The GDPR incorporates a set of core rights for data subjects, among which
is the ‘right of access’. Transparency is an important aspect of modern
data protection legislation and the right of access plays a vital role in
ensuring this transparency.
Individuals exercising the right of access have the right to find out what
personal data an organisation holds about them, what that organisation is
doing with the data, and why. They also have the right to obtain a copy of
that personal data.
This is achieved by what is known as a ‘data subject access request’.
This Data Subject Access Request Policy and Procedure is designed to guide
an organisation and its staff through the process of handling a subject
access request (“SAR”). It clearly sets out which stages apply to all staff
and which apply specifically to those authorised to handle SARs.
This document is designed to work alongside an existing Data Protection
Policy. It is intended for use as an internal policy, not a customer-facing
Alternatively, for explaining data subjects’ rights in more detail without
making your Privacy Notice too unwieldy, a Data Subject Rights Policy is
The policy begins by explaining how to spot a SAR – this is particularly
important because there is no standard format and a request can be made
orally or in writing. All staff should be on the lookout for requests from
individuals that may in fact be SARs. SARs should then be passed on to the
appropriate member of staff, for example, the Data Protection Officer (if
the business has one).
From there, the policy addresses each step of handling the SAR including
time limits (usually one month but extendable by a further two in limited
circumstances), fees (not usually permitted), the information that should
be provided to the individual making the request, refusing to respond, and
exemptions to the right.
A particularly important part of the policy is designed to assist in
locating information in response to a SAR. In some cases, particularly
for smaller businesses, this may be simple. In others, however,
particularly where an individual’s data may be spread across different
filing systems, the information added to this part of the policy will prove
useful in tracking it down to ensure a complete response. It is important,
therefore, to ensure that this part of the template is completed with as
much detail as is reasonably possible and within the time limit allowed.
Extensions, as noted above, are permissible, but only in limited circumstances rather than as a matter of routine.
Optional phrases / clauses are enclosed in square brackets. These should be
read carefully and selected so as to be compatible with one another. Unused
options should be removed from the document.
This Data Subject Access Request Policy & Procedure contains the
3. Data Protection Officer & Scope of Policy
4. How to Recognise a Data Subject Access Request
5. What to do When a SAR is Received
6. Responding to a SAR Part 1: Identifying Data Subjects
7. Responding to a SAR Part 2: Fees
8. Responding to a SAR Part 3: Time Limits
9. Responding to a SAR Part 4: Information to be Provided
10. Responding to a SAR Part 5: Locating Information
11. Refusing to respond to a SAR
12. Exemptions to the Right of Access
13. [Erasure or Disposal of Personal Data]
14. Failure to Comply with this Policy
15. Policy Review
16. Implementation of Policy
This template is in open format. Either enter the requisite details in the
highlighted fields or adjust the wording to suit your purposes.