Subject Access Request Form (GDPR-Compliant)
Under the GDPR, data subjects have the right to access their personal data.
This is done by means of a data subject access request.
A subject access request does not have to follow a specific formula;
indeed, relevant staff within a business should be trained to recognise a
subject access request. Nevertheless, offering a standard form like this
one to (for example) your customers makes the process easier for them and
This Subject Access Request Form provides a brief outline of the data
subject’s right of access, including a simplified summary of the
information they are entitled to obtain from you. The second page of the
form requests information from the data subject that will enable you to
find their data and to better understand their request.
In simple terms, a data controller (i.e. you) has one month to respond to a
subject access request after receiving it, and this period can be extended
by up to two months where a request is complex or there are numerous
requests to handle.
In real terms, the information provided to you in the first instance may
not be enough (and in any event you may need more information to prove the
identity of the person making the request). The GDPR actually states that
you must “provide information on action taken on a
request...within one month…”. You must respond, therefore, but that does
not mean you need to provide a full response if you do not have all the
information you require.
Our various response letters cover a range of possible scenarios and
typically set a one-month period (or longer for complex requests) within
which the data subject can expect a further response.
Under the Data Protection Act 1998, data controllers could charge a fee for
handling subject access requests. Under the GDPR, this is not generally
permitted; however, in the case of “manifestly unfounded or excessive”
(e.g. repetitive) requests, a fee that reflects the true administrative
cost to the data controller can be charged.
In response to a subject access request, you are required to provide the
following information to a data subject:
- Confirmation that their personal data is being processed (or not, of
course, if you do not have any of their personal data);
- Access to that personal data (e.g. a copy of it) - note that if the
subject access request is made electronically, the data must also be
provided electronically unless the data subject requests otherwise;
- What you are using their personal data for;
- The categories of personal data in question;
- Details of any recipient(s) to whom their personal data has been or will
be transferred, particularly those in third countries (i.e. non-EEA) and
the safeguards in place for such third-country transfers;
- How long their personal data will be retained (or the criteria to
determine retention, if no fixed period);
- Details of the data subject’s rights to request the rectification or
erasure of their personal data, or to restrict or object to your processing
- Details of the data subject’s right to complain to a supervisory
authority (the ICO in the UK);
- If the personal data has not been collected from the data subject
themselves, details of third-party sources (where available);
- Details of any automated decision-making (including profiling) that takes
place using the personal data in question, the logic involved in that
decision-making, the significance, and the envisaged consequences.
Please note that, due to the wide range of potential data types and formats
used by different organisations, we do not offer a template for supplying
data subjects’ personal data.
The response letters, also available in this sub-folder, cater for the
- Acknowledgement of SAR receipt with options to request further
information and/or proof of identity;
- Acknowledgement of SAR or additional information (or proof of ID) receipt
with options to request a fee and/or stating an extended response time;
- Acknowledgement of SAR or additional information (or proof of ID),
standard response time;
- Acknowledgement of receipt of fee, standard or extended response time;
- Acknowledgement of SAR (or additional information) receipt, confirming
that no data is held.
This Subject Access Request Form is in open format. Either enter the
requisite details in the highlighted fields or adjust the wording to suit