Subject Access Requests
The UK GDPR allows individuals to access information from organisations that process their personal data by means of a subject access request. As the UK GDPR applies to all personal data that an organisation processes, employers should accept subject access requests not just from employees, but also from workers, contractors, apprentices and volunteers.
In response to a SAR, the company must advise the employee on the personal data that it collects about the employee and what the company does with that information, including how the information is used, stored, transferred, secured and the employee’s rights in relation to the data stored.
The time limit for responding to a subject access request is one month from the date of receipt. If a request is complex, the time period for response can be extended by a further two months.
This subfolder of documents includes a Subject Access Request Form and a variety of letters that can be used by the employer to respond to different Subject Access Request scenarios.