What is a Subject Access Request (SAR)
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, individuals (called data subjects) have the right to know what personal data an organisation holds about them, how it is used, and to whom it is disclosed.
A Subject Access Request (SAR) is the formal way for individuals to exercise this right. When someone submits a SAR, your organisation must provide a copy of their personal data along with certain information about its processing.
What the law says
UK GDPR Article 15 — Right of Access
Data subjects have the right to obtain from the controller:
- Confirmation that their personal data is being processed
- A copy of that personal data
- Information about:
  - The purposes of the processing
  - The categories of personal data concerned
  - The recipients or categories of recipient to whom the data has been or will be disclosed
  - How long the data will be stored (or how this is determined)
  - The individual’s rights (e.g. rectification, erasure, restriction, objection)
  - The right to lodge a complaint with the ICO
  - Where the data came from (if not collected directly from the individual)
  - Details of any automated decision-making, including profiling
How long do you have to respond?
- You must respond without undue delay, and at the latest within one month of receipt of the request.
- You can extend this period by up to two further months if the request is complex or you receive multiple requests, but you must tell the requester within one month if you need more time.
Can you charge a fee?
- In most cases, you cannot charge a fee for responding to a SAR.
- You may charge a reasonable fee if the request is clearly unfounded or excessive (especially if repetitive), or if the individual requests additional copies of their data.
What organisations must do
- Verify the identity of the requester (especially if you have doubts about who is making the request).
- Locate and securely compile all personal data that falls within the scope of the request.
- Provide the data in an accessible, commonly used format (e.g. electronic file or printed copy).
- Ensure you do not disclose personal data about other individuals unless you have their consent or it is reasonable to do so.
Example of a SAR
“Please provide me with a copy of all personal data that your company holds about me, as well as details of how this data is used and shared.”
Key points to remember
- SARs are a key part of GDPR compliance.
- Have clear procedures for handling SARs.
- Assign a Data Protection Officer (DPO) to whom SARs are escalated promptly.
Disclaimer
This article is for educational purposes and to give you a better understanding of GDPR law. It does not aim to provide specific legal advice. By using this site, you acknowledge that no solicitor-client relationship exists between you and AI6. We strongly recommend that you seek independent legal advice to address the specific needs of your business.