Data Subject Access Requests
One of the key rights afforded to data subjects by the UK GDPR is the right of access. Much like the right to be informed, this right plays an important role in ensuring transparency. The right of access entitles individual data subjects to receive a copy of their personal data held by you as well as certain other information. The exercise of this right is generally referred to as a subject access request or SAR.
There is no prescribed form which a SAR must take. SARs can be made orally or in writing. Moreover, a SAR does not need to specifically state that it is a SAR. A relatively informal query submitted to you via social media is just as valid a SAR as a formal letter stating that it is a subject access request.
It is important for you to respond without undue delay. You must respond within one month, but in certain limited circumstances this can be extended (if the request is complex or if you have received multiple requests from the same individual).
It is also not generally possible to charge a fee for handling a SAR (but again, there are limited exceptions).
You must perform reasonable searches for the required information and must provide it to the individual in a user-friendly and concise format, using a secure method.
As with extensions and fees, there are strictly limited grounds allowing you to refuse to comply with a SAR, for example, if the request is “manifestly unfounded or excessive”, but in most circumstances, you must issue a proper response.
Document Templates Available
We offer a range of documents to assist in handling subject access requests:
- Our Data Subject Access Request Guidance Notes provide detailed information on SARs including how to recognise them, the information you are required to provide in response, time limits, fees, and more.
- Using our Data Subject Access Request Policy and Procedure, you can provide a helpful “how to” guide for SAR handling within your business. Designed to work alongside your main data protection policy, this document can help staff to identify SARs and then explains what to do with them – including how to respond, the applicable time limits, what to do if certain information has not been provided, and so on.
- Our Subject Access Request Form is for you to provide to individuals (e.g. website users or customers) to assist them in making a SAR. Note, however, that you cannot require them to do so. Remember that a SAR need follow no specific formula.
In some cases, you will be able to respond to a SAR quickly and easily, but in other situations, you may, for example, need additional information to clarify the request or proof of ID. We have provided a set of template letters to assist in responding to SARs:
- SAR Letter – Acknowledgement is your first step and includes options to cater for different situations, for example, when requesting clarification or ID.
- SAR Letter – Fee and/or Additional Time can be used in situations where, for example, a request is complex or is “manifestly unfounded or excessive” and you are charging a fee or explaining that you need more time.
- SAR Letter – Receipt of Additional Information or ID acknowledges receipt, as appropriate, and states the date by which the individual will receive a response to their SAR.
- SAR Letter – Receipt of Fee acknowledges the receipt of a fee for handling a SAR which is “manifestly unfounded or excessive” and states the date by which the individual will receive a response to their SAR.
- SAR Letter – No Data Found is a simple response to a SAR in cases where your search has revealed no information about (or relating to) the individual.
A similar set of letters is available for handling requests from individuals to exercise their other UK GDPR rights. More information is available here.