Letter Acknowledging Subject Access Request and Asking for More Information
This document has been updated for compatibility with the UK GDPR. It is ready for use from the start of 2021.
The Information Commissioner’s Office recently revised its guidance on timescales for compliance with Data Subject Access Requests in situations where more information is required from a data subject (e.g. to clarify a request). The timeframe for response is paused if you need to ask the data subject for more information to understand the nature and scope of their request. This document has been updated in line with this guidance.
This Letter Acknowledging Subject Access Request and Asking for More Information should be used by employers to acknowledge receipt of an individual’s request under the UK General Data Protection Regulation (UK GDPR) for information held about them by a company and ask for more information about the request. As the UK GDPR applies to all personal data that an organisation processes, employers should accept subject access requests not just from employees, but also from workers, contractors, apprentices and volunteers.
This letter has optional clauses depending on whether the employer needs more information in order to fulfil the data subject access request or the employer needs the individual to provide proof of his or her identity.
Under UK GDPR, the time limit for an employer to respond to a subject access request is one month from the date of receipt. If a request is complex, the time period for response can be extended by a further two months. The employer must inform the individual of any such extension within one month of the request, together with the reasons for the delay.
The UK GDPR allows individuals to access information from organisations that process their personal data by means of a subject access request. The company must advise the employee on:
- whether or not the employee's personal data is being processed;
- the purposes of the processing and the categories of personal data concerned; the recipients to whom the data has been or will be disclosed;
- how long the data will be stored, or how that period is determined;
- the employee's rights in relation to the rectification or erasure of data, the restriction of processing and how to object to processing;
- the employee's right to lodge a complaint with the supervisory authority;
- any third-party sources of the data, where this information is available; and
- information about the logic involved in any automated decision-making, if applicable.
The company is also required to provide the employee with a copy of the personal data undergoing processing.
This document is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.
Once you have purchased access to the appropriate document folder, click on the “Download” button below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.