstances: a parent or legal guardian making a request on behalf of a minor child; a person holding a valid power of attorney granted by the data subject under the Powers of Attorney Act 1998 (Act 549), authorising them to exercise the data subject's rights; a legal representative such as a solicitor enrolled with the Ghana Bar Association acting under the data subject's written instructions; or an appointed representative acting on behalf of a data subject who lacks mental capacity. In all cases, the data controller may require proof of the authorisation or power of attorney before releasing personal data to the third-party requestor, to protect against unauthorised access.
In addition to the right of access under Section 10, the Data Protection Act 2012 (Act 843) grants data subjects in Ghana several other rights. Section 11 gives data subjects the right to require a data controller to correct personal data that is inaccurate, incomplete, or out of date. Data subjects also have the right to object to processing in certain circumstances — particularly where processing is based on the legitimate interests of the data controller or is carried out for direct marketing purposes. Data subjects have the right to withdraw consent at any time where processing is based on consent under Section 22 of Act 843. Where processing is carried out by automated means, data subjects may have the right not to be subject to a decision based solely on automated processing that significantly affects them. All these rights can be exercised by completing and submitting the appropriate request form to the data controller's DPO or designated data protection contact. The Data Protection Commission (DPC) can be approached if a data controller fails to honour any of these rights.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
Data Protection Compliance Form (Ghana)
A Data Protection Compliance Form for Ghana under the Data Protection Act 2012 (Act 843) s.22, used by data controllers to document their compliance with data protection principles and registration obligations.
Data Breach Notification Form (Ghana)
A Data Breach Notification Form for Ghana under the Data Protection Act 2012 (Act 843) s.30, used to notify the Data Protection Commission and affected data subjects of a personal data breach.