Welcome to Simply-Docs

The Right of Access and Subject Access Requests

Data Subject Access Requests

One of the key rights afforded to data subjects by the UK GDPR is the right of access. Much like the right to be informed, this right plays an important role in ensuring transparency. The right of access entitles individual data subjects to receive a copy of their personal data held by you as well as certain other information. The exercise of this right is generally referred to as a subject access request or SAR.

There is no prescribed form which a SAR must take. SARs can be made orally or in writing. Moreover, a SAR does not need to specifically state that it is a SAR. A relatively informal query submitted to you via social media is just as valid an SAR as a formal letter stating that it is a subject access request.

It is important for you to respond without undue delay. You must respond within one month, but in certain limited circumstances this can be extended (if the request is complex or if you have received multiple requests from the same individual).

It is also not generally possible to charge a fee for handling a SAR (but again, there are limited exceptions).

You must perform reasonable searches for the required information and must provide it to the individual in a user-friendly and concise format, using a secure method.

As with extensions and fees, there are strictly limited grounds allowing you to refuse to comply with a SAR, for example, if the request is “manifestly unfounded or excessive”, but in most circumstances, you must issue a proper response.

Document Templates Available

We offer a range of documents to assist in handling subject access requests:

  • Our Data Subject Access Request Guidance Notes provide detailed information on SARs including how to recognise them, the information you are required to provide in response, time limits, fees, and more.
  • Using our Data Subject Access Request Policy and Procedure , you can provide a helpful “how to” guide for SAR handling within your business. Designed to work alongside your main data protection policy, this document can help staff to identify SARs and then explains what to do with them – including how to respond, the applicable time limits, what to do if certain information has not been provided, and so on.
  • Our Subject Access Request Form is for you to provide to individuals (e.g. website users or customers) to assist them in making a SAR. Note, however, that you cannot require them to do so. Remember that a SAR need follow now specific formula.

In some cases, you will be able to respond to a SAR quickly and easily, but in other situations, you may, for example, need additional information to clarify the request or proof of ID. We have provided a set of template letters to assist in responding to SARs:

A similar set of letters is available for handling requests from individuals to exercise their other UK GDPR rights. More information is available here.

    Simply-4-Business Ltd Registered in England and Wales No. 4868909 Unit 100, Parkway House, Sheen Lane, London SW14 8LS