GDPR Subject Access Request Template

Subject Access Request Form (GDPR-Ready)

BS.DAT.SAR.01

Under the GDPR, data subjects have the right to access their personal data. This is done by means of a data subject access request.

A subject access request does not have to follow a specific formula; indeed, relevant staff within a business should be trained to recognise a subject access request. Nevertheless, offering a standard form like this one to (for example) your customers makes the process easier for them and for you.

This Subject Access Request Form provides a brief outline of the data subject’s right of access, including a simplified summary of the information they are entitled to obtain from you. The second page of the form requests information from the data subject that will enable you to find their data and to better understand their request.

In simple terms, a data controller (i.e. you) has one month to respond to a subject access request after receiving it, and this period can be extended by up to two months where a request is complex or there are numerous requests to handle.

In real terms, the information provided to you in the first instance may not be enough (and in any event you may need more information to prove the identity of the person making the request). The GDPR actually states that you must “provide information on action taken on a request...within one month…”. You must respond, therefore, but that does not mean you need to provide a full response if you do not have all the information you require.

Our various response letters cover a range of possible scenarios and typically set a one-month period (or longer for complex requests) within which the data subject can expect a further response.

Under the Data Protection Act 1998, data controllers could charge a fee for handling subject access requests. Under the GDPR, this is not generally permitted; however, in the case of “manifestly unfounded or excessive” (e.g. repetitive) requests, a fee that reflects the true administrative cost to the data controller can be charged.

In response to a subject access request, you are required to provide the following information to a data subject:

  • Confirmation that their personal data is being processed (or not, of course, if you do not have any of their personal data);
  • Access to that personal data (e.g. a copy of it) - note that if the subject access request is made electronically, the data must also be provided electronically unless the data subject requests otherwise;
  • What you are using their personal data for;
  • The categories of personal data in question;
  • Details of any recipient(s) to whom their personal data has been or will be transferred, particularly those in third countries (i.e. non-EEA) and the safeguards in place for such third-country transfers;
  • How long their personal data will be retained (or the criteria to determine retention, if no fixed period);
  • Details of the data subject’s rights to request the rectification or erasure of their personal data, or to restrict or object to your processing of it;
  • Details of the data subject’s right to complain to a supervisory authority (the ICO in the UK);
  • If the personal data has not been collected from the data subject themselves, details of third-party sources (where available);
  • Details of any automated decision-making (including profiling) that takes place using the personal data in question, the logic involved in that decision-making, the significance, and the envisaged consequences.

Please note that, due to the wide range of potential data types and formats used by different organisations, we do not offer a template for supplying data subjects’ personal data.

The response letters also available in this sub-folder cater for the following scenarios:

  • Acknowledgement of SAR receipt with options to request further information and/or proof of identity;
  • Acknowledgement of SAR or additional information (or proof of ID) receipt with options to request a fee and/or stating an extended response time;
  • Acknowledgement of SAR or additional information (or proof of ID), standard response time;
  • Acknowledgement of receipt of fee, standard or extended response time;
  • Acknowledgement of SAR (or additional information) receipt, confirming that no data is held.

This Subject Access Request Form is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.

Once you have purchased access to the appropriate document folder, click on the “Download Document” link below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.
